{ "type": "URL", "indicator": "https://woodsubkfc.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://woodsubkfc.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3775809184, "indicator": "https://woodsubkfc.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 35, "pulses": [ { "id": "668cebf4b3498d2f9b9e9596", "name": "Trojan:Win32/Predator - walmartmobile.cn", "description": "Monitoring, invalid URLs, malicious redirects, cams,cyber crime, red team contract. Collects targets, calls, photos, network, dns, disables proxy, movies services,, messages, shopping habits, contacts. Intrusive as always.", "modified": "2024-08-08T07:05:50.946000", "created": "2024-07-09T07:51:16.371000", "tags": [ "popularity", "ingestion time", "utc cisco", "umbrella", "utc statvoo", "record type", "server", "dnssec", "email", "dns replication", "android", "files", "china unknown", "as4837 china", "aaaa", "search", "moved", "net technology", "for privacy", "name servers", "redacted for", "encrypt", "body", "next", "passive dns", "urls", "scan endpoints", "all scoreblue", "url http", "http", "ip address", "related nids", "files location", "ipv4", "url analysis", "location china", "script script", "td tr", "please", "please enter", "za z0", "server ca", "meta", "a li", "a domains", "ul div", "443 ma2592000", "gmt content", "servers", "https", "self", "hostname", "window", "icloud_apple_id", "apple", "apple ios", "apple id", "apple message", "msie", "chrome", "title", "head body", "center hr", "united", "unknown", "as32934", "as13414 twitter", "as19679 dropbox", "as20940", "kos", "walmart", "calls", "checking", "latest version", "invoked methods", "highlighted", "shell commands", "written", "files deleted", "files copied", "file", "process", "post http", "request", "get http", "dns resolutions", "ip traffic", "process32nextw", "shellexecuteexw", "get na", "entries", "medium", "show", "china as4837", "yara detections", "regsetvalueexw", "dock", "write", "win32", "persistence", "execution", "copy", "cname", "asnone united", "registrar", "as2914 ntt", "hichina", "certificate", "showing", "as142403 yisu", "china asn", "suspicious", "open", "write c", "create c", "read c", "windows nt", "wow64", "slcc2", "media center", "default", "discovery", "xebrbxeax1ezxf0", "sxe0x0cx1cxf8", "invalid url", "status", "reflection", "telephony", "yuming", "domain", "expiration date", "div div", "a div", "span a", "script urls", "p span", "pragma", "trident", "form", "applei_imessage_ios", "as4134 chinanet", "as3356 level", "asnone china", "date", "tsara brashears", "rwi dtools", "pyinstaller", "password", "cybercrime", "valid from", "number", "thumbprint", "ipwnderv1", "hacktool", "phishing", "facebook", "all search", "otx scoreblue", "pulse submit", "injection", "mobile", "tmobile" ], "references": [ "walmartmobile.cn", "malware_hosting IP's:42.177.83.115 | IPv4 42.177.83.134 malware_hosting", "Apple Spy: iphone-say.com apple-prompt-iphone.com http://www.apple-prompt-iphone.com/", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydstaging2zsendlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "Apple Spy: cmlinki-img-3radio-iphone-web-cmlinki3-iphone-web-cmlinkiradio.redirectme.netoppofentryd.0-iphone-web-cmlinkiradio-iphone-web-cm", "Apple Spy: redirectme.netiphonepofentrydstaging2znetoppofindlabstryd.netoppofindhypernova.ali.zomans.com", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydiotging2znetoppofindlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "Trojan:Win32/Predator!: FileHash-SHA256 1cf6574bb7edda08a539fdb2885a959071b60d9c9bfb44ee1b9912b3864ff758", "Trojan:Win32/Predator!: FileHash-SHA256 493323dd39ebb91b861e63c7341d037877886bc3a6cf4deaef08ef76bb9db15e", "Trojan:Win32/Predator!: FileHash-SHA256 f7da3472e0f81fa37ea05cc91338b6a693a1fcd4d30025fdfbfc7f2f0119fa20", "traceability-qa.walmartmobile.cn", "http://img01.mifile.cn/m/apk/mishop_3.0.20141212_1.1.1.apk", "http://tshop.doido.com", "Antivirus Detections Win32:Malware-gen: Yara Detections: stack_string", "Alerts: dead_host network_icmp antivm_generic_services creates_largekey disables_proxy dumped_buffer network_cnc_http", "Alerts: network_http allocates_rwx stealth_window injection_process_search process_interest", "Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Asacky!rfn , ALF:HeraklezEval:Trojan:Win32/Predator!rfn , Win.Trojan.Generic-9789164-0", "IDS Detections: : Suspicious User-Agent (HTTP Downloader) Suspicious User-Agent containing Loader Observed", "Unique antivirus detections for files communicating with IP address", "hpcc-page.cnc.ccgslb.com.cn 121.30.192.9 58.20.206.154 139.209.89.125 124.67.23.253 61.180.227.172 61.162.172.185 IP Traffic", "TCP 123.125.159.119:80 (gad.page.cnc.ccgslb.com.cn) TCP 121.30.192.9:80 (hpcc-page.cnc.ccgslb.com.cn) TCP 121.30.193.30: Technique ID: T1140 Technique Name: Deobfuscate/Decode Files or Information Medium { \"families\": [], \"description\": \"One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.\", Technique ID: T1055 Technique Name: Process Injection A common use for this is when applications run in the system tray, but don't also want to sh" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore", "Brazil", "Ireland", "Germany", "Chile", "China", "Switzerland" ], "malware_families": [ { "id": "RiskTool.AndroidOS.beto", "display_name": "RiskTool.AndroidOS.beto", "target": null }, { "id": "Trojan.TrojanBanker.Android", "display_name": "Trojan.TrojanBanker.Android", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Predator!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Predator!rfn", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1737, "hostname": 4754, "URL": 11496, "FileHash-MD5": 96, "FileHash-SHA1": 79, "FileHash-SHA256": 2457, "email": 11, "SSLCertFingerprint": 2 }, "indicator_count": 20632, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "619 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85faa9b8e3e1206d7f25c", "name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection ", "description": "", "modified": "2024-06-15T04:39:29.943000", "created": "2024-01-30T02:32:10.210000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "659719b77c383c73c05208a9", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3503, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28413, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "673 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cdac46a01234da94a42565", "name": "Emotet | POD 18447 for Cox.xls | M. Brian Sabey \u2022 HallRender \u2022 Denver", "description": "Researchers have identified the source of a virus that has spread around the world and is believed to be linked to a network called \"thedevilsback\" in the United States, which is currently under the control of Amazon.com.", "modified": "2024-03-16T05:00:42.461000", "created": "2024-02-15T06:16:38.290000", "tags": [ "dns resolutions", "ip traffic", "hashes", "file type", "name file", "ip detections", "country", "search", "zbot type", "indicator role", "active related", "filehashsha256", "entries", "brian sabey", "ssl certificate", "contacted", "resolutions", "communicating", "referrer", "emotet emotet", "malware emotet", "http", "emotet", "whois record", "contacted urls", "bundled", "threat roundup", "historical ssl", "execution", "attack", "probe", "service", "startpage", "core", "hiddentear", "guid", "ransomexx", "azorult", "lightning", "ursnif", "agent tesla", "quasar", "trickbot", "project", "remcos", "evilnum", "asyncrat", "matanbuchus", "cobalt strike", "metro", "intel", "ms windows", "pe32", "show", "trojan", "copy", "windows", "read", "write", "february", "delphi", "win32", "ransomware", "united", "unknown", "as44273 host", "moved", "passive dns", "gmt content", "scan endpoints", "all octoseek", "pulse pulses", "urls", "body", "date", "encrypt", "trojandropper", "ipv4", "virtool", "junkpoly", "worm", "msie", "chrome", "status", "creation date", "servers", "record value", "javascript", "please", "june", "august", "malware", "whois whois", "njrat", "ransomware", "siblings domain", "tulach", "hallrender", "cyber espionage", "cyberstalking" ], "references": [ "POD 18447 for Cox.xls", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "1.download.windowsupdate.com [HiddenTear]", "https://tulach.cc/ \u2022 tulach.cc \u2022 thedevilsback.golf \u2022 nextcloud.tulach.cc [phishing]", "https://gronthoghor.com/xoe/qbot.zip \u2022", "Win32:JunkPoly - Worm:Win32/Bagle.gen!C https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.metrobyt-mobile.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Delphi", "display_name": "Delphi", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5573, "hostname": 1806, "FileHash-SHA256": 5748, "domain": 1677, "FileHash-MD5": 349, "FileHash-SHA1": 348, "CVE": 3, "email": 3 }, "indicator_count": 15507, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "764 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cdac3ba9d7f42c0ed9c46d", "name": "Emotet | POD 18447 for Cox.xls | M. Brian Sabey \u2022 HallRender \u2022 Denver", "description": "Researchers have identified the source of a virus that has spread around the world and is believed to be linked to a network called \"thedevilsback\" in the United States, which is currently under the control of Amazon.com.", "modified": "2024-03-16T05:00:42.461000", "created": "2024-02-15T06:16:27.967000", "tags": [ "dns resolutions", "ip traffic", "hashes", "file type", "name file", "ip detections", "country", "search", "zbot type", "indicator role", "active related", "filehashsha256", "entries", "brian sabey", "ssl certificate", "contacted", "resolutions", "communicating", "referrer", "emotet emotet", "malware emotet", "http", "emotet", "whois record", "contacted urls", "bundled", "threat roundup", "historical ssl", "execution", "attack", "probe", "service", "startpage", "core", "hiddentear", "guid", "ransomexx", "azorult", "lightning", "ursnif", "agent tesla", "quasar", "trickbot", "project", "remcos", "evilnum", "asyncrat", "matanbuchus", "cobalt strike", "metro", "intel", "ms windows", "pe32", "show", "trojan", "copy", "windows", "read", "write", "february", "delphi", "win32", "ransomware", "united", "unknown", "as44273 host", "moved", "passive dns", "gmt content", "scan endpoints", "all octoseek", "pulse pulses", "urls", "body", "date", "encrypt", "trojandropper", "ipv4", "virtool", "junkpoly", "worm", "msie", "chrome", "status", "creation date", "servers", "record value", "javascript", "please", "june", "august", "malware", "whois whois", "njrat", "ransomware", "siblings domain", "tulach", "hallrender", "cyber espionage", "cyberstalking" ], "references": [ "POD 18447 for Cox.xls", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "1.download.windowsupdate.com [HiddenTear]", "https://tulach.cc/ \u2022 tulach.cc \u2022 thedevilsback.golf \u2022 nextcloud.tulach.cc [phishing]", "https://gronthoghor.com/xoe/qbot.zip \u2022", "Win32:JunkPoly - Worm:Win32/Bagle.gen!C https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.metrobyt-mobile.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Delphi", "display_name": "Delphi", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5573, "hostname": 1806, "FileHash-SHA256": 5748, "domain": 1677, "FileHash-MD5": 349, "FileHash-SHA1": 348, "CVE": 3, "email": 3 }, "indicator_count": 15507, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "764 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e1ece3b935bda6b9d3e10b", "name": "Cyber espionage & Ransomware attacks spread via Phone call? II.", "description": "", "modified": "2024-03-05T22:00:26.685000", "created": "2024-03-01T14:57:39.828000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": "65c09e487b3899f3442aed96", "export_count": 88, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Enqrypted", "id": "272105", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_272105/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "775 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c970ef974adf44ef24c9a2", "name": "Cyber espionage & Ransomware attacks spread via Phone call?", "description": "", "modified": "2024-03-05T22:00:26.685000", "created": "2024-02-12T01:14:23.337000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": "65c09e487b3899f3442aed96", "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "775 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c09e487b3899f3442aed96", "name": "Cyber espionage & Ransomware attacks spread via Phone call?", "description": "", "modified": "2024-03-05T22:00:26.685000", "created": "2024-02-05T08:37:28.774000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": "65c012b5e56cc9474ebb701f", "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "775 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c012b5e56cc9474ebb701f", "name": "Cyber espionage & Ransomware attacks spread via Phone calls", "description": "Very strange and critical occurrences of businesses, healthcare facilities and individuals becoming part of a botnet and hacking attack when call connects with certain individuals. Healthcare facilities may be spreading this very critical vulnerability. Attacker has access to every device & camera of affected.\n*Smoke Loader\nSmoke Loader is a malicious bot application that can be used to load other malware.Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins.", "modified": "2024-03-05T22:00:26.685000", "created": "2024-02-04T22:41:55.432000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": null, "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "775 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be56d6df9d36bac14ccd87", "name": "AZORult CnC", "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares", "modified": "2024-03-04T14:03:17.574000", "created": "2024-02-03T15:08:06.808000", "tags": [ "ssl certificate", "whois record", "threat roundup", "whois whois", "january", "historical ssl", "referrer", "april", "resolutions", "siblings domain", "march", "february", "obz4usfn0 http", "problems", "threat network", "infrastructure", "st201601152", "startpage", "iframe", "united", "unknown", "search", "showing", "united kingdom", "creation date", "aaaa", "cname", "scan endpoints", "all octoseek", "date", "next", "script urls", "soa nxdomain", "link", "xml title", "portugal", "domain", "status", "expiration date", "pulse pulses", "as44273 host", "domain robot", "as61969 team", "body", "as8075", "netherlands", "servers", "emails", "duo insight", "type", "asnone united", "name servers", "germany unknown", "passive dns", "as14061", "as49453", "lowfi", "a domains", "urls", "privacy inc", "customer", "trojandropper", "dynamicloader", "default", "medium", "entries", "khtml", "download", "show", "activity", "http", "copy", "write", "malware", "adware affiliate", "hostname", "trojan", "pulse submit", "url analysis", "files", "as212913 fop", "russia unknown", "as397240", "as15169 google", "as19237 omnis", "as22169 omnis", "as20068 hawk", "as133618", "as47846", "as22489", "encrypt", "record value", "pragma", "accept ch", "ireland unknown", "msie", "chrome", "style", "gmt setcookie", "as6724 strato", "core", "win32", "backdoor", "expl", "exploit", "ipv4", "virtool", "azorult cnc", "possible", "as7018 att", "regsetvalueexa", "china as4134", "service", "asnone", "dns lookup", "ransom", "push", "eternalblue", "recon", "playgame", "domain name", "as13768 aptum", "meta", "error", "as43350 nforce", "as55286", "as60558 phoenix", "ip address", "registrar", "1996", "contacted", "unlocker", "red team", "af81 http", "execution", "open", "whois sslcert", "suspicious c2", "cve202322518", "collection", "vt graph", "excel", "emotet", "metro", "jeffrey reimer pt", "sharecare", "tsara brashears", "apple", "icloud" ], "references": [ "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "qbot.zip", "imp.fusioninstall.com", "https://mylegalbid.com/malwarebytes", "192.185.223.216 | 192.168.56.1 [malware]", "http://45.159.189.105/bot/regex", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "xhamster.comyouporn.com", "cams4all.com", "watchhers.net", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "youramateuporn.com", "ns2.abovedomains.com", "ww16.porn-community.porn25.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "pirateproxy.cc", "mwilliams.dev@gmail.com | piratepages.com", "838114.parkingcrew.net", "static-push-preprod.porndig.com", "www.redtube.comyouporn.com", "https://severeporn-com.pornproxy.page/", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "yoursexy.porn | indianyouporn.com", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "cdn.pornsocket.com", "http://secure.indianpornpass.com/track/hotpornstuff", "www.anyxxxtube.net", "https://twitter.com/PORNO_SEXYBABES", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "24-70mm.camera", "dropboxpayments.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "http://xred.mooo.com", "https://sexgalaxy.net/tag/rodneymoore/", "http://alive.overit.com/~schoolbu/badmood3.exe", "jimgaffigan.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Germany", "France" ], "malware_families": [ { "id": "Adware Affiliate", "display_name": "Adware Affiliate", "target": null }, { "id": "AZORult CnC", "display_name": "AZORult CnC", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8134, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 737, "FileHash-SHA1": 692, "FileHash-SHA256": 7488, "URL": 6694, "domain": 5247, "hostname": 2932, "email": 49, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 23842, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be56d257bb241c4fa3f68d", "name": "AZORult CnC", "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares", "modified": "2024-03-04T14:03:17.574000", "created": "2024-02-03T15:08:02.291000", "tags": [ "ssl certificate", "whois record", "threat roundup", "whois whois", "january", "historical ssl", "referrer", "april", "resolutions", "siblings domain", "march", "february", "obz4usfn0 http", "problems", "threat network", "infrastructure", "st201601152", "startpage", "iframe", "united", "unknown", "search", "showing", "united kingdom", "creation date", "aaaa", "cname", "scan endpoints", "all octoseek", "date", "next", "script urls", "soa nxdomain", "link", "xml title", "portugal", "domain", "status", "expiration date", "pulse pulses", "as44273 host", "domain robot", "as61969 team", "body", "as8075", "netherlands", "servers", "emails", "duo insight", "type", "asnone united", "name servers", "germany unknown", "passive dns", "as14061", "as49453", "lowfi", "a domains", "urls", "privacy inc", "customer", "trojandropper", "dynamicloader", "default", "medium", "entries", "khtml", "download", "show", "activity", "http", "copy", "write", "malware", "adware affiliate", "hostname", "trojan", "pulse submit", "url analysis", "files", "as212913 fop", "russia unknown", "as397240", "as15169 google", "as19237 omnis", "as22169 omnis", "as20068 hawk", "as133618", "as47846", "as22489", "encrypt", "record value", "pragma", "accept ch", "ireland unknown", "msie", "chrome", "style", "gmt setcookie", "as6724 strato", "core", "win32", "backdoor", "expl", "exploit", "ipv4", "virtool", "azorult cnc", "possible", "as7018 att", "regsetvalueexa", "china as4134", "service", "asnone", "dns lookup", "ransom", "push", "eternalblue", "recon", "playgame", "domain name", "as13768 aptum", "meta", "error", "as43350 nforce", "as55286", "as60558 phoenix", "ip address", "registrar", "1996", "contacted", "unlocker", "red team", "af81 http", "execution", "open", "whois sslcert", "suspicious c2", "cve202322518", "collection", "vt graph", "excel", "emotet", "metro", "jeffrey reimer pt", "sharecare", "tsara brashears", "apple", "icloud" ], "references": [ "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "qbot.zip", "imp.fusioninstall.com", "https://mylegalbid.com/malwarebytes", "192.185.223.216 | 192.168.56.1 [malware]", "http://45.159.189.105/bot/regex", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "xhamster.comyouporn.com", "cams4all.com", "watchhers.net", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "youramateuporn.com", "ns2.abovedomains.com", "ww16.porn-community.porn25.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "pirateproxy.cc", "mwilliams.dev@gmail.com | piratepages.com", "838114.parkingcrew.net", "static-push-preprod.porndig.com", "www.redtube.comyouporn.com", "https://severeporn-com.pornproxy.page/", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "yoursexy.porn | indianyouporn.com", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "cdn.pornsocket.com", "http://secure.indianpornpass.com/track/hotpornstuff", "www.anyxxxtube.net", "https://twitter.com/PORNO_SEXYBABES", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "24-70mm.camera", "dropboxpayments.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "http://xred.mooo.com", "https://sexgalaxy.net/tag/rodneymoore/", "http://alive.overit.com/~schoolbu/badmood3.exe", "jimgaffigan.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Germany", "France" ], "malware_families": [ { "id": "Adware Affiliate", "display_name": "Adware Affiliate", "target": null }, { "id": "AZORult CnC", "display_name": "AZORult CnC", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 737, "FileHash-SHA1": 692, "FileHash-SHA256": 7488, "URL": 6694, "domain": 5247, "hostname": 2932, "email": 49, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 23842, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b93e70b75e7dce7168f4dd", "name": "Google - Lumma Stealer| QakBot | Emotet", "description": "Lumma is classified as a stealer - a type of malware that extracts sensitive information from infected devices.\n\nYou can't see it. You will see https://www.google.com and your search. It's hidden spyware. extremely malicious. Targeted individual.", "modified": "2024-02-29T17:01:09.717000", "created": "2024-01-30T18:22:40.905000", "tags": [ "ssl certificate", "whois record", "threat roundup", "contacted", "historical ssl", "referrer", "urls url", "whois whois", "october", "resolutions", "august", "execution", "installer", "iframe", "malware", "core", "emotet", "lumma stealer", "ransomexx", "azorult", "ursnif", "hacktool", "june", "qakbot", "qbot", "april", "targeting", "tsara brashears", "active threat" ], "references": [ "google.com.uy [Google search browser, masked, links to malicious porn malware spreader, malvertizing, collection host]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password cracker]", "toolbarqueries.google.com.uy" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 50, "FileHash-SHA1": 46, "FileHash-SHA256": 3377, "hostname": 2502, "URL": 8531, "domain": 1250, "CVE": 2 }, "indicator_count": 15758, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "780 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65afcb842689eb776c0737e5", "name": "Maui Ransomware", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-23T14:21:56.725000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65aab8eb55243c504a2cb4c0", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65aab8eb55243c504a2cb4c0", "name": "Maui Ransomware", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-19T18:01:15.365000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65a9b4296442cc8db50a264f", "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a9b87d2d435bdad9ce80a3", "name": "Racoon Stealer ", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-18T23:47:09.818000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65a9b4296442cc8db50a264f", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a9b4296442cc8db50a264f", "name": "Maui Ransomware ", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-18T23:28:41.569000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "653977171f690fb9ab978bf3", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a8720daa2d0263a2b1de88", "name": "Linux/Mumblehard introduction via phone call Social Engineering", "description": "Already deeply compromised individuals more at risk of elaborate phone call interception/redirect/transfer from legitimate services. Many different schemes are used to access and nullify victims identity, involves ssn#, bank account information, email exchange text messaging, PDF exchange, Spam sent to all known accounts, password reset, request for ID upload to verify (steal) identity, extensive holds while trying to 'help' you, unannounced credit check ID theft. Ransomware, Linux attack, Botnetwork behavior. Active threat. Linux/Mumblehard backdoor/botnet", "modified": "2024-02-17T00:01:16.653000", "created": "2024-01-18T00:34:21.136000", "tags": [ "ssl certificate", "april", "resolutions", "threat roundup", "whois record", "historical ssl", "vt graph", "attack", "formbook", "subdomains", "august", "cobalt strike", "mumblehard", "iframe", "djcodychase.com", "first", "utc submissions", "submitters", "webico company", "limited", "summary iocs", "graph community", "urls", "gandi sas", "amazonaes", "cloudflarenet", "computer", "company limited", "cloud host", "pte ltd", "singlehopllc", "squarespace", "amazon02", "team internet", "google", "internapblk4", "domains", "registrar", "dynadot llc", "ip detections", "country", "detections type", "name", "win32 exe", "file size", "detections file", "kb file", "execution", "contacted", "apple ios", "tsara brashears", "virus network", "critical risk", "cyberstalking", "elf collection", "matches rule", "relacionada", "hacktool", "emotet", "critical", "copy", "installer", "banker", "keylogger", "it's back", "name verdict", "falcon sandbox", "json data", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "file", "indicator", "mitre att", "ck id", "win64", "path", "date", "factory", "hybrid", "cookie", "benjamin" ], "references": [ "djcodychase.com", "https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-threats/mumblehard-botnet-that-targeted-linux-systems-has-been-shut-down Source Trend" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Linux/Mumblehard", "display_name": "Backdoor:Linux/Mumblehard", "target": "/malware/Backdoor:Linux/Mumblehard" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Win.Dropper.XtremeRAT-7708589-0", "display_name": "Win.Dropper.XtremeRAT-7708589-0", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 114, "FileHash-SHA1": 106, "FileHash-SHA256": 3407, "URL": 6246, "domain": 2463, "hostname": 1693, "CVE": 2 }, "indicator_count": 14031, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65aab9d7a0b4116f622b0aa0", "name": "Linux/Mumblehard introduction via phone call Social Engineering", "description": "", "modified": "2024-02-17T00:01:16.653000", "created": "2024-01-19T18:05:11.592000", "tags": [ "ssl certificate", "april", "resolutions", "threat roundup", "whois record", "historical ssl", "vt graph", "attack", "formbook", "subdomains", "august", "cobalt strike", "mumblehard", "iframe", "djcodychase.com", "first", "utc submissions", "submitters", "webico company", "limited", "summary iocs", "graph community", "urls", "gandi sas", "amazonaes", "cloudflarenet", "computer", "company limited", "cloud host", "pte ltd", "singlehopllc", "squarespace", "amazon02", "team internet", "google", "internapblk4", "domains", "registrar", "dynadot llc", "ip detections", "country", "detections type", "name", "win32 exe", "file size", "detections file", "kb file", "execution", "contacted", "apple ios", "tsara brashears", "virus network", "critical risk", "cyberstalking", "elf collection", "matches rule", "relacionada", "hacktool", "emotet", "critical", "copy", "installer", "banker", "keylogger", "it's back", "name verdict", "falcon sandbox", "json data", "localappdata", "temp", "getprocaddress", "windir", "ascii text", "file", "indicator", "mitre att", "ck id", "win64", "path", "date", "factory", "hybrid", "cookie", "benjamin" ], "references": [ "djcodychase.com", "https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-threats/mumblehard-botnet-that-targeted-linux-systems-has-been-shut-down Source Trend" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Backdoor:Linux/Mumblehard", "display_name": "Backdoor:Linux/Mumblehard", "target": "/malware/Backdoor:Linux/Mumblehard" }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Win.Dropper.XtremeRAT-7708589-0", "display_name": "Win.Dropper.XtremeRAT-7708589-0", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" } ], "industries": [], "TLP": "white", "cloned_from": "65a8720daa2d0263a2b1de88", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 114, "FileHash-SHA1": 106, "FileHash-SHA256": 3407, "URL": 6246, "domain": 2463, "hostname": 1693, "CVE": 2 }, "indicator_count": 14031, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a7e6e042a968005f7a5552", "name": "Content Reputation | ET | Botnet | Targeting", "description": "", "modified": "2024-02-03T19:04:07.916000", "created": "2024-01-17T14:40:32.084000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "659719b77c383c73c05208a9", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659719b77c383c73c05208a9", "name": "Content Reputation | ET | Botnet | Targeting", "description": "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "modified": "2024-02-03T19:04:07.916000", "created": "2024-01-04T20:48:55.431000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc13594cf21dbe00b94807", "name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection", "description": "", "modified": "2024-02-03T19:04:07.916000", "created": "2024-02-01T21:55:37.581000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "65b85faa9b8e3e1206d7f25c", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3501, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28411, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "806 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65574cb4447c8d87ad85fa75", "name": "Masquerading", "description": "", "modified": "2023-12-17T11:03:45.376000", "created": "2023-11-17T11:21:24.343000", "tags": [ "no expiration", "filehashsha256", "filehashmd5", "iocs", "url http", "expiration", "scan endpoints", "all search", "otx octoseek", "create new", "blacklist http", "laplasclipper", "malicious url", "cisco umbrella", "site", "alexa top", "blacklist", "safe site", "malware site", "phishing site", "malicious site", "malware", "china unknown", "united", "unknown", "as54994 quantil", "cname", "nxdomain", "as8068", "as4134 chinanet", "passive dns", "domain", "next", "filehashsha1", "service company", "servers", "ndicator role", "title added", "active related", "pulses url", "showing", "entries", "pulses http", "url https", "type indicator", "role title", "added active", "related pulses", "report spam", "author avatar", "created", "hour ago", "trojanspy", "redline", "pulses hostname", "blacklist https", "indicator role", "bidid", "adid", "v4us", "v51845481", "hostname", "http", "cisco", "umbrella rank", "search live", "api blog", "docs pricing", "november", "de summary", "frankfurt", "main", "reverse dns", "general full", "asn16509", "amazon02", "resource", "protocol h2", "security tls", "hash", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "postitem", "variables", "parameters", "systemid object", "def function", "login", "get h2", "secrets llc", "agreement", "the site", "content", "policy", "this site", "claims", "florida", "please", "premium", "service", "restrict", "express", "media", "facebook", "twitter", "final", "first", "cloudflarenet", "gts ca", "software", "million", "hours ago", "chameleon", "heur", "phishing", "riskware", "agent", "unsafe", "opencandy", "exploit", "mimikatz", "iframe", "downldr", "presenoker", "artemis", "download", "beach research", "germany", "asn20940", "akamaiasn1", "threat report", "url summary", "summary", "sample", "samples", "detection list", "alexa", "maltiverse", "google", "qtsas", "name value", "no data", "tag count", "count blacklist", "pbiptbmvd0k4", "glelexoputyh", "suppobox", "team", "bambernek", "internet storm", "phishtank", "phish", "trickbot", "telecom", "bank", "ipv4", "octoseek report", "spam https", "tsara brashears", "malvertizing", "tracking", "tagging", "spyder", "cybercrime", "email collection", "apple data collection", "win32 exe", "ms word", "document", "type name", "javascript", "network capture", "files", "detections type", "name", "ssl certificate", "whois whois", "tsara brashears", "whois record", "asn owner", "highly targeted", "kgs0", "kls0", "relacionada", "family", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "ursnif", "remcos", "core", "redline stealer", "bitrat", "hacktool", "critical", "copy", "installer", "execution", "network", "communicating", "referrer", "parent", "historical ssl", "siblings", "resolutions", "name verdict", "falcon sandbox", "pattern match", "error", "file", "indicator", "script", "typeof e", "ascii text", "appdata", "date", "windir", "span", "body", "meta", "class", "generator", "info", "null", "refresh", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "form", "footer", "html", "union", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "crack", "webtoolbar", "threat roundup", "contacted", "june", "july", "october", "august" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Health", "Nutritional", "Medical", "Medicine" ], "TLP": "white", "cloned_from": null, "export_count": 103, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 400, "FileHash-SHA1": 240, "FileHash-SHA256": 6459, "hostname": 4845, "URL": 11514, "CVE": 15, "domain": 3179, "email": 31 }, "indicator_count": 26683, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "854 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65574cbe6bdbe24ecb170b24", "name": "Masquerading", "description": "", "modified": "2023-12-17T11:03:45.376000", "created": "2023-11-17T11:21:34.083000", "tags": [ "no expiration", "filehashsha256", "filehashmd5", "iocs", "url http", "expiration", "scan endpoints", "all search", "otx octoseek", "create new", "blacklist http", "laplasclipper", "malicious url", "cisco umbrella", "site", "alexa top", "blacklist", "safe site", "malware site", "phishing site", "malicious site", "malware", "china unknown", "united", "unknown", "as54994 quantil", "cname", "nxdomain", "as8068", "as4134 chinanet", "passive dns", "domain", "next", "filehashsha1", "service company", "servers", "ndicator role", "title added", "active related", "pulses url", "showing", "entries", "pulses http", "url https", "type indicator", "role title", "added active", "related pulses", "report spam", "author avatar", "created", "hour ago", "trojanspy", "redline", "pulses hostname", "blacklist https", "indicator role", "bidid", "adid", "v4us", "v51845481", "hostname", "http", "cisco", "umbrella rank", "search live", "api blog", "docs pricing", "november", "de summary", "frankfurt", "main", "reverse dns", "general full", "asn16509", "amazon02", "resource", "protocol h2", "security tls", "hash", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "postitem", "variables", "parameters", "systemid object", "def function", "login", "get h2", "secrets llc", "agreement", "the site", "content", "policy", "this site", "claims", "florida", "please", "premium", "service", "restrict", "express", "media", "facebook", "twitter", "final", "first", "cloudflarenet", "gts ca", "software", "million", "hours ago", "chameleon", "heur", "phishing", "riskware", "agent", "unsafe", "opencandy", "exploit", "mimikatz", "iframe", "downldr", "presenoker", "artemis", "download", "beach research", "germany", "asn20940", "akamaiasn1", "threat report", "url summary", "summary", "sample", "samples", "detection list", "alexa", "maltiverse", "google", "qtsas", "name value", "no data", "tag count", "count blacklist", "pbiptbmvd0k4", "glelexoputyh", "suppobox", "team", "bambernek", "internet storm", "phishtank", "phish", "trickbot", "telecom", "bank", "ipv4", "octoseek report", "spam https", "tsara brashears", "malvertizing", "tracking", "tagging", "spyder", "cybercrime", "email collection", "apple data collection", "win32 exe", "ms word", "document", "type name", "javascript", "network capture", "files", "detections type", "name", "ssl certificate", "whois whois", "tsara brashears", "whois record", "asn owner", "highly targeted", "kgs0", "kls0", "relacionada", "family", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "ursnif", "remcos", "core", "redline stealer", "bitrat", "hacktool", "critical", "copy", "installer", "execution", "network", "communicating", "referrer", "parent", "historical ssl", "siblings", "resolutions", "name verdict", "falcon sandbox", "pattern match", "error", "file", "indicator", "script", "typeof e", "ascii text", "appdata", "date", "windir", "span", "body", "meta", "class", "generator", "info", "null", "refresh", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "form", "footer", "html", "union", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "crack", "webtoolbar", "threat roundup", "contacted", "june", "july", "october", "august" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Health", "Nutritional", "Medical", "Medicine" ], "TLP": "white", "cloned_from": null, "export_count": 102, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 400, "FileHash-SHA1": 240, "FileHash-SHA256": 6459, "hostname": 4845, "URL": 11514, "CVE": 15, "domain": 3179, "email": 31 }, "indicator_count": 26683, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "854 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65580c1516990d69644fb3d0", "name": "Masquerading", "description": "", "modified": "2023-12-17T11:03:45.376000", "created": "2023-11-18T00:57:57.372000", "tags": [ "no expiration", "filehashsha256", "filehashmd5", "iocs", "url http", "expiration", "scan endpoints", "all search", "otx octoseek", "create new", "blacklist http", "laplasclipper", "malicious url", "cisco umbrella", "site", "alexa top", "blacklist", "safe site", "malware site", "phishing site", "malicious site", "malware", "china unknown", "united", "unknown", "as54994 quantil", "cname", "nxdomain", "as8068", "as4134 chinanet", "passive dns", "domain", "next", "filehashsha1", "service company", "servers", "ndicator role", "title added", "active related", "pulses url", "showing", "entries", "pulses http", "url https", "type indicator", "role title", "added active", "related pulses", "report spam", "author avatar", "created", "hour ago", "trojanspy", "redline", "pulses hostname", "blacklist https", "indicator role", "bidid", "adid", "v4us", "v51845481", "hostname", "http", "cisco", "umbrella rank", "search live", "api blog", "docs pricing", "november", "de summary", "frankfurt", "main", "reverse dns", "general full", "asn16509", "amazon02", "resource", "protocol h2", "security tls", "hash", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "postitem", "variables", "parameters", "systemid object", "def function", "login", "get h2", "secrets llc", "agreement", "the site", "content", "policy", "this site", "claims", "florida", "please", "premium", "service", "restrict", "express", "media", "facebook", "twitter", "final", "first", "cloudflarenet", "gts ca", "software", "million", "hours ago", "chameleon", "heur", "phishing", "riskware", "agent", "unsafe", "opencandy", "exploit", "mimikatz", "iframe", "downldr", "presenoker", "artemis", "download", "beach research", "germany", "asn20940", "akamaiasn1", "threat report", "url summary", "summary", "sample", "samples", "detection list", "alexa", "maltiverse", "google", "qtsas", "name value", "no data", "tag count", "count blacklist", "pbiptbmvd0k4", "glelexoputyh", "suppobox", "team", "bambernek", "internet storm", "phishtank", "phish", "trickbot", "telecom", "bank", "ipv4", "octoseek report", "spam https", "tsara brashears", "malvertizing", "tracking", "tagging", "spyder", "cybercrime", "email collection", "apple data collection", "win32 exe", "ms word", "document", "type name", "javascript", "network capture", "files", "detections type", "name", "ssl certificate", "whois whois", "tsara brashears", "whois record", "asn owner", "highly targeted", "kgs0", "kls0", "relacionada", "family", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "ursnif", "remcos", "core", "redline stealer", "bitrat", "hacktool", "critical", "copy", "installer", "execution", "network", "communicating", "referrer", "parent", "historical ssl", "siblings", "resolutions", "name verdict", "falcon sandbox", "pattern match", "error", "file", "indicator", "script", "typeof e", "ascii text", "appdata", "date", "windir", "span", "body", "meta", "class", "generator", "info", "null", "refresh", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "form", "footer", "html", "union", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "crack", "webtoolbar", "threat roundup", "contacted", "june", "july", "october", "august" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Health", "Nutritional", "Medical", "Medicine" ], "TLP": "white", "cloned_from": "65574cb4447c8d87ad85fa75", "export_count": 100, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 400, "FileHash-SHA1": 240, "FileHash-SHA256": 6459, "hostname": 4845, "URL": 11514, "CVE": 15, "domain": 3179, "email": 31 }, "indicator_count": 26683, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "854 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65580c17e69371b34a573f72", "name": "Masquerading", "description": "", "modified": "2023-12-17T11:03:45.376000", "created": "2023-11-18T00:57:59.619000", "tags": [ "no expiration", "filehashsha256", "filehashmd5", "iocs", "url http", "expiration", "scan endpoints", "all search", "otx octoseek", "create new", "blacklist http", "laplasclipper", "malicious url", "cisco umbrella", "site", "alexa top", "blacklist", "safe site", "malware site", "phishing site", "malicious site", "malware", "china unknown", "united", "unknown", "as54994 quantil", "cname", "nxdomain", "as8068", "as4134 chinanet", "passive dns", "domain", "next", "filehashsha1", "service company", "servers", "ndicator role", "title added", "active related", "pulses url", "showing", "entries", "pulses http", "url https", "type indicator", "role title", "added active", "related pulses", "report spam", "author avatar", "created", "hour ago", "trojanspy", "redline", "pulses hostname", "blacklist https", "indicator role", "bidid", "adid", "v4us", "v51845481", "hostname", "http", "cisco", "umbrella rank", "search live", "api blog", "docs pricing", "november", "de summary", "frankfurt", "main", "reverse dns", "general full", "asn16509", "amazon02", "resource", "protocol h2", "security tls", "hash", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "postitem", "variables", "parameters", "systemid object", "def function", "login", "get h2", "secrets llc", "agreement", "the site", "content", "policy", "this site", "claims", "florida", "please", "premium", "service", "restrict", "express", "media", "facebook", "twitter", "final", "first", "cloudflarenet", "gts ca", "software", "million", "hours ago", "chameleon", "heur", "phishing", "riskware", "agent", "unsafe", "opencandy", "exploit", "mimikatz", "iframe", "downldr", "presenoker", "artemis", "download", "beach research", "germany", "asn20940", "akamaiasn1", "threat report", "url summary", "summary", "sample", "samples", "detection list", "alexa", "maltiverse", "google", "qtsas", "name value", "no data", "tag count", "count blacklist", "pbiptbmvd0k4", "glelexoputyh", "suppobox", "team", "bambernek", "internet storm", "phishtank", "phish", "trickbot", "telecom", "bank", "ipv4", "octoseek report", "spam https", "tsara brashears", "malvertizing", "tracking", "tagging", "spyder", "cybercrime", "email collection", "apple data collection", "win32 exe", "ms word", "document", "type name", "javascript", "network capture", "files", "detections type", "name", "ssl certificate", "whois whois", "tsara brashears", "whois record", "asn owner", "highly targeted", "kgs0", "kls0", "relacionada", "family", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "ursnif", "remcos", "core", "redline stealer", "bitrat", "hacktool", "critical", "copy", "installer", "execution", "network", "communicating", "referrer", "parent", "historical ssl", "siblings", "resolutions", "name verdict", "falcon sandbox", "pattern match", "error", "file", "indicator", "script", "typeof e", "ascii text", "appdata", "date", "windir", "span", "body", "meta", "class", "generator", "info", "null", "refresh", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "form", "footer", "html", "union", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "crack", "webtoolbar", "threat roundup", "contacted", "june", "july", "october", "august" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [ "Health", "Nutritional", "Medical", "Medicine" ], "TLP": "white", "cloned_from": "65574cb4447c8d87ad85fa75", "export_count": 103, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 400, "FileHash-SHA1": 240, "FileHash-SHA256": 6459, "hostname": 4845, "URL": 11514, "CVE": 15, "domain": 3179, "email": 31 }, "indicator_count": 26683, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "854 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65580c52bf98f256b6a01da6", "name": "https://myaccount.uscis.gov/", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-18T00:58:58.944000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 101, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656aac25a8a2caaddf0d3b88", "name": "https://myaccount.uscis.gov/", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-12-02T04:01:41.427000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655652f6ddcbf952a599cded", "export_count": 93, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655686e2c072557f03e9cba2", "name": "https://myaccount.uscis.gov/ [pulse created by Octoseek]", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T21:17:22.087000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 102, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655657ca2e402d4f98283de9", "name": "https://myaccount.uscis.gov/ ", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T17:56:26.312000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 100, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65565477da453c46f05a6ac4", "name": "BTW VirusTotal - \" interesting files written to disk during execution'", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T17:42:15.123000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 101, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655652f6ddcbf952a599cded", "name": "https://myaccount.uscis.gov/", "description": "After Mark Montano Md reported alleged acts by Jeffrey Scott Reimer after receiving 'multiple' reports of him aggressively pursuing Brashears, she was contacted, told she violated the Patriot Act by Big O Tires?!! Received letters from the above and harassed for years. Colorado Workers compensation is so corrupt this may be my last post. She was immediately framed , blamed, porn smeared and stalked. Denied medical care , when received died on surgery table, revised and disabled. Even the mafia would tackle only the associates bringing undue negative attention to their own organization.", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T17:35:50.285000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 100, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655650c9b2be6cc930c92cf3", "name": "https://myaccount.uscis.gov/", "description": "HOW!?!? My device was remotely logged into this account somehow.\nThis is egregious. Silence Threats. I have no connection to this but was contacted by a while ago. I don't know how or why a part of the government would attack a person with a TBI and C1 - S1 Spinal cord injury allegedly caused by Colorado physical therapist and protect him. Why is victim, tracked and unsafe, receiving death threats, monitored, denied medical care, stalked EVERYWHERE. \nEven felons aren't monitored for life. STOP.\nWill this get us killed. Do the right thing.\nGod bless America, purge the government.\nThe truth should set you fee not get you harmed.", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T17:26:33", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 102, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653960d6d09796c4ba4c1e90", "name": "CVE JAR Found | Massive active Malicious | unlatched issues", "description": "Monitoring Tsara Brashears - Extreme cyber attack against documented as alleged SA victim. Non-Adversarial Tsara Brashears inflicted with highly malicious Malware auto populated. Massive online attack on Tsara Brashears defaced digital profile. Attacks primarily by Adversarial Tulach malware.\nDaisy Coleman [deceased] moderate malware attack against target a documented SA survivor.\nThis is a revenge attacker. \nPhysical harm imminence [HIGH] SOS\nEdward Snowden speaks of similar attacks against American citizen. Was target warned of malware status or massive attack. Made aware of Botnet by any authority?", "modified": "2023-11-24T12:03:49.398000", "created": "2023-10-25T18:39:18.723000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2295, "FileHash-MD5": 656, "FileHash-SHA256": 7727, "hostname": 2252, "email": 3, "URL": 4406, "CVE": 10 }, "indicator_count": 17990, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "877 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f219ce051cf01e9a6be8b", "name": "Speechless | Critical", "description": "", "modified": "2023-11-24T12:03:49.398000", "created": "2023-10-30T03:23:08.790000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "653977171f690fb9ab978bf3", "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2457, "FileHash-MD5": 656, "FileHash-SHA256": 8455, "hostname": 2605, "email": 3, "URL": 5548, "CVE": 12 }, "indicator_count": 20377, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "877 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f2100b535d359accfc3a6", "name": "CVE JAR Found | Massive active Malicious | Tulach & AIG associated | Scam", "description": "", "modified": "2023-11-24T12:03:49.398000", "created": "2023-10-30T03:20:32.349000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "white", "cloned_from": "653960d6d09796c4ba4c1e90", "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2295, "FileHash-MD5": 656, "FileHash-SHA256": 7727, "hostname": 2252, "email": 3, "URL": 4406, "CVE": 10 }, "indicator_count": 17990, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "877 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653977171f690fb9ab978bf3", "name": "Speechless | Critical", "description": "Cyber threat. Target Tsara Brashears is now Tsara Brashears Malware. Looks like an investigation, might be a legitimate investigation. I have no insight as to whether investigation is warranted, staged, or silencing?? \nVerdict:\nAdversarial monitoring, harassment, Libel, cyber crime by a genius exploiting regulations and escalation privileges. Target at high risk.", "modified": "2023-11-24T12:03:49.398000", "created": "2023-10-25T20:14:14.532000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 57, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2457, "FileHash-MD5": 656, "FileHash-SHA256": 8455, "hostname": 2605, "email": 3, "URL": 5548, "CVE": 12 }, "indicator_count": 20377, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "877 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://apps.apple.com/us/app/gambinos-pizza/id1500338496", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "imp.fusioninstall.com", "http://45.159.189.105/bot/regex", "Apple Spy: iphone-say.com apple-prompt-iphone.com http://www.apple-prompt-iphone.com/", "Apple Spy: cmlinki-img-3radio-iphone-web-cmlinki3-iphone-web-cmlinkiradio.redirectme.netoppofentryd.0-iphone-web-cmlinkiradio-iphone-web-cm", "http://watchhers.net/index.php. [ data collection]", "https://gronthoghor.com/xoe/qbot.zip \u2022", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "http://www.defi-realty.com/jem9/ [phishing]", "https://totallyspies.1000hentai.com/tag/clover-porn/", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "google.com.uy [Google search browser, masked, links to malicious porn malware spreader, malvertizing, collection host]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "www.redtube.comyouporn.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "dropboxpayments.com", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydstaging2zsendlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "pirateproxy.cc", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydiotging2znetoppofindlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "ww16.porn-community.porn25.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "https://twitter.com/PORNO_SEXYBABES", "838114.parkingcrew.net", "IDS Detections: : Suspicious User-Agent (HTTP Downloader) Suspicious User-Agent containing Loader Observed", "youramateuporn.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password cracker]", "1.116.217.151 [Cobalt Strike]", "static-push-preprod.porndig.com", "https://severeporn-com.pornproxy.page/", "xhamster.comyouporn.com", "103.224.212.34 scanning_host", "weconnect.com", "ddos.dnsnb8.net [CnC]", "https://us-bankofamerica.com/PhoneVerification.php/", "www.supernetforme.com [CnC]", "malware_hosting IP's:42.177.83.115 | IPv4 42.177.83.134 malware_hosting", "0-1.duckdns.org [malicious]", "https://www.crccolorado.com/dr-adam-sang", "http://iphones.email [redirection chain]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://tshop.doido.com", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "yoursexy.porn | indianyouporn.com", "remotewd.com", "tulach.cc [Adversarial Malware Attack Source]", "newrelic.se [Apple Collection]", "http://alohatube.xyz/search/tsara-brashears", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-threats/mumblehard-botnet-that-targeted-linux-systems-has-been-shut-down Source Trend", "vtbehaviour.commondatastorage.googleapis.com", "www.pornhub.com [password decryption]", "nr-data.net [ Hidden private Apple data collection]", "msftconnecttest.com", "Alerts: network_http allocates_rwx stealth_window injection_process_search process_interest", "apple-dns.net. [Apple email collection]", "cdn.pornsocket.com", "toolbarqueries.google.com.uy", "https://www.songculture.com/tsara-lynn-brashears-music", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "12 CVE exploits posted in 'scoreblue' CVE tally", "Trojan:Win32/Predator!: FileHash-SHA256 f7da3472e0f81fa37ea05cc91338b6a693a1fcd4d30025fdfbfc7f2f0119fa20", "qbot.zip", "https://tulach.cc/ \u2022 tulach.cc \u2022 thedevilsback.golf \u2022 nextcloud.tulach.cc [phishing]", "http://secure.indianpornpass.com/track/hotpornstuff", "192.185.223.216 | 192.168.56.1 [malware]", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "https://attack.mitre.org/software/S0226/", "http://45.159.189.105/bot/regex [phishing | tracking]", "TCP 123.125.159.119:80 (gad.page.cnc.ccgslb.com.cn) TCP 121.30.192.9:80 (hpcc-page.cnc.ccgslb.com.cn) TCP 121.30.193.30: Technique ID: T1140 Technique Name: Deobfuscate/Decode Files or Information Medium { \"families\": [], \"description\": \"One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.\", Technique ID: T1055 Technique Name: Process Injection A common use for this is when applications run in the system tray, but don't also want to sh", "1.download.windowsupdate.com [HiddenTear]", "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "https://www.myminiweb.com/", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "https://sexgalaxy.net/tag/rodneymoore/", "https://pin.it/ [SQLi Dumper]", "Alerts: dead_host network_icmp antivm_generic_services creates_largekey disables_proxy dumped_buffer network_cnc_http", "Trojan:Win32/Predator!: FileHash-SHA256 1cf6574bb7edda08a539fdb2885a959071b60d9c9bfb44ee1b9912b3864ff758", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Win32:JunkPoly - Worm:Win32/Bagle.gen!C https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.metrobyt-mobile.com", "traceability-qa.walmartmobile.cn", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "ns2.abovedomains.com", "https://www.sweetheartvideo.com/tsara-brashears/", "qa.companycam.com", "Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Asacky!rfn , ALF:HeraklezEval:Trojan:Win32/Predator!rfn , Win.Trojan.Generic-9789164-0", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "https://mylegalbid.com/malwarebytes", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "*Patient PII & PHI at critical risk", "init-p01st.push.apple.com", "cams4all.com", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "campaign-manager.sharecare.com", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "http://alive.overit.com/~schoolbu/badmood3.exe", "Apple Spy: redirectme.netiphonepofentrydstaging2znetoppofindlabstryd.netoppofindhypernova.ali.zomans.com", "https://remote.krogerlaw.com", "http://xred.mooo.com", "ns3.hallgrandsale.ru", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "104.200.22.130 Command and Control", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "jimgaffigan.com", "www.anyxxxtube.net", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "watchhers.net", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "24-70mm.camera", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "walmartmobile.cn", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://img01.mifile.cn/m/apk/mishop_3.0.20141212_1.1.1.apk", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "Unique antivirus detections for files communicating with IP address", "mwilliams.dev@gmail.com | piratepages.com", "Trojan:Win32/Predator!: FileHash-SHA256 493323dd39ebb91b861e63c7341d037877886bc3a6cf4deaef08ef76bb9db15e", "hpcc-page.cnc.ccgslb.com.cn 121.30.192.9 58.20.206.154 139.209.89.125 124.67.23.253 61.180.227.172 61.162.172.185 IP Traffic", "dvd-game-new-releases.info", "djcodychase.com", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "Antivirus Detections Win32:Malware-gen: Yara Detections: stack_string", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "POD 18447 for Cox.xls", "aig.com", "https://tulach.cc/", "mobile.twitter.com [titled hashtag Daisy Coleman]", "CS IDS Rules: MALWARE Possible Compromised Host" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Daisy coleman", "Tulach malware", "Gootloader", "Death bitches", "Twitter malware", "Lumma", "Virtool", "Generic.malware", "Trojan:win32/detplock", "Bit rat", "Maltiverse", "Trojan:win32/antavmu.d", "Gen:variant.zusy", "Defacement", "Facebook ht", "Beach research", "Razy", "Ransomware", "Relic", "Hacktool", "Webtoolbar", "Lumma stealer", "Trickbot - s0266", "Tsara brashears", "Trojan.injector", "Remcos", "Azorult", "Swisyn", "Hiddentear", "Hallrender", "Fonepaw", "Agent tesla - s0331", "Cve jar", "Dark power", "Alf:heraklezeval:trojan:win32/predator!rfn", "Emotet", "Ransomexx", "Simda", "Adware affiliate", "Pwndlocker", "Artemis", "Suppobox", "Redline", "Quasar rat", "Formbook", "Apple malware", "Vidar", "Worm:win32/benjamin", "Backdoor:linux/mumblehard", "Trojan.trojanbanker.android", "Smoke loader", "Content reputation", "Et", "Crack", "Cobalt strike", "Fusioncore", "Dangerousobject.multi", "Qbot", "Win.dropper.xtremerat-7708589-0", "Amazon aes", "Azorult cnc", "Raccoon", "Risktool.androidos.beto", "Tulach", "Zbot", "Dapato", "Lolkek", "Possible", "Tofsee", "Chaos", "Lockbit", "Hallgrand", "Maui ransomware", "Qakbot", "Delphi", "Trojanspy", "Dnspionage", "Networm" ], "industries": [ "Medical", "Civil society", "Nutritional", "Health", "Patients", "Medicine", "Healthcare" ], "unique_indicators": 167344 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/woodsubkfc.com", "whois": "http://whois.domaintools.com/woodsubkfc.com", "domain": "woodsubkfc.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 35, "pulses": [ { "id": "668cebf4b3498d2f9b9e9596", "name": "Trojan:Win32/Predator - walmartmobile.cn", "description": "Monitoring, invalid URLs, malicious redirects, cams,cyber crime, red team contract. Collects targets, calls, photos, network, dns, disables proxy, movies services,, messages, shopping habits, contacts. Intrusive as always.", "modified": "2024-08-08T07:05:50.946000", "created": "2024-07-09T07:51:16.371000", "tags": [ "popularity", "ingestion time", "utc cisco", "umbrella", "utc statvoo", "record type", "server", "dnssec", "email", "dns replication", "android", "files", "china unknown", "as4837 china", "aaaa", "search", "moved", "net technology", "for privacy", "name servers", "redacted for", "encrypt", "body", "next", "passive dns", "urls", "scan endpoints", "all scoreblue", "url http", "http", "ip address", "related nids", "files location", "ipv4", "url analysis", "location china", "script script", "td tr", "please", "please enter", "za z0", "server ca", "meta", "a li", "a domains", "ul div", "443 ma2592000", "gmt content", "servers", "https", "self", "hostname", "window", "icloud_apple_id", "apple", "apple ios", "apple id", "apple message", "msie", "chrome", "title", "head body", "center hr", "united", "unknown", "as32934", "as13414 twitter", "as19679 dropbox", "as20940", "kos", "walmart", "calls", "checking", "latest version", "invoked methods", "highlighted", "shell commands", "written", "files deleted", "files copied", "file", "process", "post http", "request", "get http", "dns resolutions", "ip traffic", "process32nextw", "shellexecuteexw", "get na", "entries", "medium", "show", "china as4837", "yara detections", "regsetvalueexw", "dock", "write", "win32", "persistence", "execution", "copy", "cname", "asnone united", "registrar", "as2914 ntt", "hichina", "certificate", "showing", "as142403 yisu", "china asn", "suspicious", "open", "write c", "create c", "read c", "windows nt", "wow64", "slcc2", "media center", "default", "discovery", "xebrbxeax1ezxf0", "sxe0x0cx1cxf8", "invalid url", "status", "reflection", "telephony", "yuming", "domain", "expiration date", "div div", "a div", "span a", "script urls", "p span", "pragma", "trident", "form", "applei_imessage_ios", "as4134 chinanet", "as3356 level", "asnone china", "date", "tsara brashears", "rwi dtools", "pyinstaller", "password", "cybercrime", "valid from", "number", "thumbprint", "ipwnderv1", "hacktool", "phishing", "facebook", "all search", "otx scoreblue", "pulse submit", "injection", "mobile", "tmobile" ], "references": [ "walmartmobile.cn", "malware_hosting IP's:42.177.83.115 | IPv4 42.177.83.134 malware_hosting", "Apple Spy: iphone-say.com apple-prompt-iphone.com http://www.apple-prompt-iphone.com/", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydstaging2zsendlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "Apple Spy: cmlinki-img-3radio-iphone-web-cmlinki3-iphone-web-cmlinkiradio.redirectme.netoppofentryd.0-iphone-web-cmlinkiradio-iphone-web-cm", "Apple Spy: redirectme.netiphonepofentrydstaging2znetoppofindlabstryd.netoppofindhypernova.ali.zomans.com", "Apple Spy: 113-dd-hppg.redirectme.netiphonepofentrydiotging2znetoppofindlabstryd.0-enakamai-lanwpradiocen6.ali.zomans.com", "Trojan:Win32/Predator!: FileHash-SHA256 1cf6574bb7edda08a539fdb2885a959071b60d9c9bfb44ee1b9912b3864ff758", "Trojan:Win32/Predator!: FileHash-SHA256 493323dd39ebb91b861e63c7341d037877886bc3a6cf4deaef08ef76bb9db15e", "Trojan:Win32/Predator!: FileHash-SHA256 f7da3472e0f81fa37ea05cc91338b6a693a1fcd4d30025fdfbfc7f2f0119fa20", "traceability-qa.walmartmobile.cn", "http://img01.mifile.cn/m/apk/mishop_3.0.20141212_1.1.1.apk", "http://tshop.doido.com", "Antivirus Detections Win32:Malware-gen: Yara Detections: stack_string", "Alerts: dead_host network_icmp antivm_generic_services creates_largekey disables_proxy dumped_buffer network_cnc_http", "Alerts: network_http allocates_rwx stealth_window injection_process_search process_interest", "Antivirus Detections: ALF:HeraklezEval:Trojan:Win32/Asacky!rfn , ALF:HeraklezEval:Trojan:Win32/Predator!rfn , Win.Trojan.Generic-9789164-0", "IDS Detections: : Suspicious User-Agent (HTTP Downloader) Suspicious User-Agent containing Loader Observed", "Unique antivirus detections for files communicating with IP address", "hpcc-page.cnc.ccgslb.com.cn 121.30.192.9 58.20.206.154 139.209.89.125 124.67.23.253 61.180.227.172 61.162.172.185 IP Traffic", "TCP 123.125.159.119:80 (gad.page.cnc.ccgslb.com.cn) TCP 121.30.192.9:80 (hpcc-page.cnc.ccgslb.com.cn) TCP 121.30.193.30: Technique ID: T1140 Technique Name: Deobfuscate/Decode Files or Information Medium { \"families\": [], \"description\": \"One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.\", Technique ID: T1055 Technique Name: Process Injection A common use for this is when applications run in the system tray, but don't also want to sh" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Singapore", "Brazil", "Ireland", "Germany", "Chile", "China", "Switzerland" ], "malware_families": [ { "id": "RiskTool.AndroidOS.beto", "display_name": "RiskTool.AndroidOS.beto", "target": null }, { "id": "Trojan.TrojanBanker.Android", "display_name": "Trojan.TrojanBanker.Android", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Predator!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Predator!rfn", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1737, "hostname": 4754, "URL": 11496, "FileHash-MD5": 96, "FileHash-SHA1": 79, "FileHash-SHA256": 2457, "email": 11, "SSLCertFingerprint": 2 }, "indicator_count": 20632, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "619 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b85faa9b8e3e1206d7f25c", "name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection ", "description": "", "modified": "2024-06-15T04:39:29.943000", "created": "2024-01-30T02:32:10.210000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "ssl certificate", "whois record", "historical ssl", "whois whois", "apple ios", "contacted", "tsara brashears", "whois", "resolutions", "password", "hacktool", "crypto", "execution", "emotet", "installer", "banker", "keylogger", "critical", "copy", "content reputation", "et", "submission", "comodo valkyrie", "verdict", "bitdefender", "history first", "analysis", "utc http", "response final", "url http", "search", "entries", "passive dns", "urls", "record value", "unknown", "united", "gmt content", "dynamic report", "0 report", "date", "accept", "name servers", "scan endpoints", "all octoseek", "pulse pulses", "http", "ip address", "related nids", "files location", "http response", "final url", "serving ip", "address", "ipv4", "files", "location china", "asn as45090", "dns resolutions", "twitter", "log id", "gmtn", "tls web", "encrypt", "ca issuers", "f20b201c", "b467295d", "b2931e3f", "false", "as15169 google", "domain", "msie", "windows nt", "wow64", "slcc2", "media center", "create c", "write c", "read c", "medium", "next", "dock", "write", "persistence", "delete c", "path", "xport", "default", "years ago", "modified", "created", "email", "active created", "white", "filehash", "memcommit", "tlsv1", "show", "win32", "malware", "get na", "systemroot", "starizona", "lscottsdale", "creation date", "emails", "domain name", "showing", "pulse submit", "amazon", "server ca", "b535", "tulach", "hallrender", "hallgrand", "briansabey", "brian sabey", "mark", "mark brian sabey", "mark sabey", "cybercrime", "cyber stalking", "botnet", "evader", "hacker", "targeting" ], "references": [ "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp", "dvd-game-new-releases.info", "1.116.217.151 [Cobalt Strike]", "https://www.myminiweb.com/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears", "vtbehaviour.commondatastorage.googleapis.com", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tulach.cc/", "ns3.hallgrandsale.ru" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Content Reputation", "display_name": "Content Reputation", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" } ], "industries": [], "TLP": "white", "cloned_from": "659719b77c383c73c05208a9", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13324, "FileHash-MD5": 718, "FileHash-SHA1": 617, "FileHash-SHA256": 5761, "domain": 3503, "hostname": 4475, "CVE": 1, "email": 3, "SSLCertFingerprint": 11 }, "indicator_count": 28413, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "673 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cdac46a01234da94a42565", "name": "Emotet | POD 18447 for Cox.xls | M. Brian Sabey \u2022 HallRender \u2022 Denver", "description": "Researchers have identified the source of a virus that has spread around the world and is believed to be linked to a network called \"thedevilsback\" in the United States, which is currently under the control of Amazon.com.", "modified": "2024-03-16T05:00:42.461000", "created": "2024-02-15T06:16:38.290000", "tags": [ "dns resolutions", "ip traffic", "hashes", "file type", "name file", "ip detections", "country", "search", "zbot type", "indicator role", "active related", "filehashsha256", "entries", "brian sabey", "ssl certificate", "contacted", "resolutions", "communicating", "referrer", "emotet emotet", "malware emotet", "http", "emotet", "whois record", "contacted urls", "bundled", "threat roundup", "historical ssl", "execution", "attack", "probe", "service", "startpage", "core", "hiddentear", "guid", "ransomexx", "azorult", "lightning", "ursnif", "agent tesla", "quasar", "trickbot", "project", "remcos", "evilnum", "asyncrat", "matanbuchus", "cobalt strike", "metro", "intel", "ms windows", "pe32", "show", "trojan", "copy", "windows", "read", "write", "february", "delphi", "win32", "ransomware", "united", "unknown", "as44273 host", "moved", "passive dns", "gmt content", "scan endpoints", "all octoseek", "pulse pulses", "urls", "body", "date", "encrypt", "trojandropper", "ipv4", "virtool", "junkpoly", "worm", "msie", "chrome", "status", "creation date", "servers", "record value", "javascript", "please", "june", "august", "malware", "whois whois", "njrat", "ransomware", "siblings domain", "tulach", "hallrender", "cyber espionage", "cyberstalking" ], "references": [ "POD 18447 for Cox.xls", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "1.download.windowsupdate.com [HiddenTear]", "https://tulach.cc/ \u2022 tulach.cc \u2022 thedevilsback.golf \u2022 nextcloud.tulach.cc [phishing]", "https://gronthoghor.com/xoe/qbot.zip \u2022", "Win32:JunkPoly - Worm:Win32/Bagle.gen!C https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.metrobyt-mobile.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Delphi", "display_name": "Delphi", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5573, "hostname": 1806, "FileHash-SHA256": 5748, "domain": 1677, "FileHash-MD5": 349, "FileHash-SHA1": 348, "CVE": 3, "email": 3 }, "indicator_count": 15507, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "764 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cdac3ba9d7f42c0ed9c46d", "name": "Emotet | POD 18447 for Cox.xls | M. Brian Sabey \u2022 HallRender \u2022 Denver", "description": "Researchers have identified the source of a virus that has spread around the world and is believed to be linked to a network called \"thedevilsback\" in the United States, which is currently under the control of Amazon.com.", "modified": "2024-03-16T05:00:42.461000", "created": "2024-02-15T06:16:27.967000", "tags": [ "dns resolutions", "ip traffic", "hashes", "file type", "name file", "ip detections", "country", "search", "zbot type", "indicator role", "active related", "filehashsha256", "entries", "brian sabey", "ssl certificate", "contacted", "resolutions", "communicating", "referrer", "emotet emotet", "malware emotet", "http", "emotet", "whois record", "contacted urls", "bundled", "threat roundup", "historical ssl", "execution", "attack", "probe", "service", "startpage", "core", "hiddentear", "guid", "ransomexx", "azorult", "lightning", "ursnif", "agent tesla", "quasar", "trickbot", "project", "remcos", "evilnum", "asyncrat", "matanbuchus", "cobalt strike", "metro", "intel", "ms windows", "pe32", "show", "trojan", "copy", "windows", "read", "write", "february", "delphi", "win32", "ransomware", "united", "unknown", "as44273 host", "moved", "passive dns", "gmt content", "scan endpoints", "all octoseek", "pulse pulses", "urls", "body", "date", "encrypt", "trojandropper", "ipv4", "virtool", "junkpoly", "worm", "msie", "chrome", "status", "creation date", "servers", "record value", "javascript", "please", "june", "august", "malware", "whois whois", "njrat", "ransomware", "siblings domain", "tulach", "hallrender", "cyber espionage", "cyberstalking" ], "references": [ "POD 18447 for Cox.xls", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "1.download.windowsupdate.com [HiddenTear]", "https://tulach.cc/ \u2022 tulach.cc \u2022 thedevilsback.golf \u2022 nextcloud.tulach.cc [phishing]", "https://gronthoghor.com/xoe/qbot.zip \u2022", "Win32:JunkPoly - Worm:Win32/Bagle.gen!C https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.metrobyt-mobile.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Delphi", "display_name": "Delphi", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5573, "hostname": 1806, "FileHash-SHA256": 5748, "domain": 1677, "FileHash-MD5": 349, "FileHash-SHA1": 348, "CVE": 3, "email": 3 }, "indicator_count": 15507, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "764 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e1ece3b935bda6b9d3e10b", "name": "Cyber espionage & Ransomware attacks spread via Phone call? II.", "description": "", "modified": "2024-03-05T22:00:26.685000", "created": "2024-03-01T14:57:39.828000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": "65c09e487b3899f3442aed96", "export_count": 88, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Enqrypted", "id": "272105", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_272105/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "775 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c970ef974adf44ef24c9a2", "name": "Cyber espionage & Ransomware attacks spread via Phone call?", "description": "", "modified": "2024-03-05T22:00:26.685000", "created": "2024-02-12T01:14:23.337000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": "65c09e487b3899f3442aed96", "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "775 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c09e487b3899f3442aed96", "name": "Cyber espionage & Ransomware attacks spread via Phone call?", "description": "", "modified": "2024-03-05T22:00:26.685000", "created": "2024-02-05T08:37:28.774000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": "65c012b5e56cc9474ebb701f", "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "775 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c012b5e56cc9474ebb701f", "name": "Cyber espionage & Ransomware attacks spread via Phone calls", "description": "Very strange and critical occurrences of businesses, healthcare facilities and individuals becoming part of a botnet and hacking attack when call connects with certain individuals. Healthcare facilities may be spreading this very critical vulnerability. Attacker has access to every device & camera of affected.\n*Smoke Loader\nSmoke Loader is a malicious bot application that can be used to load other malware.Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins.", "modified": "2024-03-05T22:00:26.685000", "created": "2024-02-04T22:41:55.432000", "tags": [ "ssl certificate", "whois record", "contacted", "execution", "historical ssl", "contacted urls", "whois whois", "zfglddkl58a url", "q0gpyr1balpdgpo", "relacionada", "formbook", "smoke loader", "iframe", "january", "resolutions", "referrer", "threat roundup", "snatch", "ransomware", "hacktool", "record type", "ttl value", "tsara brashears", "apple", "apple ios", "password bypass", "malware", "password", "apple phone", "download", "crypto", "relic", "monitoring", "installer", "tofsee", "core", "qakbot", "lumma stealer", "ransomexx", "communicating", "el0kpmhlfz", "qdkxgr24yz", "kgs0", "kls0", "malicious", "phi", "pii", "dofoil", "worn", "rat", "network", "dns", "trojan", "remote", "phone hacking", "hacked by phone call", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "html info", "information", "meta tags", "network", "march", "july", "september", "february", "redline stealer", "probe", "raccoonstealer", "no data", "tag count", "thu apr", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "asyncrat", "redlinestealer", "diamondfox", "first", "botnet command and control", "python connection", "tulach" ], "references": [ "https://www.crccolorado.com/dr-adam-sang", "CS IDS Rules: MALWARE Possible Compromised Host", "CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt", "CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses", "CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst", "http://www.defi-realty.com/jem9/ [phishing]", "http://45.159.189.105/bot/regex [phishing | tracking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://attack.mitre.org/software/S0226/", "http://watchhers.net/index.php. [ data collection]", "remotewd.com", "https://remote.krogerlaw.com", "device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com", "www.pornhub.com [password decryption]", "www.supernetforme.com [CnC]", "ddos.dnsnb8.net [CnC]", "http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing]", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743", "http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs", "https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!]", "https://us-bankofamerica.com/PhoneVerification.php/", "http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection]", "http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip", "http://iphones.email [redirection chain]", "*Patient PII & PHI at critical risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Smoke Loader", "display_name": "Smoke Loader", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Razy", "display_name": "Razy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "DangerousObject.Multi", "display_name": "DangerousObject.Multi", "target": null }, { "id": "Trojan.Injector", "display_name": "Trojan.Injector", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Defacement", "display_name": "Defacement", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [ "Healthcare", "Civil Society", "Patients" ], "TLP": "white", "cloned_from": null, "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 244, "FileHash-SHA1": 237, "FileHash-SHA256": 5468, "URL": 3747, "domain": 2512, "hostname": 1593, "CVE": 4 }, "indicator_count": 13805, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "775 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be56d6df9d36bac14ccd87", "name": "AZORult CnC", "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares", "modified": "2024-03-04T14:03:17.574000", "created": "2024-02-03T15:08:06.808000", "tags": [ "ssl certificate", "whois record", "threat roundup", "whois whois", "january", "historical ssl", "referrer", "april", "resolutions", "siblings domain", "march", "february", "obz4usfn0 http", "problems", "threat network", "infrastructure", "st201601152", "startpage", "iframe", "united", "unknown", "search", "showing", "united kingdom", "creation date", "aaaa", "cname", "scan endpoints", "all octoseek", "date", "next", "script urls", "soa nxdomain", "link", "xml title", "portugal", "domain", "status", "expiration date", "pulse pulses", "as44273 host", "domain robot", "as61969 team", "body", "as8075", "netherlands", "servers", "emails", "duo insight", "type", "asnone united", "name servers", "germany unknown", "passive dns", "as14061", "as49453", "lowfi", "a domains", "urls", "privacy inc", "customer", "trojandropper", "dynamicloader", "default", "medium", "entries", "khtml", "download", "show", "activity", "http", "copy", "write", "malware", "adware affiliate", "hostname", "trojan", "pulse submit", "url analysis", "files", "as212913 fop", "russia unknown", "as397240", "as15169 google", "as19237 omnis", "as22169 omnis", "as20068 hawk", "as133618", "as47846", "as22489", "encrypt", "record value", "pragma", "accept ch", "ireland unknown", "msie", "chrome", "style", "gmt setcookie", "as6724 strato", "core", "win32", "backdoor", "expl", "exploit", "ipv4", "virtool", "azorult cnc", "possible", "as7018 att", "regsetvalueexa", "china as4134", "service", "asnone", "dns lookup", "ransom", "push", "eternalblue", "recon", "playgame", "domain name", "as13768 aptum", "meta", "error", "as43350 nforce", "as55286", "as60558 phoenix", "ip address", "registrar", "1996", "contacted", "unlocker", "red team", "af81 http", "execution", "open", "whois sslcert", "suspicious c2", "cve202322518", "collection", "vt graph", "excel", "emotet", "metro", "jeffrey reimer pt", "sharecare", "tsara brashears", "apple", "icloud" ], "references": [ "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "qbot.zip", "imp.fusioninstall.com", "https://mylegalbid.com/malwarebytes", "192.185.223.216 | 192.168.56.1 [malware]", "http://45.159.189.105/bot/regex", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "xhamster.comyouporn.com", "cams4all.com", "watchhers.net", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "youramateuporn.com", "ns2.abovedomains.com", "ww16.porn-community.porn25.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "pirateproxy.cc", "mwilliams.dev@gmail.com | piratepages.com", "838114.parkingcrew.net", "static-push-preprod.porndig.com", "www.redtube.comyouporn.com", "https://severeporn-com.pornproxy.page/", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "yoursexy.porn | indianyouporn.com", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "cdn.pornsocket.com", "http://secure.indianpornpass.com/track/hotpornstuff", "www.anyxxxtube.net", "https://twitter.com/PORNO_SEXYBABES", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "24-70mm.camera", "dropboxpayments.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "http://xred.mooo.com", "https://sexgalaxy.net/tag/rodneymoore/", "http://alive.overit.com/~schoolbu/badmood3.exe", "jimgaffigan.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Germany", "France" ], "malware_families": [ { "id": "Adware Affiliate", "display_name": "Adware Affiliate", "target": null }, { "id": "AZORult CnC", "display_name": "AZORult CnC", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8134, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 737, "FileHash-SHA1": 692, "FileHash-SHA256": 7488, "URL": 6694, "domain": 5247, "hostname": 2932, "email": 49, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 23842, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65be56d257bb241c4fa3f68d", "name": "AZORult CnC", "description": "Behaviors\n\nSteals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version\nSteals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software\nSteals stored email credentials of different mail clients\nSteals user names, passwords, and hostnames from different browsers\nSteals bitcoin wallets - Monero and uCoin\nSteals Steam and telegram credentials\nSteals Skype chat history and messages\nExecutes backdoor commands from a remote malicious user to collect host Internet protocol (IP) information, download/execute/delete file\nCapabilities\n\nInformation Theft\nBackdoor commands\nExploits\nDownload Routine\nImpact\n\nCompromise system security - with backdoor capabilities that can execute malicious commands, downloads and installs additional malwares", "modified": "2024-03-04T14:03:17.574000", "created": "2024-02-03T15:08:02.291000", "tags": [ "ssl certificate", "whois record", "threat roundup", "whois whois", "january", "historical ssl", "referrer", "april", "resolutions", "siblings domain", "march", "february", "obz4usfn0 http", "problems", "threat network", "infrastructure", "st201601152", "startpage", "iframe", "united", "unknown", "search", "showing", "united kingdom", "creation date", "aaaa", "cname", "scan endpoints", "all octoseek", "date", "next", "script urls", "soa nxdomain", "link", "xml title", "portugal", "domain", "status", "expiration date", "pulse pulses", "as44273 host", "domain robot", "as61969 team", "body", "as8075", "netherlands", "servers", "emails", "duo insight", "type", "asnone united", "name servers", "germany unknown", "passive dns", "as14061", "as49453", "lowfi", "a domains", "urls", "privacy inc", "customer", "trojandropper", "dynamicloader", "default", "medium", "entries", "khtml", "download", "show", "activity", "http", "copy", "write", "malware", "adware affiliate", "hostname", "trojan", "pulse submit", "url analysis", "files", "as212913 fop", "russia unknown", "as397240", "as15169 google", "as19237 omnis", "as22169 omnis", "as20068 hawk", "as133618", "as47846", "as22489", "encrypt", "record value", "pragma", "accept ch", "ireland unknown", "msie", "chrome", "style", "gmt setcookie", "as6724 strato", "core", "win32", "backdoor", "expl", "exploit", "ipv4", "virtool", "azorult cnc", "possible", "as7018 att", "regsetvalueexa", "china as4134", "service", "asnone", "dns lookup", "ransom", "push", "eternalblue", "recon", "playgame", "domain name", "as13768 aptum", "meta", "error", "as43350 nforce", "as55286", "as60558 phoenix", "ip address", "registrar", "1996", "contacted", "unlocker", "red team", "af81 http", "execution", "open", "whois sslcert", "suspicious c2", "cve202322518", "collection", "vt graph", "excel", "emotet", "metro", "jeffrey reimer pt", "sharecare", "tsara brashears", "apple", "icloud" ], "references": [ "https://www.sharecare.com/doctor/jeffrey-reimer-6ie6z", "qbot.zip", "imp.fusioninstall.com", "https://mylegalbid.com/malwarebytes", "192.185.223.216 | 192.168.56.1 [malware]", "http://45.159.189.105/bot/regex", "https://success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null", "http://config.premiuminstaller.com/config/ls/offers.json?pid=installer&ts=2014-10-14T18:54:45.9443368Z&br=CR&adprovider=marmarf", "xhamster.comyouporn.com", "cams4all.com", "watchhers.net", "weconnect.com", "icloud-appleidsuport.com | appleid.com | apple.com | apple-dns.net", "http://install.oinstaller5.com/o/jfaquew_jupdate/setup.exe?mode=dlshift&sf=0&subid=a208&filedescription=setup&adprovider=jfaquew&cpixe", "init.ess.apple.com | 0-courier.push.apple.com | dns1.registrar-servers.com", "Apple -dns1.registrar-servers.com | emails.redvue.com | icloud-appleidsuport.com", "https://songculture.com/tsara-brashears | https://www.songculture.com/tsara-brashears-music", "https://www.songculture.com/tsara-lynn-brashears-music", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "youramateuporn.com", "ns2.abovedomains.com", "ww16.porn-community.porn25.com", "https://totallyspies.1000hentai.com/tag/clover-porn/", "pirateproxy.cc", "mwilliams.dev@gmail.com | piratepages.com", "838114.parkingcrew.net", "static-push-preprod.porndig.com", "www.redtube.comyouporn.com", "https://severeporn-com.pornproxy.page/", "https://spankbang-com.pornproxy.page/593ao/video/sunshine%20mouth%20stuffed%20gagged%20and%20tied%20with%20her%20friend", "yoursexy.porn | indianyouporn.com", "source-6.youporn.express | source-6.sexpornsource.com\t hostname\tsource-3.xxxporn.club | source-2.pornhubs.best | source-2.freepornxo.com", "cdn.pornsocket.com", "http://secure.indianpornpass.com/track/hotpornstuff", "www.anyxxxtube.net", "https://twitter.com/PORNO_SEXYBABES", "http://www.my-sexcam.com/mf6w/?K48hY=mUHPm4taPKwCazx4uoqkcvO3m838TOpLC/XyTruUQEV1lwGjr5ldYJa4yIBvf0ifHE4=&sHB=DPfXxzFpo", "campaign-manager.sharecare.com", "qa.companycam.com", "https://app.join.engineeringim.com/e/er?utm_source=eloqua&utm_medium=email&utm_campaign=&sp_cid=&utm_content=PB_NAM23BSE_PB_06_BATT_PW_Shmuel&sp_aid=27591&sp_rid=31788066&sp_eh=577a94ae55b9b9c106e776e684a2413f8c4dac061fc5b814c054be9e822698d9&s=949606000&lid=79146&elqTrackId=2AD273F3E5AB3555FA7D5FA11122C7C2&elq=a46790e54bbc42d2b0adbc4e6533814e&elqaid=27591&elqat=1", "24-70mm.camera", "dropboxpayments.com", "http://r3.i.lencr.org/ | r3.i.lencr.org | c.lencr.org | x1.c.lencr.org", "http://xred.mooo.com", "https://sexgalaxy.net/tag/rodneymoore/", "http://alive.overit.com/~schoolbu/badmood3.exe", "jimgaffigan.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United Kingdom of Great Britain and Northern Ireland", "United States of America", "Netherlands", "Germany", "France" ], "malware_families": [ { "id": "Adware Affiliate", "display_name": "Adware Affiliate", "target": null }, { "id": "AZORult CnC", "display_name": "AZORult CnC", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 737, "FileHash-SHA1": 692, "FileHash-SHA256": 7488, "URL": 6694, "domain": 5247, "hostname": 2932, "email": 49, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 23842, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "776 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://woodsubkfc.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://woodsubkfc.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776640986.737718 }