{ "type": "URL", "indicator": "https://wsc1.jomax.net", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://wsc1.jomax.net", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2573955206, "indicator": "https://wsc1.jomax.net", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 36, "pulses": [ { "id": "6a0720634ea305e1776cb0df", "name": "credit: OctoSeek [\u2022Sakula Rat | Porn Name Change\u2022]", "description": "", "modified": "2026-05-15T13:32:19.730000", "created": "2026-05-15T13:32:19.730000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "6681f3bd6a8701371811709b", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c795bb826e6067f37ea127", "name": "'3' clone by credit: krishivpatel", "description": "", "modified": "2026-03-28T08:47:55.537000", "created": "2026-03-28T08:47:55.537000", "tags": [ "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "dns replication", "date", "type name", "text", "mailpass mixed", "redacted for", "privacy tech", "postal code", "server", "registrar abuse", "code", "domain id", "iana id", "admin country", "script urls", "a domains", "search", "status", "x fw", "record value", "for privacy", "title", "body", "unknown", "encrypt", "log id", "gmtn", "tls web", "ca issuers", "timestamp", "b715", "b59bn timestamp", "cc50689e0a", "scan endpoints", "false", "digicert tls", "rsa sha256", "full name", "digicert inc", "organization", "massachusetts", "cambridge", "as54113", "united", "trojan", "passive dns", "showing", "entries", "win32", "flywheel", "sea x", "accept", "twitter", "ransom", "meta", "urls", "all scoreblue", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "nxdomain", "whitelisted", "cname", "aaaa", "gandi sas", "creation date", "emails", "avast avg", "ipv4", "files", "location united", "ascii text", "pattern match", "png image", "rgba", "suricata stream", "command decode", "size", "sha1", "mitre att", "et tor", "hybrid", "general", "local", "click", "strings", "4624", "glox", "ck id", "suspicious", "learn", "command", "name tactics", "informative", "ck techniques", "development att", "adversaries", "historical ssl", "referrer", "copy", "typosquat infra", "tracker", "jekyll", "hide", "norad tracking", "speakez securus", "nuance china", "phishing", "facebook", "hiddentear", "metro", "malware", "malicious", "skynet", "revil", "pykspa", "next", "as44273 host", "as7018 att", "domain related", "hosting", "name servers", "west domains", "asnone germany", "singapore", "as21499 host", "as20940", "germany", "object", "found", "domain", "files domain", "files related", "pulses otx", "pulses", "tags", "related tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "delphi generic", "icons library", "pe32 linker", "info header", "name md5", "overlay", "dos exe", "moved", "gmt server", "centos", "domains", "dynadot inc", "contacted", "ip detections", "country", "de execution", "parents", "file type", "pulse submit", "url analysis", "win32heur mar", "dynamicloader", "medium", "qaeaav12", "windows", "high", "show", "qbeipbdii", "inetsim http", "powershell", "drweb", "write", "default", "module load", "t1129", "post http", "dock", "june", "delphi", "read c", "renos", "trojan downloader", "social engineering", "dns", "fraud", "cybercrime", "stalking", "tracking", "apple", "apple ios", "samsung", "danger" ], "references": [ "https://the initiative.org | Initiative Co.org | chelsea@theinitiativeco.org", "Antivirus Detections:: Win.Downloader.103202-1 , #LowFiEnableDTContinueAfterUnpacking", "IDS Detections: Long Fake wget 3.0 User-Agent Detected Win32.Renos/Artro Trojan Checkin M1 Win32/Renos Checkin 3", "IDS Detections: W32/TrojanDownloader.Renos CnC Activity Suspicious User-Agent Malware related Windows wget network_http", "Alerts: cape_detected_threat antidebug_devices antivm_generic_disk enumerates_physical_drives deletes_executed_files", "Alerts: deletes_self suricata_alert dynamic_function_loading powershell_download powershell_request stealth_window", "Alerts: injection_rwx network_cnc_http antidebug_setunhandledexceptionfilter stealth_timeout uses_windows_utilities", "https://applemusic-spotlight.myunidays.com/US/en-US?", "applemusic-spotlight.myunidays.com | nr-data.net [Apple Private Data Collection] Sabey Data Center", "http://borowski-duncan.com/?user-agent=mozilla/5.0+(windows+nt+10.0;+win64;+x64)+applewebkit/537.36+(khtml,+like+gecko)+chrome/86.0.424", "http://imap.brooklyngeneration.org/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/brazilian-porn/", "A Jefferson County, Co Police 'advocate' referred target to a group that 'couldn't' to provide services. Referred to The Bench. Unwilling to help", "Victim gets a 'social' engineering' call taking every bit of information about victim and case.", "She was cleared for treatment; then declined citing a brain injury. Most of 'BB' clients have a TBI", "Victim was then given numbers to workers compensation doctors who didn't speak English", "Law Firm drops her and asks her who she really is? Victim was assaulted for her phone and other", "Victim doesn't fault Police who didn't show intent. Detective did close case, assailant ID issues", "Was told by advocate that his description matches the male in vehicle following her for months.", "Be did wear a gator making it improbable for positive identification", "She was assaulted for phone 6 weeks after being intentional,y driven off highway", "Higher SCI sustained. Positive ID. Driver allowed to walk. Positive License Plate and description of driver with criminal intent.", "In the USA she is denied treatment for new injuries to spine causing deep decline. This is crazy.", "A series of strange female detectives enter. All corrupt fails. If victim was in prison fight she'd be treated w/guards outside of hospital room door." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": "66cc6e2c6c5bb617fa7fa892", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 6, "domain": 782, "hostname": 530, "FileHash-SHA1": 382, "FileHash-SHA256": 1572, "URL": 847, "FileHash-MD5": 386, "SSLCertFingerprint": 12 }, "indicator_count": 4517, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "64 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66831f04ad169d3b685c9645", "name": "Win.exe , Bootstrapper.exe , pl.microsoft.com , microsoft.com/pki/certs/MicRooCerAut_2010", "description": "rule UPX { meta: author = \"kevoreilly\" description = \"UPX dump on OEP (original entry point)\" cape_options = \"bp0=$upx32+9,bp0=$upx64+11,action0=step2oep\" strings: $upx32 = {6A 00 39 C4 75 FA 83 EC ?? rule Windows_Generic_Threat_5c18a7f9 { meta: author = \"Elastic Security\" id = \"5c18a7f9-01af-468b-9a63-cfecbeb739d7\" fingerprint = \"68c9114ac342d527cf6f0cea96b63dfeb8e5d80060572fad2bbc7d287c752d4a\" creation_date = \"2024-01-21\" last_modified = \"2024-02-08\" threat_name = \"Windows.\ndca60557a1f47948d7158ba9f56ad8656bd0b343488264e23037fd66174e3cd5\nb4f7ace176d0eeba828e7c03f39befb30355223860d14e6ca4422fdb81778df7\nPr\u00f3bka Cuckoo-843b85c493b8a9048b2ab73a9d1a8.cab - polecenie Microsoft Office.\nResearchers have decoded a new set of data on how to store data in a safe and easy-to-use digital format, as well as the results of a series of tests on the subject.", "modified": "2024-10-14T20:36:07.924000", "created": "2024-07-01T21:26:27.623000", "tags": [ "no expiration", "filehashsha256", "hacktool", "expiration", "win32autokms no", "filehashmd5", "filehashsha1", "virus", "sha1", "win32", "trojan", "ransom", "pejzasz", "vhash", "imphash", "ssdeep", "hash", "skrt", "y pkmsauto", "crlf", "dodaj", "hostsettings", "v wczono", "t regdword", "powershell", "nowy", "pe32", "intel", "ms windows", "nazwa typ", "md5 nazwa", "procesu", "vs2013", "rticon neutral", "compiler", "submission", "file version", "chi2", "contained", "authentihash", "pehash", "uacme akagi", "cobalt strike", "detects", "roth", "sliver stagers", "highvol", "detects imphash", "zero", "virustotal", "detection rule", "license", "arnim rupp", "whasz", "github", "postpuj zgodnie", "przegld", "danie id", "github og", "url https", "error", "toast", "clientrender", "date", "promise", "65536", "client env", "alloy", "rangeerror", "staff", "upx dump", "security", "license v2", "e8 ff", "fc ff", "ff ff", "e8 f7", "c3 e8", "e8 db", "f0 c9", "c8 ff", "c9 c3", "c4 a8", "a7 ff", "f1 e8", "ec c7", "f0 c0", "c1 e9", "ec e8", "ff e8", "a3 a4", "db e2", "b0 e9", "e8 ba", "b9 f3", "e4 f8", "ff e9", "eb ed", "b6 b3", "b6 bb", "c8 f7", "c6 a8", "f6 c1", "b0 d7", "df e0", "c4 f0", "fc e8", "cf e5", "f8 ff", "f7 ff", "cc cc", "c3 b8", "b9 ff", "ff f3", "ab aa", "f7 f9", "b8 c7", "be ad", "ef be", "ad de", "e9 cd", "c4 f4", "fe ff", "d1 fa", "fa fc", "f3 a6", "fb ff", "fc c6", "fc eb", "e8 ed", "fb d1", "b6 f8", "c7 c7", "ec d0", "b6 d2", "ff e1", "c0 ac", "c1 e3", "c3 aa", "c2 c1", "d3 f7", "fc c7", "win32 cabinet", "selfextractor", "pecompact", "yarahub", "yara", "repository", "hub", "repo", "malware_onenote_delivery_jan23", "yara rule", "team", "sifalconteam", "yarahub entry", "rule details", "malpedia family", "rule matching", "content copy", "download rule", "malware", "cc by", "vbscript", "sub autoopen", "getobject", "batch" ], "references": [ "https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js", "https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23" ], "public": 1, "adversary": "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 361, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 14732, "FileHash-MD5": 4316, "FileHash-SHA1": 3405, "YARA": 181, "URL": 4793, "domain": 1717, "hostname": 4354, "IPv4": 107, "IPv6": 845, "email": 26, "CVE": 13, "FilePath": 1 }, "indicator_count": 34490, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66cc6e2c6c5bb617fa7fa892", "name": "3", "description": "", "modified": "2024-08-27T03:05:18.727000", "created": "2024-08-26T11:59:40.174000", "tags": [ "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "dns replication", "date", "type name", "text", "mailpass mixed", "redacted for", "privacy tech", "postal code", "server", "registrar abuse", "code", "domain id", "iana id", "admin country", "script urls", "a domains", "search", "status", "x fw", "record value", "for privacy", "title", "body", "unknown", "encrypt", "log id", "gmtn", "tls web", "ca issuers", "timestamp", "b715", "b59bn timestamp", "cc50689e0a", "scan endpoints", "false", "digicert tls", "rsa sha256", "full name", "digicert inc", "organization", "massachusetts", "cambridge", "as54113", "united", "trojan", "passive dns", "showing", "entries", "win32", "flywheel", "sea x", "accept", "twitter", "ransom", "meta", "urls", "all scoreblue", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "nxdomain", "whitelisted", "cname", "aaaa", "gandi sas", "creation date", "emails", "avast avg", "ipv4", "files", "location united", "ascii text", "pattern match", "png image", "rgba", "suricata stream", "command decode", "size", "sha1", "mitre att", "et tor", "hybrid", "general", "local", "click", "strings", "4624", "glox", "ck id", "suspicious", "learn", "command", "name tactics", "informative", "ck techniques", "development att", "adversaries", "historical ssl", "referrer", "copy", "typosquat infra", "tracker", "jekyll", "hide", "norad tracking", "speakez securus", "nuance china", "phishing", "facebook", "hiddentear", "metro", "malware", "malicious", "skynet", "revil", "pykspa", "next", "as44273 host", "as7018 att", "domain related", "hosting", "name servers", "west domains", "asnone germany", "singapore", "as21499 host", "as20940", "germany", "object", "found", "domain", "files domain", "files related", "pulses otx", "pulses", "tags", "related tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "delphi generic", "icons library", "pe32 linker", "info header", "name md5", "overlay", "dos exe", "moved", "gmt server", "centos", "domains", "dynadot inc", "contacted", "ip detections", "country", "de execution", "parents", "file type", "pulse submit", "url analysis", "win32heur mar", "dynamicloader", "medium", "qaeaav12", "windows", "high", "show", "qbeipbdii", "inetsim http", "powershell", "drweb", "write", "default", "module load", "t1129", "post http", "dock", "june", "delphi", "read c", "renos", "trojan downloader", "social engineering", "dns", "fraud", "cybercrime", "stalking", "tracking", "apple", "apple ios", "samsung", "danger" ], "references": [ "https://the initiative.org | Initiative Co.org | chelsea@theinitiativeco.org", "Antivirus Detections:: Win.Downloader.103202-1 , #LowFiEnableDTContinueAfterUnpacking", "IDS Detections: Long Fake wget 3.0 User-Agent Detected Win32.Renos/Artro Trojan Checkin M1 Win32/Renos Checkin 3", "IDS Detections: W32/TrojanDownloader.Renos CnC Activity Suspicious User-Agent Malware related Windows wget network_http", "Alerts: cape_detected_threat antidebug_devices antivm_generic_disk enumerates_physical_drives deletes_executed_files", "Alerts: deletes_self suricata_alert dynamic_function_loading powershell_download powershell_request stealth_window", "Alerts: injection_rwx network_cnc_http antidebug_setunhandledexceptionfilter stealth_timeout uses_windows_utilities", "https://applemusic-spotlight.myunidays.com/US/en-US?", "applemusic-spotlight.myunidays.com | nr-data.net [Apple Private Data Collection] Sabey Data Center", "http://borowski-duncan.com/?user-agent=mozilla/5.0+(windows+nt+10.0;+win64;+x64)+applewebkit/537.36+(khtml,+like+gecko)+chrome/86.0.424", "http://imap.brooklyngeneration.org/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/brazilian-porn/", "A Jefferson County, Co Police 'advocate' referred target to a group that 'couldn't' to provide services. Referred to The Bench. Unwilling to help", "Victim gets a 'social' engineering' call taking every bit of information about victim and case.", "She was cleared for treatment; then declined citing a brain injury. Most of 'BB' clients have a TBI", "Victim was then given numbers to workers compensation doctors who didn't speak English", "Law Firm drops her and asks her who she really is? Victim was assaulted for her phone and other", "Victim doesn't fault Police who didn't show intent. Detective did close case, assailant ID issues", "Was told by advocate that his description matches the male in vehicle following her for months.", "Be did wear a gator making it improbable for positive identification", "She was assaulted for phone 6 weeks after being intentional,y driven off highway", "Higher SCI sustained. Positive ID. Driver allowed to walk. Positive License Plate and description of driver with criminal intent.", "In the USA she is denied treatment for new injuries to spine causing deep decline. This is crazy.", "A series of strange female detectives enter. All corrupt fails. If victim was in prison fight she'd be treated w/guards outside of hospital room door." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": "66a5c2445cf4bbf984e98861", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Krishivpatel", "id": "292085", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 6, "domain": 782, "hostname": 530, "FileHash-SHA1": 382, "FileHash-SHA256": 1572, "URL": 847, "FileHash-MD5": 386, "SSLCertFingerprint": 12 }, "indicator_count": 4517, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "642 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66a5c2445cf4bbf984e98861", "name": "Social Engineering Crime Victims into Tracking Botnets | Fraud", "description": "Social Engineering 'S' Assault Victims into Tracking Botnets. This goes against basic human rights. An organization named 'The Blue Bench' referred victim to The Initiative for advocacy. She was social engineered, severely compromised and sent diverted from 'The Blue Bench' Colorado. They denied treatment for assault victim in 2022, while The Initiative ' Brian Sabey's stuff, tracked and hijacked phone and location, conversations.\nAuto-populated: \"Last HTTPS certificate\" is the last one to be issued on the internet, according to the website, and it is believed to have been signed by a member of the US government.", "modified": "2024-08-27T03:05:18.727000", "created": "2024-07-28T04:00:04.773000", "tags": [ "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "dns replication", "date", "type name", "text", "mailpass mixed", "redacted for", "privacy tech", "postal code", "server", "registrar abuse", "code", "domain id", "iana id", "admin country", "script urls", "a domains", "search", "status", "x fw", "record value", "for privacy", "title", "body", "unknown", "encrypt", "log id", "gmtn", "tls web", "ca issuers", "timestamp", "b715", "b59bn timestamp", "cc50689e0a", "scan endpoints", "false", "digicert tls", "rsa sha256", "full name", "digicert inc", "organization", "massachusetts", "cambridge", "as54113", "united", "trojan", "passive dns", "showing", "entries", "win32", "flywheel", "sea x", "accept", "twitter", "ransom", "meta", "urls", "all scoreblue", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "nxdomain", "whitelisted", "cname", "aaaa", "gandi sas", "creation date", "emails", "avast avg", "ipv4", "files", "location united", "ascii text", "pattern match", "png image", "rgba", "suricata stream", "command decode", "size", "sha1", "mitre att", "et tor", "hybrid", "general", "local", "click", "strings", "4624", "glox", "ck id", "suspicious", "learn", "command", "name tactics", "informative", "ck techniques", "development att", "adversaries", "historical ssl", "referrer", "copy", "typosquat infra", "tracker", "jekyll", "hide", "norad tracking", "speakez securus", "nuance china", "phishing", "facebook", "hiddentear", "metro", "malware", "malicious", "skynet", "revil", "pykspa", "next", "as44273 host", "as7018 att", "domain related", "hosting", "name servers", "west domains", "asnone germany", "singapore", "as21499 host", "as20940", "germany", "object", "found", "domain", "files domain", "files related", "pulses otx", "pulses", "tags", "related tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "delphi generic", "icons library", "pe32 linker", "info header", "name md5", "overlay", "dos exe", "moved", "gmt server", "centos", "domains", "dynadot inc", "contacted", "ip detections", "country", "de execution", "parents", "file type", "pulse submit", "url analysis", "win32heur mar", "dynamicloader", "medium", "qaeaav12", "windows", "high", "show", "qbeipbdii", "inetsim http", "powershell", "drweb", "write", "default", "module load", "t1129", "post http", "dock", "june", "delphi", "read c", "renos", "trojan downloader", "social engineering", "dns", "fraud", "cybercrime", "stalking", "tracking", "apple", "apple ios", "samsung", "danger" ], "references": [ "https://the initiative.org | Initiative Co.org | chelsea@theinitiativeco.org", "Antivirus Detections:: Win.Downloader.103202-1 , #LowFiEnableDTContinueAfterUnpacking", "IDS Detections: Long Fake wget 3.0 User-Agent Detected Win32.Renos/Artro Trojan Checkin M1 Win32/Renos Checkin 3", "IDS Detections: W32/TrojanDownloader.Renos CnC Activity Suspicious User-Agent Malware related Windows wget network_http", "Alerts: cape_detected_threat antidebug_devices antivm_generic_disk enumerates_physical_drives deletes_executed_files", "Alerts: deletes_self suricata_alert dynamic_function_loading powershell_download powershell_request stealth_window", "Alerts: injection_rwx network_cnc_http antidebug_setunhandledexceptionfilter stealth_timeout uses_windows_utilities", "https://applemusic-spotlight.myunidays.com/US/en-US?", "applemusic-spotlight.myunidays.com | nr-data.net [Apple Private Data Collection] Sabey Data Center", "http://borowski-duncan.com/?user-agent=mozilla/5.0+(windows+nt+10.0;+win64;+x64)+applewebkit/537.36+(khtml,+like+gecko)+chrome/86.0.424", "http://imap.brooklyngeneration.org/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/brazilian-porn/", "A Jefferson County, Co Police 'advocate' referred target to a group that 'couldn't' to provide services. Referred to The Bench. Unwilling to help", "Victim gets a 'social' engineering' call taking every bit of information about victim and case.", "She was cleared for treatment; then declined citing a brain injury. Most of 'BB' clients have a TBI", "Victim was then given numbers to workers compensation doctors who didn't speak English", "Law Firm drops her and asks her who she really is? Victim was assaulted for her phone and other", "Victim doesn't fault Police who didn't show intent. Detective did close case, assailant ID issues", "Was told by advocate that his description matches the male in vehicle following her for months.", "Be did wear a gator making it improbable for positive identification", "She was assaulted for phone 6 weeks after being intentional,y driven off highway", "Higher SCI sustained. Positive ID. Driver allowed to walk. Positive License Plate and description of driver with criminal intent.", "In the USA she is denied treatment for new injuries to spine causing deep decline. This is crazy.", "A series of strange female detectives enter. All corrupt fails. If victim was in prison fight she'd be treated w/guards outside of hospital room door." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 6, "domain": 782, "hostname": 530, "FileHash-SHA1": 382, "FileHash-SHA256": 1572, "URL": 847, "FileHash-MD5": 386, "SSLCertFingerprint": 12 }, "indicator_count": 4517, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "642 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f3bd6a8701371811709b", "name": "Sakula RAT | Porn name change>>brassiere.world | Orbiters ", "description": "", "modified": "2024-07-28T23:00:54.190000", "created": "2024-07-01T00:09:33.078000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "667f591470ecb21b4ad041a5", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "671 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "667f591470ecb21b4ad041a5", "name": "Sakula RAT | Porn name change>>brassiere.world | Orbiters", "description": "brassiere.world a brazzersporn redirect. Malicious Sakula RAT. Orbiters including Brian Sabey, Mile High Media Legal 2257. If this is legal then it's time to make significant change.", "modified": "2024-07-28T23:00:54.190000", "created": "2024-06-29T00:45:08.323000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "671 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a1bf9ae4cfe4669a779c", "name": "Agent Tesla", "description": "", "modified": "2023-12-06T16:30:55.036000", "created": "2023-12-06T16:30:55.036000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2906, "hostname": 1675, "FileHash-MD5": 65, "FileHash-SHA1": 66, "URL": 6938, "domain": 1727, "email": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a1b6abdfb076f2821940", "name": "FORMBOOK", "description": "", "modified": "2023-12-06T16:30:46.983000", "created": "2023-12-06T16:30:46.983000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2906, "hostname": 1675, "FileHash-MD5": 65, "FileHash-SHA1": 66, "URL": 6938, "domain": 1727, "email": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a1af4208c92832a9ae98", "name": "SKYNET", "description": "", "modified": "2023-12-06T16:30:39.892000", "created": "2023-12-06T16:30:39.892000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2906, "hostname": 1675, "FileHash-MD5": 65, "FileHash-SHA1": 66, "URL": 6938, "domain": 1727, "email": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a1a14208c92832a9ae97", "name": "Command and Control \u2022 Phishing \u2022 Hacking \u2022 Scanning Host \u2022 BotNetwork", "description": "", "modified": "2023-12-06T16:30:25.110000", "created": "2023-12-06T16:30:25.110000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2906, "hostname": 1675, "FileHash-MD5": 65, "FileHash-SHA1": 66, "URL": 6938, "domain": 1727, "email": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a197d1f648020fa5206c", "name": "Command and Control \u2022 Phishing \u2022 Hacking \u2022 Scanning Host \u2022 BotNetwork", "description": "", "modified": "2023-12-06T16:30:15.426000", "created": "2023-12-06T16:30:15.426000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2906, "hostname": 1675, "FileHash-MD5": 65, "FileHash-SHA1": 66, "URL": 6938, "domain": 1727, "email": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a18f5700cbc5aba025c9", "name": "Command and Control \u2022 Phishing \u2022 Hacking \u2022 Scanning Host \u2022 BotNetwork", "description": "", "modified": "2023-12-06T16:30:07.880000", "created": "2023-12-06T16:30:07.880000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2906, "hostname": 1675, "FileHash-MD5": 65, "FileHash-SHA1": 66, "URL": 6938, "domain": 1727, "email": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708a1071ea174c9c69a4f4", "name": "Legalbrains.com", "description": "", "modified": "2023-12-06T14:49:52.661000", "created": "2023-12-06T14:49:52.661000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 112, "hostname": 142, "domain": 133, "URL": 326, "email": 2, "FileHash-SHA1": 1 }, "indicator_count": 716, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657089a4538a6eb3a87d0377", "name": "123hp.com", "description": "", "modified": "2023-12-06T14:48:04.767000", "created": "2023-12-06T14:48:04.767000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-SHA256": 919, "domain": 1558, "URL": 3705, "hostname": 767, "email": 1, "FileHash-MD5": 6, "FileHash-SHA1": 21 }, "indicator_count": 6979, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657080319ef27fa72eb62599", "name": "jasmineforus.com ~ Texas Rep. Jasmine Crockett", "description": "", "modified": "2023-12-06T14:07:45.018000", "created": "2023-12-06T14:07:45.018000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 123, "FileHash-SHA256": 300, "domain": 135, "URL": 305, "email": 1, "FileHash-SHA1": 3 }, "indicator_count": 867, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707ff1fa425d03a709a35c", "name": "henrycuellar.com", "description": "", "modified": "2023-12-06T14:06:41.169000", "created": "2023-12-06T14:06:41.169000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 222, "hostname": 235, "domain": 142, "URL": 623, "email": 1, "FileHash-SHA1": 5, "FileHash-MD5": 2 }, "indicator_count": 1230, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707fd57848a657f774d169", "name": "www.joseforda.com", "description": "", "modified": "2023-12-06T14:06:13.435000", "created": "2023-12-06T14:06:13.435000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 270, "hostname": 141, "URL": 671, "domain": 220, "email": 1, "FileHash-SHA1": 16 }, "indicator_count": 1319, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707e9077f40bbd219682d7", "name": "hrcoffice.com", "description": "", "modified": "2023-12-06T14:00:48.486000", "created": "2023-12-06T14:00:48.486000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 424, "URL": 478, "domain": 310, "hostname": 214, "email": 2 }, "indicator_count": 1428, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707e7a99c27e9bccdf7ff7", "name": "bean.net", "description": "", "modified": "2023-12-06T14:00:26.015000", "created": "2023-12-06T14:00:26.015000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 204, "domain": 250, "hostname": 277, "URL": 795, "FileHash-SHA1": 1, "email": 1 }, "indicator_count": 1528, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707e506f793f135ee6fdf9", "name": "prn.com", "description": "", "modified": "2023-12-06T13:59:44.766000", "created": "2023-12-06T13:59:44.766000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 472, "FileHash-SHA256": 123, "URL": 1540, "domain": 122, "email": 1, "FileHash-SHA1": 13 }, "indicator_count": 2271, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f8c8f9ff01647942e89ab9", "name": "Command and Control \u2022 Phishing \u2022 Hacking \u2022 Scanning Host \u2022 BotNetwork", "description": "Extremely Robust hacking campaign for a single individual with a small publishing company. \nTsara Brashears targeted individual in command and control , phishing, porn, hacking, etc scheme.\nIPv4 45.159.189.105 command_and_control\t\t\t\t\t\nURL\nhttp://matfyz.cz/ phishing\t\t\tNo Expiration\t\nURL\nhttp://www.craftbychristians.com/wufn/ phishing\n No Expiration\t\t\n\nURL\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing No Expiration\t\t\nhttps://www.milehighmedia.com/legal/2257 phishing\t\t\t\nIPv4 20.99.133.109 scanning_host\t\t\t\nIPv4 218.85.157.99 scanning_host", "modified": "2023-10-06T16:01:17.992000", "created": "2023-09-06T18:46:17.482000", "tags": [ "contacted", "threat roundup", "whois record", "execution", "october", "april", "whois whois", "december", "march", "tsara brashears", "copy", "core", "hacktool", "emotet", "goldbackdoor", "attack", "metro", "nanocore", "remcos", "qakbot", "download", "malware", "hijacker", "monitoring", "skynet", "contacted urls", "ssl certificate", "historical ssl", "august", "formbook", "agent tesla", "korplug", "relic", "colibri loader" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6938, "FileHash-MD5": 65, "FileHash-SHA1": 66, "FileHash-SHA256": 2906, "domain": 1727, "hostname": 1675, "email": 1, "CVE": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "967 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f8c8ff2590e49e9ecd6b67", "name": "Command and Control \u2022 Phishing \u2022 Hacking \u2022 Scanning Host \u2022 BotNetwork", "description": "Extremely Robust hacking campaign for a single individual with a small publishing company. \nTsara Brashears targeted individual in command and control , phishing, porn, hacking, etc scheme.\nIPv4 45.159.189.105 command_and_control\t\t\t\t\t\nURL\nhttp://matfyz.cz/ phishing\t\t\tNo Expiration\t\nURL\nhttp://www.craftbychristians.com/wufn/ phishing\n No Expiration\t\t\n\nURL\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing No Expiration\t\t\nhttps://www.milehighmedia.com/legal/2257 phishing\t\t\t\nIPv4 20.99.133.109 scanning_host\t\t\t\nIPv4 218.85.157.99 scanning_host", "modified": "2023-10-06T16:01:17.992000", "created": "2023-09-06T18:46:23.127000", "tags": [ "contacted", "threat roundup", "whois record", "execution", "october", "april", "whois whois", "december", "march", "tsara brashears", "copy", "core", "hacktool", "emotet", "goldbackdoor", "attack", "metro", "nanocore", "remcos", "qakbot", "download", "malware", "hijacker", "monitoring", "skynet", "contacted urls", "ssl certificate", "historical ssl", "august", "formbook", "agent tesla", "korplug", "relic", "colibri loader" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6938, "FileHash-MD5": 65, "FileHash-SHA1": 66, "FileHash-SHA256": 2906, "domain": 1727, "hostname": 1675, "email": 1, "CVE": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "967 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f8c90130e2cd1b887859ad", "name": "Command and Control \u2022 Phishing \u2022 Hacking \u2022 Scanning Host \u2022 BotNetwork", "description": "Extremely Robust hacking campaign for a single individual with a small publishing company. \nTsara Brashears targeted individual in command and control , phishing, porn, hacking, etc scheme.\nIPv4 45.159.189.105 command_and_control\t\t\t\t\t\nURL\nhttp://matfyz.cz/ phishing\t\t\tNo Expiration\t\nURL\nhttp://www.craftbychristians.com/wufn/ phishing\n No Expiration\t\t\n\nURL\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing No Expiration\t\t\nhttps://www.milehighmedia.com/legal/2257 phishing\t\t\t\nIPv4 20.99.133.109 scanning_host\t\t\t\nIPv4 218.85.157.99 scanning_host", "modified": "2023-10-06T16:01:17.992000", "created": "2023-09-06T18:46:25.683000", "tags": [ "contacted", "threat roundup", "whois record", "execution", "october", "april", "whois whois", "december", "march", "tsara brashears", "copy", "core", "hacktool", "emotet", "goldbackdoor", "attack", "metro", "nanocore", "remcos", "qakbot", "download", "malware", "hijacker", "monitoring", "skynet", "contacted urls", "ssl certificate", "historical ssl", "august", "formbook", "agent tesla", "korplug", "relic", "colibri loader" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6938, "FileHash-MD5": 65, "FileHash-SHA1": 66, "FileHash-SHA256": 2906, "domain": 1727, "hostname": 1675, "email": 1, "CVE": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "967 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f90d760420bd54f0bba54e", "name": "SKYNET ", "description": "", "modified": "2023-10-06T16:01:17.992000", "created": "2023-09-06T23:38:30.148000", "tags": [ "contacted", "threat roundup", "whois record", "execution", "october", "april", "whois whois", "december", "march", "tsara brashears", "copy", "core", "hacktool", "emotet", "goldbackdoor", "attack", "metro", "nanocore", "remcos", "qakbot", "download", "malware", "hijacker", "monitoring", "skynet", "contacted urls", "ssl certificate", "historical ssl", "august", "formbook", "agent tesla", "korplug", "relic", "colibri loader" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64f8c8f9ff01647942e89ab9", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6938, "FileHash-MD5": 65, "FileHash-SHA1": 66, "FileHash-SHA256": 2906, "domain": 1727, "hostname": 1675, "email": 1, "CVE": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "967 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f90d8d4f80ef4f0b04fb01", "name": "FORMBOOK ", "description": "", "modified": "2023-10-06T16:01:17.992000", "created": "2023-09-06T23:38:53.528000", "tags": [ "contacted", "threat roundup", "whois record", "execution", "october", "april", "whois whois", "december", "march", "tsara brashears", "copy", "core", "hacktool", "emotet", "goldbackdoor", "attack", "metro", "nanocore", "remcos", "qakbot", "download", "malware", "hijacker", "monitoring", "skynet", "contacted urls", "ssl certificate", "historical ssl", "august", "formbook", "agent tesla", "korplug", "relic", "colibri loader" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64f90d760420bd54f0bba54e", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6938, "FileHash-MD5": 65, "FileHash-SHA1": 66, "FileHash-SHA256": 2906, "domain": 1727, "hostname": 1675, "email": 1, "CVE": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "967 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f90e2ef2e0986363ea32d6", "name": "Agent Tesla ", "description": "", "modified": "2023-10-06T16:01:17.992000", "created": "2023-09-06T23:41:34.623000", "tags": [ "contacted", "threat roundup", "whois record", "execution", "october", "april", "whois whois", "december", "march", "tsara brashears", "copy", "core", "hacktool", "emotet", "goldbackdoor", "attack", "metro", "nanocore", "remcos", "qakbot", "download", "malware", "hijacker", "monitoring", "skynet", "contacted urls", "ssl certificate", "historical ssl", "august", "formbook", "agent tesla", "korplug", "relic", "colibri loader" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64f90d8d4f80ef4f0b04fb01", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6938, "FileHash-MD5": 65, "FileHash-SHA1": 66, "FileHash-SHA256": 2906, "domain": 1727, "hostname": 1675, "email": 1, "CVE": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "967 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "623e21e7c0809eb2cf33bb7a", "name": "Legalbrains.com", "description": "", "modified": "2022-04-24T00:01:15.470000", "created": "2022-03-25T20:11:19.655000", "tags": [ "server", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "date", "registry domain", "llc domain", "algorithm", "key identifier", "x509v3 subject", "llc creation", "bitdefender", "comodo valkyrie", "verdict", "umbrella" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 112, "hostname": 142, "URL": 326, "domain": 133, "email": 2, "FileHash-SHA1": 1 }, "indicator_count": 716, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1498 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6235f184c7c0b2c41f66c020", "name": "123hp.com", "description": "", "modified": "2022-04-18T00:07:16.048000", "created": "2022-03-19T15:06:44.592000", "tags": [ "server", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "date", "contact email", "llc domain", "dns replication", "subdomains", "comodo valkyrie", "verdict", "rank value", "ingestion time", "statvoo", "utc alexa", "utc cisco", "umbrella", "123HP.com", "ludevices.com" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 767, "URL": 3705, "domain": 1558, "FileHash-SHA256": 919, "CVE": 2, "email": 1, "FileHash-MD5": 6, "FileHash-SHA1": 21 }, "indicator_count": 6979, "is_author": false, "is_subscribing": null, "subscriber_count": 407, "modified_text": "1504 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "622a31e3f784acafa9be32ca", "name": "MesaCounty.net", "description": "", "modified": "2022-04-09T00:00:32.009000", "created": "2022-03-10T17:14:11.182000", "tags": [ "server", "date", "creation date", "passive dns", "lookups", "registrant", "wild west", "domains", "iana id", "registrar abuse", "dns records", "record type", "ttl value", "whois lookup", "create date", "domain name", "domain", "expiry date", "name server" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 149, "hostname": 50, "domain": 35, "FileHash-SHA256": 24, "email": 1 }, "indicator_count": 259, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1513 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "622150d52ef6a3ff789712e9", "name": "jasmineforus.com ~ Texas Rep. Jasmine Crockett", "description": "", "modified": "2022-04-02T00:04:50.405000", "created": "2022-03-03T23:35:49.396000", "tags": [ "key identifier", "x509v3 subject", "algorithm", "v3 serial", "number", "issuer", "subject public", "key info", "key algorithm", "x509v3 key", "first", "passive dns", "dns records", "record type", "ttl value", "cname", "data", "cus cngo", "daddy secure", "g2 lscottsdale", "domain status", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "date", "status texthtml", "content type", "links community", "outgoing links", "jasmineforus", "submission", "comodo valkyrie", "verdict", "history first", "analysis", "utc http", "response final", "url https", "status code", "body length", "upgrade" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 123, "URL": 305, "domain": 135, "FileHash-SHA256": 300, "email": 1, "FileHash-SHA1": 3 }, "indicator_count": 867, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1520 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6220512359fbecf37ab5c724", "name": "henrycuellar.com", "description": "", "modified": "2022-04-01T00:01:54.852000", "created": "2022-03-03T05:24:51.197000", "tags": [ "server", "key identifier", "date", "x509v3 subject", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "x509v3 key", "info", "domain status", "cname", "llc creation", "categories", "comodo valkyrie", "verdict", "submission", "history first", "analysis", "utc http", "response final", "url https", "ip address" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 235, "URL": 623, "domain": 142, "FileHash-SHA256": 222, "email": 1, "FileHash-SHA1": 5, "FileHash-MD5": 2 }, "indicator_count": 1230, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1521 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "621fd8596d70796ecf4dcd7f", "name": "www.joseforda.com", "description": "", "modified": "2022-04-01T00:01:54.852000", "created": "2022-03-02T20:49:29.421000", "tags": [ "date", "subdomains", "whois lookups", "registrant", "historical ssl", "graph summary", "domain status", "server", "key identifier", "threatseeker", "comodo valkyrie", "verdict", "ranks rank", "value ingestion", "time statvoo", "utc alexa" ], "references": [ "https://www.virustotal.com/gui/domain/joseforda.com/relations" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 141, "URL": 671, "domain": 220, "FileHash-SHA256": 270, "email": 1, "FileHash-SHA1": 16 }, "indicator_count": 1319, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1521 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62112c3b9bd45722a3fd2717", "name": "hrcoffice.com", "description": "", "modified": "2022-03-21T00:02:26.523000", "created": "2022-02-19T17:43:23.520000", "tags": [ "date", "server", "available from", "code", "proxy", "llc registrar", "registry tech", "iana id", "registrar abuse", "registrar url", "april", "domain status", "rank value", "ingestion time", "alexa", "utc statvoo", "dns records", "record type", "ttl value", "whois lookup", "submission", "history first", "analysis", "utc http", "response final", "url http", "ip address", "status code", "body length", "b body" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 478, "hostname": 214, "FileHash-SHA256": 424, "domain": 310, "email": 2 }, "indicator_count": 1428, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1532 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "620d29ed0ef3834dbf9a936b", "name": "bean.net", "description": "", "modified": "2022-03-18T00:04:44.902000", "created": "2022-02-16T16:44:29.089000", "tags": [ "date", "server", "algorithm", "key identifier", "subdomains", "whois lookups", "registrant", "wild west", "domains", "iana id", "info", "domain status", "registrar abuse", "contact phone", "dns records", "record type", "ttl value", "data" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 277, "URL": 795, "domain": 250, "FileHash-SHA256": 204, "FileHash-SHA1": 1, "email": 1 }, "indicator_count": 1528, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1535 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "620c1bbdd69adb1d392d60dd", "name": "prn.com", "description": "", "modified": "2022-03-17T00:01:08.614000", "created": "2022-02-15T21:31:41.994000", "tags": [ "server", "registrar abuse", "date", "win32 exe", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "registry domain", "key identifier", "comodo valkyrie", "ranks rank", "value ingestion", "time statvoo", "utc alexa", "utc cisco", "umbrella", "dns records", "record type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Media" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1540, "hostname": 472, "domain": 122, "FileHash-SHA256": 123, "email": 1, "FileHash-SHA1": 13 }, "indicator_count": 2271, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1536 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Victim doesn't fault Police who didn't show intent. Detective did close case, assailant ID issues", "She was cleared for treatment; then declined citing a brain injury. Most of 'BB' clients have a TBI", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "IDS Detections: Long Fake wget 3.0 User-Agent Detected Win32.Renos/Artro Trojan Checkin M1 Win32/Renos Checkin 3", "Alerts: injection_rwx network_cnc_http antidebug_setunhandledexceptionfilter stealth_timeout uses_windows_utilities", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "https://www.virustotal.com/gui/domain/joseforda.com/relations", "https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Be did wear a gator making it improbable for positive identification", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "In the USA she is denied treatment for new injuries to spine causing deep decline. This is crazy.", "https://the initiative.org | Initiative Co.org | chelsea@theinitiativeco.org", "IDS Detections: W32/TrojanDownloader.Renos CnC Activity Suspicious User-Agent Malware related Windows wget network_http", "applemusic-spotlight.myunidays.com | nr-data.net [Apple Private Data Collection] Sabey Data Center", "http://imap.brooklyngeneration.org/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/brazilian-porn/", "Victim gets a 'social' engineering' call taking every bit of information about victim and case.", "Alerts: cape_detected_threat antidebug_devices antivm_generic_disk enumerates_physical_drives deletes_executed_files", "Higher SCI sustained. Positive ID. Driver allowed to walk. Positive License Plate and description of driver with criminal intent.", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "youngcoders.ng", "Alerts: deletes_self suricata_alert dynamic_function_loading powershell_download powershell_request stealth_window", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "Law Firm drops her and asks her who she really is? Victim was assaulted for her phone and other", "Antivirus Detections:: Win.Downloader.103202-1 , #LowFiEnableDTContinueAfterUnpacking", "Victim was then given numbers to workers compensation doctors who didn't speak English", "https://applemusic-spotlight.myunidays.com/US/en-US?", "Sakula RAT: www.polarroute.com", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "https://www.pornhub.com/video/search?search=tsara+brashears", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "She was assaulted for phone 6 weeks after being intentional,y driven off highway", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787", "A Jefferson County, Co Police 'advocate' referred target to a group that 'couldn't' to provide services. Referred to The Bench. Unwilling to help", "http://borowski-duncan.com/?user-agent=mozilla/5.0+(windows+nt+10.0;+win64;+x64)+applewebkit/537.36+(khtml,+like+gecko)+chrome/86.0.424", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "A series of strange female detectives enter. All corrupt fails. If victim was in prison fight she'd be treated w/guards outside of hospital room door.", "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Was told by advocate that his description matches the male in vehicle following her for months.", "https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri" ], "malware_families": [ "Trojandownloader:win32/banload", "Alf:heraklezeval:virtool:win32/waledac!rfn", "Sakula rat", "Sakula" ], "industries": [ "Media", "Government", "Technology" ], "unique_indicators": 67435 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/jomax.net", "whois": "http://whois.domaintools.com/jomax.net", "domain": "jomax.net", "hostname": "wsc1.jomax.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 36, "pulses": [ { "id": "6a0720634ea305e1776cb0df", "name": "credit: OctoSeek [\u2022Sakula Rat | Porn Name Change\u2022]", "description": "", "modified": "2026-05-15T13:32:19.730000", "created": "2026-05-15T13:32:19.730000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "6681f3bd6a8701371811709b", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c795bb826e6067f37ea127", "name": "'3' clone by credit: krishivpatel", "description": "", "modified": "2026-03-28T08:47:55.537000", "created": "2026-03-28T08:47:55.537000", "tags": [ "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "dns replication", "date", "type name", "text", "mailpass mixed", "redacted for", "privacy tech", "postal code", "server", "registrar abuse", "code", "domain id", "iana id", "admin country", "script urls", "a domains", "search", "status", "x fw", "record value", "for privacy", "title", "body", "unknown", "encrypt", "log id", "gmtn", "tls web", "ca issuers", "timestamp", "b715", "b59bn timestamp", "cc50689e0a", "scan endpoints", "false", "digicert tls", "rsa sha256", "full name", "digicert inc", "organization", "massachusetts", "cambridge", "as54113", "united", "trojan", "passive dns", "showing", "entries", "win32", "flywheel", "sea x", "accept", "twitter", "ransom", "meta", "urls", "all scoreblue", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "nxdomain", "whitelisted", "cname", "aaaa", "gandi sas", "creation date", "emails", "avast avg", "ipv4", "files", "location united", "ascii text", "pattern match", "png image", "rgba", "suricata stream", "command decode", "size", "sha1", "mitre att", "et tor", "hybrid", "general", "local", "click", "strings", "4624", "glox", "ck id", "suspicious", "learn", "command", "name tactics", "informative", "ck techniques", "development att", "adversaries", "historical ssl", "referrer", "copy", "typosquat infra", "tracker", "jekyll", "hide", "norad tracking", "speakez securus", "nuance china", "phishing", "facebook", "hiddentear", "metro", "malware", "malicious", "skynet", "revil", "pykspa", "next", "as44273 host", "as7018 att", "domain related", "hosting", "name servers", "west domains", "asnone germany", "singapore", "as21499 host", "as20940", "germany", "object", "found", "domain", "files domain", "files related", "pulses otx", "pulses", "tags", "related tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "delphi generic", "icons library", "pe32 linker", "info header", "name md5", "overlay", "dos exe", "moved", "gmt server", "centos", "domains", "dynadot inc", "contacted", "ip detections", "country", "de execution", "parents", "file type", "pulse submit", "url analysis", "win32heur mar", "dynamicloader", "medium", "qaeaav12", "windows", "high", "show", "qbeipbdii", "inetsim http", "powershell", "drweb", "write", "default", "module load", "t1129", "post http", "dock", "june", "delphi", "read c", "renos", "trojan downloader", "social engineering", "dns", "fraud", "cybercrime", "stalking", "tracking", "apple", "apple ios", "samsung", "danger" ], "references": [ "https://the initiative.org | Initiative Co.org | chelsea@theinitiativeco.org", "Antivirus Detections:: Win.Downloader.103202-1 , #LowFiEnableDTContinueAfterUnpacking", "IDS Detections: Long Fake wget 3.0 User-Agent Detected Win32.Renos/Artro Trojan Checkin M1 Win32/Renos Checkin 3", "IDS Detections: W32/TrojanDownloader.Renos CnC Activity Suspicious User-Agent Malware related Windows wget network_http", "Alerts: cape_detected_threat antidebug_devices antivm_generic_disk enumerates_physical_drives deletes_executed_files", "Alerts: deletes_self suricata_alert dynamic_function_loading powershell_download powershell_request stealth_window", "Alerts: injection_rwx network_cnc_http antidebug_setunhandledexceptionfilter stealth_timeout uses_windows_utilities", "https://applemusic-spotlight.myunidays.com/US/en-US?", "applemusic-spotlight.myunidays.com | nr-data.net [Apple Private Data Collection] Sabey Data Center", "http://borowski-duncan.com/?user-agent=mozilla/5.0+(windows+nt+10.0;+win64;+x64)+applewebkit/537.36+(khtml,+like+gecko)+chrome/86.0.424", "http://imap.brooklyngeneration.org/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/brazilian-porn/", "A Jefferson County, Co Police 'advocate' referred target to a group that 'couldn't' to provide services. Referred to The Bench. Unwilling to help", "Victim gets a 'social' engineering' call taking every bit of information about victim and case.", "She was cleared for treatment; then declined citing a brain injury. Most of 'BB' clients have a TBI", "Victim was then given numbers to workers compensation doctors who didn't speak English", "Law Firm drops her and asks her who she really is? Victim was assaulted for her phone and other", "Victim doesn't fault Police who didn't show intent. Detective did close case, assailant ID issues", "Was told by advocate that his description matches the male in vehicle following her for months.", "Be did wear a gator making it improbable for positive identification", "She was assaulted for phone 6 weeks after being intentional,y driven off highway", "Higher SCI sustained. Positive ID. Driver allowed to walk. Positive License Plate and description of driver with criminal intent.", "In the USA she is denied treatment for new injuries to spine causing deep decline. This is crazy.", "A series of strange female detectives enter. All corrupt fails. If victim was in prison fight she'd be treated w/guards outside of hospital room door." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": "66cc6e2c6c5bb617fa7fa892", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 6, "domain": 782, "hostname": 530, "FileHash-SHA1": 382, "FileHash-SHA256": 1572, "URL": 847, "FileHash-MD5": 386, "SSLCertFingerprint": 12 }, "indicator_count": 4517, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "64 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66831f04ad169d3b685c9645", "name": "Win.exe , Bootstrapper.exe , pl.microsoft.com , microsoft.com/pki/certs/MicRooCerAut_2010", "description": "rule UPX { meta: author = \"kevoreilly\" description = \"UPX dump on OEP (original entry point)\" cape_options = \"bp0=$upx32+9,bp0=$upx64+11,action0=step2oep\" strings: $upx32 = {6A 00 39 C4 75 FA 83 EC ?? rule Windows_Generic_Threat_5c18a7f9 { meta: author = \"Elastic Security\" id = \"5c18a7f9-01af-468b-9a63-cfecbeb739d7\" fingerprint = \"68c9114ac342d527cf6f0cea96b63dfeb8e5d80060572fad2bbc7d287c752d4a\" creation_date = \"2024-01-21\" last_modified = \"2024-02-08\" threat_name = \"Windows.\ndca60557a1f47948d7158ba9f56ad8656bd0b343488264e23037fd66174e3cd5\nb4f7ace176d0eeba828e7c03f39befb30355223860d14e6ca4422fdb81778df7\nPr\u00f3bka Cuckoo-843b85c493b8a9048b2ab73a9d1a8.cab - polecenie Microsoft Office.\nResearchers have decoded a new set of data on how to store data in a safe and easy-to-use digital format, as well as the results of a series of tests on the subject.", "modified": "2024-10-14T20:36:07.924000", "created": "2024-07-01T21:26:27.623000", "tags": [ "no expiration", "filehashsha256", "hacktool", "expiration", "win32autokms no", "filehashmd5", "filehashsha1", "virus", "sha1", "win32", "trojan", "ransom", "pejzasz", "vhash", "imphash", "ssdeep", "hash", "skrt", "y pkmsauto", "crlf", "dodaj", "hostsettings", "v wczono", "t regdword", "powershell", "nowy", "pe32", "intel", "ms windows", "nazwa typ", "md5 nazwa", "procesu", "vs2013", "rticon neutral", "compiler", "submission", "file version", "chi2", "contained", "authentihash", "pehash", "uacme akagi", "cobalt strike", "detects", "roth", "sliver stagers", "highvol", "detects imphash", "zero", "virustotal", "detection rule", "license", "arnim rupp", "whasz", "github", "postpuj zgodnie", "przegld", "danie id", "github og", "url https", "error", "toast", "clientrender", "date", "promise", "65536", "client env", "alloy", "rangeerror", "staff", "upx dump", "security", "license v2", "e8 ff", "fc ff", "ff ff", "e8 f7", "c3 e8", "e8 db", "f0 c9", "c8 ff", "c9 c3", "c4 a8", "a7 ff", "f1 e8", "ec c7", "f0 c0", "c1 e9", "ec e8", "ff e8", "a3 a4", "db e2", "b0 e9", "e8 ba", "b9 f3", "e4 f8", "ff e9", "eb ed", "b6 b3", "b6 bb", "c8 f7", "c6 a8", "f6 c1", "b0 d7", "df e0", "c4 f0", "fc e8", "cf e5", "f8 ff", "f7 ff", "cc cc", "c3 b8", "b9 ff", "ff f3", "ab aa", "f7 f9", "b8 c7", "be ad", "ef be", "ad de", "e9 cd", "c4 f4", "fe ff", "d1 fa", "fa fc", "f3 a6", "fb ff", "fc c6", "fc eb", "e8 ed", "fb d1", "b6 f8", "c7 c7", "ec d0", "b6 d2", "ff e1", "c0 ac", "c1 e3", "c3 aa", "c2 c1", "d3 f7", "fc c7", "win32 cabinet", "selfextractor", "pecompact", "yarahub", "yara", "repository", "hub", "repo", "malware_onenote_delivery_jan23", "yara rule", "team", "sifalconteam", "yarahub entry", "rule details", "malpedia family", "rule matching", "content copy", "download rule", "malware", "cc by", "vbscript", "sub autoopen", "getobject", "batch" ], "references": [ "https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js", "https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23" ], "public": 1, "adversary": "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 361, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 14732, "FileHash-MD5": 4316, "FileHash-SHA1": 3405, "YARA": 181, "URL": 4793, "domain": 1717, "hostname": 4354, "IPv4": 107, "IPv6": 845, "email": 26, "CVE": 13, "FilePath": 1 }, "indicator_count": 34490, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66cc6e2c6c5bb617fa7fa892", "name": "3", "description": "", "modified": "2024-08-27T03:05:18.727000", "created": "2024-08-26T11:59:40.174000", "tags": [ "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "dns replication", "date", "type name", "text", "mailpass mixed", "redacted for", "privacy tech", "postal code", "server", "registrar abuse", "code", "domain id", "iana id", "admin country", "script urls", "a domains", "search", "status", "x fw", "record value", "for privacy", "title", "body", "unknown", "encrypt", "log id", "gmtn", "tls web", "ca issuers", "timestamp", "b715", "b59bn timestamp", "cc50689e0a", "scan endpoints", "false", "digicert tls", "rsa sha256", "full name", "digicert inc", "organization", "massachusetts", "cambridge", "as54113", "united", "trojan", "passive dns", "showing", "entries", "win32", "flywheel", "sea x", "accept", "twitter", "ransom", "meta", "urls", "all scoreblue", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "nxdomain", "whitelisted", "cname", "aaaa", "gandi sas", "creation date", "emails", "avast avg", "ipv4", "files", "location united", "ascii text", "pattern match", "png image", "rgba", "suricata stream", "command decode", "size", "sha1", "mitre att", "et tor", "hybrid", "general", "local", "click", "strings", "4624", "glox", "ck id", "suspicious", "learn", "command", "name tactics", "informative", "ck techniques", "development att", "adversaries", "historical ssl", "referrer", "copy", "typosquat infra", "tracker", "jekyll", "hide", "norad tracking", "speakez securus", "nuance china", "phishing", "facebook", "hiddentear", "metro", "malware", "malicious", "skynet", "revil", "pykspa", "next", "as44273 host", "as7018 att", "domain related", "hosting", "name servers", "west domains", "asnone germany", "singapore", "as21499 host", "as20940", "germany", "object", "found", "domain", "files domain", "files related", "pulses otx", "pulses", "tags", "related tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "delphi generic", "icons library", "pe32 linker", "info header", "name md5", "overlay", "dos exe", "moved", "gmt server", "centos", "domains", "dynadot inc", "contacted", "ip detections", "country", "de execution", "parents", "file type", "pulse submit", "url analysis", "win32heur mar", "dynamicloader", "medium", "qaeaav12", "windows", "high", "show", "qbeipbdii", "inetsim http", "powershell", "drweb", "write", "default", "module load", "t1129", "post http", "dock", "june", "delphi", "read c", "renos", "trojan downloader", "social engineering", "dns", "fraud", "cybercrime", "stalking", "tracking", "apple", "apple ios", "samsung", "danger" ], "references": [ "https://the initiative.org | Initiative Co.org | chelsea@theinitiativeco.org", "Antivirus Detections:: Win.Downloader.103202-1 , #LowFiEnableDTContinueAfterUnpacking", "IDS Detections: Long Fake wget 3.0 User-Agent Detected Win32.Renos/Artro Trojan Checkin M1 Win32/Renos Checkin 3", "IDS Detections: W32/TrojanDownloader.Renos CnC Activity Suspicious User-Agent Malware related Windows wget network_http", "Alerts: cape_detected_threat antidebug_devices antivm_generic_disk enumerates_physical_drives deletes_executed_files", "Alerts: deletes_self suricata_alert dynamic_function_loading powershell_download powershell_request stealth_window", "Alerts: injection_rwx network_cnc_http antidebug_setunhandledexceptionfilter stealth_timeout uses_windows_utilities", "https://applemusic-spotlight.myunidays.com/US/en-US?", "applemusic-spotlight.myunidays.com | nr-data.net [Apple Private Data Collection] Sabey Data Center", "http://borowski-duncan.com/?user-agent=mozilla/5.0+(windows+nt+10.0;+win64;+x64)+applewebkit/537.36+(khtml,+like+gecko)+chrome/86.0.424", "http://imap.brooklyngeneration.org/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/brazilian-porn/", "A Jefferson County, Co Police 'advocate' referred target to a group that 'couldn't' to provide services. Referred to The Bench. Unwilling to help", "Victim gets a 'social' engineering' call taking every bit of information about victim and case.", "She was cleared for treatment; then declined citing a brain injury. Most of 'BB' clients have a TBI", "Victim was then given numbers to workers compensation doctors who didn't speak English", "Law Firm drops her and asks her who she really is? Victim was assaulted for her phone and other", "Victim doesn't fault Police who didn't show intent. Detective did close case, assailant ID issues", "Was told by advocate that his description matches the male in vehicle following her for months.", "Be did wear a gator making it improbable for positive identification", "She was assaulted for phone 6 weeks after being intentional,y driven off highway", "Higher SCI sustained. Positive ID. Driver allowed to walk. Positive License Plate and description of driver with criminal intent.", "In the USA she is denied treatment for new injuries to spine causing deep decline. This is crazy.", "A series of strange female detectives enter. All corrupt fails. If victim was in prison fight she'd be treated w/guards outside of hospital room door." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": "66a5c2445cf4bbf984e98861", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Krishivpatel", "id": "292085", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 6, "domain": 782, "hostname": 530, "FileHash-SHA1": 382, "FileHash-SHA256": 1572, "URL": 847, "FileHash-MD5": 386, "SSLCertFingerprint": 12 }, "indicator_count": 4517, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "642 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66a5c2445cf4bbf984e98861", "name": "Social Engineering Crime Victims into Tracking Botnets | Fraud", "description": "Social Engineering 'S' Assault Victims into Tracking Botnets. This goes against basic human rights. An organization named 'The Blue Bench' referred victim to The Initiative for advocacy. She was social engineered, severely compromised and sent diverted from 'The Blue Bench' Colorado. They denied treatment for assault victim in 2022, while The Initiative ' Brian Sabey's stuff, tracked and hijacked phone and location, conversations.\nAuto-populated: \"Last HTTPS certificate\" is the last one to be issued on the internet, according to the website, and it is believed to have been signed by a member of the US government.", "modified": "2024-08-27T03:05:18.727000", "created": "2024-07-28T04:00:04.773000", "tags": [ "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "dns replication", "date", "type name", "text", "mailpass mixed", "redacted for", "privacy tech", "postal code", "server", "registrar abuse", "code", "domain id", "iana id", "admin country", "script urls", "a domains", "search", "status", "x fw", "record value", "for privacy", "title", "body", "unknown", "encrypt", "log id", "gmtn", "tls web", "ca issuers", "timestamp", "b715", "b59bn timestamp", "cc50689e0a", "scan endpoints", "false", "digicert tls", "rsa sha256", "full name", "digicert inc", "organization", "massachusetts", "cambridge", "as54113", "united", "trojan", "passive dns", "showing", "entries", "win32", "flywheel", "sea x", "accept", "twitter", "ransom", "meta", "urls", "all scoreblue", "url http", "pulse pulses", "http", "ip address", "related nids", "files location", "nxdomain", "whitelisted", "cname", "aaaa", "gandi sas", "creation date", "emails", "avast avg", "ipv4", "files", "location united", "ascii text", "pattern match", "png image", "rgba", "suricata stream", "command decode", "size", "sha1", "mitre att", "et tor", "hybrid", "general", "local", "click", "strings", "4624", "glox", "ck id", "suspicious", "learn", "command", "name tactics", "informative", "ck techniques", "development att", "adversaries", "historical ssl", "referrer", "copy", "typosquat infra", "tracker", "jekyll", "hide", "norad tracking", "speakez securus", "nuance china", "phishing", "facebook", "hiddentear", "metro", "malware", "malicious", "skynet", "revil", "pykspa", "next", "as44273 host", "as7018 att", "domain related", "hosting", "name servers", "west domains", "asnone germany", "singapore", "as21499 host", "as20940", "germany", "object", "found", "domain", "files domain", "files related", "pulses otx", "pulses", "tags", "related tags", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "delphi generic", "icons library", "pe32 linker", "info header", "name md5", "overlay", "dos exe", "moved", "gmt server", "centos", "domains", "dynadot inc", "contacted", "ip detections", "country", "de execution", "parents", "file type", "pulse submit", "url analysis", "win32heur mar", "dynamicloader", "medium", "qaeaav12", "windows", "high", "show", "qbeipbdii", "inetsim http", "powershell", "drweb", "write", "default", "module load", "t1129", "post http", "dock", "june", "delphi", "read c", "renos", "trojan downloader", "social engineering", "dns", "fraud", "cybercrime", "stalking", "tracking", "apple", "apple ios", "samsung", "danger" ], "references": [ "https://the initiative.org | Initiative Co.org | chelsea@theinitiativeco.org", "Antivirus Detections:: Win.Downloader.103202-1 , #LowFiEnableDTContinueAfterUnpacking", "IDS Detections: Long Fake wget 3.0 User-Agent Detected Win32.Renos/Artro Trojan Checkin M1 Win32/Renos Checkin 3", "IDS Detections: W32/TrojanDownloader.Renos CnC Activity Suspicious User-Agent Malware related Windows wget network_http", "Alerts: cape_detected_threat antidebug_devices antivm_generic_disk enumerates_physical_drives deletes_executed_files", "Alerts: deletes_self suricata_alert dynamic_function_loading powershell_download powershell_request stealth_window", "Alerts: injection_rwx network_cnc_http antidebug_setunhandledexceptionfilter stealth_timeout uses_windows_utilities", "https://applemusic-spotlight.myunidays.com/US/en-US?", "applemusic-spotlight.myunidays.com | nr-data.net [Apple Private Data Collection] Sabey Data Center", "http://borowski-duncan.com/?user-agent=mozilla/5.0+(windows+nt+10.0;+win64;+x64)+applewebkit/537.36+(khtml,+like+gecko)+chrome/86.0.424", "http://imap.brooklyngeneration.org/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/brazilian-porn/", "A Jefferson County, Co Police 'advocate' referred target to a group that 'couldn't' to provide services. Referred to The Bench. Unwilling to help", "Victim gets a 'social' engineering' call taking every bit of information about victim and case.", "She was cleared for treatment; then declined citing a brain injury. Most of 'BB' clients have a TBI", "Victim was then given numbers to workers compensation doctors who didn't speak English", "Law Firm drops her and asks her who she really is? Victim was assaulted for her phone and other", "Victim doesn't fault Police who didn't show intent. Detective did close case, assailant ID issues", "Was told by advocate that his description matches the male in vehicle following her for months.", "Be did wear a gator making it improbable for positive identification", "She was assaulted for phone 6 weeks after being intentional,y driven off highway", "Higher SCI sustained. Positive ID. Driver allowed to walk. Positive License Plate and description of driver with criminal intent.", "In the USA she is denied treatment for new injuries to spine causing deep decline. This is crazy.", "A series of strange female detectives enter. All corrupt fails. If victim was in prison fight she'd be treated w/guards outside of hospital room door." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 6, "domain": 782, "hostname": 530, "FileHash-SHA1": 382, "FileHash-SHA256": 1572, "URL": 847, "FileHash-MD5": 386, "SSLCertFingerprint": 12 }, "indicator_count": 4517, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "642 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f3bd6a8701371811709b", "name": "Sakula RAT | Porn name change>>brassiere.world | Orbiters ", "description": "", "modified": "2024-07-28T23:00:54.190000", "created": "2024-07-01T00:09:33.078000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "667f591470ecb21b4ad041a5", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "671 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "667f591470ecb21b4ad041a5", "name": "Sakula RAT | Porn name change>>brassiere.world | Orbiters", "description": "brassiere.world a brazzersporn redirect. Malicious Sakula RAT. Orbiters including Brian Sabey, Mile High Media Legal 2257. If this is legal then it's time to make significant change.", "modified": "2024-07-28T23:00:54.190000", "created": "2024-06-29T00:45:08.323000", "tags": [ "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "threat roundup", "october", "december", "september", "round", "referrer", "november", "april", "historical ssl", "keeper", "core", "hacktool", "kiana arellano", "a person", "kiana", "harassment", "strikes", "colorado", "github", "heur", "info title", "record keeping", "media", "adult mobile", "scene", "brandi love", "alexis fawx", "girls", "carter cruise", "brandi loves", "reagan foxx", "kenzie reeves", "ryan keely", "privacy policy", "meow", "love", "summer", "click", "back", "accept", "tsara brashears", "youngcoders", "hallrender", "briansabey", "sweetheartvideos", "2257legalporn", "union blvd", "samiamnot", "utc submissions", "submitters", "enom", "moniker online", "wild west", "domains", "domainsite", "annulet", "google llc", "facebook", "twitter", "service", "nitro", "creation date", "status", "search", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "unknown", "default", "cnc beacon", "show", "delete", "ids detections", "yara detections", "suspicious ua", "intel", "ms windows", "copy", "sakula", "write", "february", "bublik", "malware", "suspicious", "pornhub", "#pornvibes", "ng", "united", "as44273 host", "expiration date", "showing", "as394695 pdr", "virgin islands", "cname", "as19905", "pulses", "nxdomain", "as8075", "servers", "domain", "name servers", "entries", "date hash", "avast avg", "as30148 sucuri", "aaaa", "gvt mitm", "van", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "jfif", "et tor", "starfield", "june", "hybrid", "general", "local", "encrypt", "strings", "adobea", "daga", "orbiting tsara brashears", "arvada", "projecthilo" ], "references": [ "brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "IDS Detections: Sakula/Mivast RAT CnC Beacon 1 SUSPICIOUS UA (iexplore) | Alert: cape_detected_threat", "hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com", "milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.sweetheartvideo.com/tsara-brashears/ | 66.254.114.234", "www.youtube.com/watch?v=GyuMozsVyYs [TB's YouTube]", "youngcoders.ng", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Sakula RAT: www.polarroute.com", "CVE-1999-0016 CVE-2019-12259 CVE-2019-12265 CVE-2001-0260 CVE-2005-0446 CVE-2005-0560 CVE-2005-1476", "CVE-2008-2257\tCVE-2008-2938\tCVE-2008-2939\tCVE-2008-3018\tCVE-2008-3021\tCVE-2009-1122", "CVE-2015-2808 CVE-2016-0101 CVE-2016-2569 CVE-2006-3869 CVE-2014-6345 CVE-2009-1535", "Sakula RAT: FileHash-SHA256 0932c2b991cc37bd0de1a90f9ffd43f1324944b59fdbaa0e03f3e94adb59c61f rat", "Sakula RAT: FileHash-SHA25627ddd99c31b3141f0e635ca8c3ded921bee4fddd93364f4280ee5 rat", "Sakula RAT: FileHash-SHA256 48fd389005934aa4ee77f2029f1addc2d918fa0916b64a43049c65ce83ebde765866dbc5f8d", "Sakula RAT: FileHash-SHA256 0f3775b95144206425cc95283f7ae481eab4cc5cbdd687c7bde3e5c7c9b5482a", "Banload: 556d622fae283aca465e24143c392e2ccf2b0d6a95cf28363ef5b84175729638", "Waledac: FileHash-SHA256 7a513daf66139269a18f5aeebc6790ac3179ff533d24f0fe18b2c4d6a1761787" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "display_name": "ALF:HeraklezEval:VirTool:Win32/Waledac!rfn", "target": null }, { "id": "TrojanDownloader:Win32/Banload", "display_name": "TrojanDownloader:Win32/Banload", "target": "/malware/TrojanDownloader:Win32/Banload" }, { "id": "Sakula", "display_name": "Sakula", "target": null }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 278, "FileHash-SHA1": 141, "FileHash-SHA256": 991, "domain": 1074, "hostname": 706, "URL": 859, "CVE": 19, "email": 5, "SSLCertFingerprint": 20 }, "indicator_count": 4093, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "671 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a1bf9ae4cfe4669a779c", "name": "Agent Tesla", "description": "", "modified": "2023-12-06T16:30:55.036000", "created": "2023-12-06T16:30:55.036000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2906, "hostname": 1675, "FileHash-MD5": 65, "FileHash-SHA1": 66, "URL": 6938, "domain": 1727, "email": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a1b6abdfb076f2821940", "name": "FORMBOOK", "description": "", "modified": "2023-12-06T16:30:46.983000", "created": "2023-12-06T16:30:46.983000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2906, "hostname": 1675, "FileHash-MD5": 65, "FileHash-SHA1": 66, "URL": 6938, "domain": 1727, "email": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a1af4208c92832a9ae98", "name": "SKYNET", "description": "", "modified": "2023-12-06T16:30:39.892000", "created": "2023-12-06T16:30:39.892000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2906, "hostname": 1675, "FileHash-MD5": 65, "FileHash-SHA1": 66, "URL": 6938, "domain": 1727, "email": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://wsc1.jomax.net", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://wsc1.jomax.net", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780222992.0204165 }