{ "type": "URL", "indicator": "https://ww1.utilbada.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ww1.utilbada.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3785687184, "indicator": "https://ww1.utilbada.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "69c06ca9341d6c063f652e33", "name": "ETERNALBLUE Probe MS17-010 | Wannacry Ransomware Domain - related to NSO Group Pegasus", "description": "Quasi governmental, Healthcare Law Firms , legal entities , as well as direct safety threats such as NSO Group Pegasus, Enterprise Cellebrite (in references) and other dangerous intimidation and life endangering tactics directed against a crime victim. Continuous harassment and threats of violence against victims family including 83 yo father. Veteran & hand picked Sr Systems Analyst and Engineer for Aegis Weapon System Team of 24. You\u2019re welcome America.. Victim left zero evidence with family. Documents shredded. Data stolen by parties named. She isn\u2019t the only one. These people do this for a living. Abuse of Palantir & Foundry tools.", "modified": "2026-03-22T22:26:49.205000", "created": "2026-03-22T22:26:49.205000", "tags": [ "ransomware", "united", "search", "asnone", "regsetvalueexa", "service", "regdword", "medium", "get na", "malware", "dock", "push", "write", "win32", "playgame", "unknown", "exploit", "cve", "wncry", "wannacry", "passive dns", "urls", "british virgin", "all url", "http", "ip address", "related nids", "files location", "virgin islands", "islands", "bgp", "virgin islands", "hijacked", "data upload", "extraction", "failed", "review iocs", "include ovo", "tovary review", "ids detec", "yara dete", "trior texarag", "drop or", "rrowse", "type", "extra data", "hurricane electric", "p2404", "p11629470400", "p11629107633", "artifacts v", "full reports", "v help", "info", "low l", "high ta0002", "techniques", "t1053", "command", "scripting inte", "low ta0003", "techniques high", "t1053 ite", "modify system", "pl t1543", "boot", "logon autostart", "ex t1547", "checks-disk-space", "checks-network-adapters", "detect-debug-environment", "direct-cpu-clock-access", "long-sleeps", "runtime-modules", "get http", "head http", "dns resolutions", "ip traffic", "53 tcp", "tls sni", "apple id", "webdisk", "expiration", "url http", "hostname", "no expiration", "iocs", "url https", "es included", "win32 exe", "pe32 executable", "ms windows", "intel", "ms visual", "win32 dynamic", "link library", "win16 ne", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "t1204 user", "defense evasion", "over", "mitre att", "ck matrix", "ascii text", "hybrid", "general", "local", "path", "click", "strings", "javascript", "ssl certificate", "encrypt", "accept", "russia unknown", "meta", "record value", "aaaa", "link", "present jun", "apple", "remote access", "otx logo", "all ipv4", "url analysis", "files", "accept ch", "present dec", "content type", "x pcrew", "name servers", "present may", "body doctype", "title", "all domain", "servers", "china unknown", "found content", "gmt p3p", "cp oti", "dsp cor", "iva our", "ind com", "domain", "cname", "entries", "brian sabey", "hallrender", "christopher ahmann", "t1480 execution", "discovery att", "heur", "virtool", "win64", "mtb win32", "backdoor", "location china", "hangzhou", "china asn", "ransom", "wannadecryptor", "filehash", "yara detections", "msvisualcpp60", "related tags", "none file", "type pexe", "copy", "beginstring", "null", "refresh", "body", "span", "error", "tools", "look", "verify", "restart", "expl", "unknown cname", "hacktool", "domain address", "contacted hosts", "process details", "flag", "ipv4 add", "location united", "america flag", "exploit", "show", "all filehash", "expiration date", "gmt location", "gmt max", "domain add", "elite", "date", "cowboy", "United States", "present feb", "present oct", "creation date", "present nov", "moved", "emails" ], "references": [ "http://ww17.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/", "Win32:CVE-2017-0147-B\\ [Expl] , Win.Ransomware.WannaCry-6313787-0 , Exploit:Win32/CVE-2017-0147.A", "IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection SMB-DS", "IDS Detections: IPC$ share access \u2022 SMB-DS IPC$ unicode share access \u2022 403 Forbidden", "Yara Detections: WannaCry_Ransomware , Wanna_Cry_Ransomware_Generic , WannaDecryptor", "Yara Detections: MS17_010_WanaCry_worm , stack_string , MS_Visual_Cpp_6_0 , Armadillov1xxv2xx", "Alerts: network_icmp nolookup_communication persistence_autorun modifies_proxy_wpad", "Alerts: network_cnc_http network_http allocates_rwx creates_exe creates_hidden_file", "Alerts: creates_service stealth_window antivm_network_adapters checks_debugger", "Alerts: peid_packer pe_unknown_resource_name", "IP\u2019s Contacted: 103.224.212.220 105.242.60.208 117.13.61.219 117.180.208.83 12.105.46.122", "IP\u2019s Contacted: 121.105.233.189 128.251.173.246 13.248.148.254 132.124.155.52 139.246.30.108", "Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com", "Domains Contacted: ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com", "FileHash-SHA256 002dee2db8b07b98b543ad99d0dd4e3e0ba7624f956d719ba803f57b426e30e7", "Names: Photo.scr \u2022 85115B0142902832C864B3009CAB1A00.RS (names of FileHash above)", "Crowdsourced IDS: Matches rule MALWARE-CNC DNS", "Crowdsourced IDS: Fast Flux attempt Matches rule ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)", "Crowdsourced IDS: Matches rule ET POLICY PE EXE or DLL Windows file download HTTP", "apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn", "apple.com-verify.account.manage.test2.aptaforum.com.cn", "appleid.apple.com-signin-8491e.test2.aptaforum.com.cn", "appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn", "web-secure-appleid-login.com.test2.aptaforum.com.cn", "http://apple.com-verify.account.manage.test2.aptaforum.com.cn/", "http://appleid.apple.com-signin-8491e.test2.aptaforum.com.cn/", "http://apple.sweetycat.com/ \u2022 https://apple.sweetycat.com/", "findmy.apple-uk.live", "apple.haipaoapp.com \u2022 http://apple.haipaoapp.com \u2022 http://apple.haipaoapp.com/ \u2022 https://apple.haipaoapp.com/", "http://apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn/", "http://appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn/", "http://web-secure-appleid-login.com.test2.aptaforum.com.cn/", "Trojan/JS.Redirector.QNO SHA256:9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc", "VO7MU1HA.htm : https://hybrid-analysis.com/sample/9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc", "https://hybrid-analysis.com/sample/a638ece11c81bcac0002363eb3f75de35a46ce0e080b5de41162093181079a6b/69c018efcb875e4fb30cdfcc", "https://hybrid-analysis.com/sample/09610b7c855ef132a31f2e0136b4d62b9dbb04c6fcb42160d6d8409ef6394e40/69c0189c5e0483a78907cc39", "KeenDNS | keendnsaclremote805717135272048.qeenetic.link", "https://fonts.googleapis.com/css", "http://e7.c.lencr.org/74.crl \u2022 http://e7.i.lencr.org/", "Quasi Gov - Law firms stole victims clouds. Evidence, $Intellectual property, Memories of & victims family. Merciless", "www.remoteaccess.allied-media.com", "apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn", "aptaforum.com.cn 182.61.201.90 , 182.61.201.91 China ASN AS38365 beijing baidu netcom science and technology co. ltd", "Emails:yejun.shou@yxips.com Name:\u7ebd\u8fea\u5e0c\u4e9a\u751f\u547d\u65e9\u671f\u8425\u517b\u54c1\u7ba1\u7406(\u4e0a\u6d77)\u6709\u9650\u516c\u53f8 Name Servers: dns17.hichina.com", "*unsigned Domain: aptaforum.com.cn Name Servers: dns18.hichina.com Registrar: \u963f\u91cc\u4e91\u8ba1\u7b97\u6709\u9650\u516c\u53f8\uff08\u4e07\u7f51\uff09Status: ok", "dns17.hichina.com", "dropbox.com - deleted victims DB post assault. Sabey + Ahmann repeatedly erased DB (ILLEGAL)", "Protected:SA\u2019r Jeffrey Scott Reimer, Mark Montano MD, John T. Sasha MD, Frederick P. Scherr , others.", "https://otx.alienvault.com/indicator/domain/qeenetic.link", "okg.and.googletagmanagers.com", "pcy.and.googletagmanagers.com", "pgj.and.googletagmanagers.com", "prb.and.googletagmanagers.com", "lkp.and.googletagmanagers.com", "jgw.and.googletagmanagers.com", "bzx.and.googletagmanagers.com", "msedge.b.tlu.dl.delivery.mp.microsoft.com", "http://prtests.ru/test.html?15%0Ahttp://profetest.ru/test.html?2%0Ahttp://qptest.ru/test.html?5%0Ahttp://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3cf71a18-f999-4372-beac-67715d51bb62?P1=1629470400&P2=404&P3=2&P4=d%2520arRdiatcalmlQRKq2gm1LlFitNgIcLpnyzCIHYtf%2520ByXQF0JNptZ0rBDMKlLL%2520qsOzZdPICJjC7MWkkdm1Hg==%0Ahttp://stafftest.ru/test.html?0%0Ahttp://iqtesti.ru/test.html?17%0Ahttp://hrtests.ru/test.html?1%0Ahttp://pstests.ru/test.html?4%0Ahttp://prtests.ru/test.html?6%0Ahttp:/", "HallRender.com | Law Firm M. Brian Sabey Esq. | Pegasus related", "TAM Legal\u2019s Christopher P. \u2018Buzz\u2019 Ahmann Esq works for State Quasi Government in tandem w/ Hall Render", "https://otx.alienvault.com/pulse/69bf8e2663d5480917ddb699", "https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c", "https://otx.alienvault.com/pulse/69bea426487bffa5384c6f38", "(?) https://living-sun.com/applescript/68281-is-there-a-way-to-disable-force-quit-while-applescript-application-is-still-running-applescript-quit.html", "https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c", "https://otx.alienvault.com/pulse/69b49ad5dd40a24d83cd6a72" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Win.Ransomware.WannaCry-6313787-0", "display_name": "Win.Ransomware.WannaCry-6313787-0", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147.A", "display_name": "Exploit:Win32/CVE-2017-0147.A", "target": "/malware/Exploit:Win32/CVE-2017-0147.A" }, { "id": "Trojan/JS.Redirector.QNO", "display_name": "Trojan/JS.Redirector.QNO", "target": null }, { "id": "Win.Trojan.Application-1955.", "display_name": "Win.Trojan.Application-1955.", "target": null }, { "id": "Win32:Banker-LAA\\ [Trj]", "display_name": "Win32:Banker-LAA\\ [Trj]", "target": null }, { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null }, { "id": "Win32:Evo-gen\\ [Trj]", "display_name": "Win32:Evo-gen\\ [Trj]", "target": null }, { "id": "Win64:Expiro-AJ\\ [Inf]", "display_name": "Win64:Expiro-AJ\\ [Inf]", "target": null }, { "id": "Win.Trojan.Fugrafa-9733007-0", "display_name": "Win.Trojan.Fugrafa-9733007-0", "target": null }, { "id": "Win32:TrojanX-gen\\ [Trj]", "display_name": "Win32:TrojanX-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.VBGeneric-6989114-0", "display_name": "Win.Trojan.VBGeneric-6989114-0", "target": null }, { "id": "VirTool:Win32/VBInject.YA!MTB", "display_name": "VirTool:Win32/VBInject.YA!MTB", "target": "/malware/VirTool:Win32/VBInject.YA!MTB" }, { "id": "Win32:Dh-A\\ [Win32:FileInfector-C\\ [Heur]", "display_name": "Win32:Dh-A\\ [Win32:FileInfector-C\\ [Heur]", "target": null }, { "id": "#VirTool:Win32/Obfuscator", "display_name": "#VirTool:Win32/Obfuscator", "target": "/malware/#VirTool:Win32/Obfuscator" }, { "id": "Backdoor:Win32/Small.IR", "display_name": "Backdoor:Win32/Small.IR", "target": "/malware/Backdoor:Win32/Small.IR" }, { "id": "Win64:Expiro-AJ\\ [Inf]", "display_name": "Win64:Expiro-AJ\\ [Inf]", "target": null }, { "id": "Win32:Dh-A\\", "display_name": "Win32:Dh-A\\", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "Ransom:Win32/CVE-2017-0147.A", "display_name": "Ransom:Win32/CVE-2017-0147.A", "target": "/malware/Ransom:Win32/CVE-2017-0147.A" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Malware.Flystudio-6738927-0", "display_name": "Win.Malware.Flystudio-6738927-0", "target": null }, { "id": "ALF:SpikeAexR.PEVPOPC", "display_name": "ALF:SpikeAexR.PEVPOPC", "target": null }, { "id": "Sf:WNCryLdr-A\\ [Trj]", "display_name": "Sf:WNCryLdr-A\\ [Trj]", "target": null }, { "id": "Win.Ransomware.WannaCry-6313787-0", "display_name": "Win.Ransomware.WannaCry-6313787-0", "target": null }, { "id": "ransom:Win32/WannaCrypt.H", "display_name": "ransom:Win32/WannaCrypt.H", "target": "/malware/ransom:Win32/WannaCrypt.H" } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" } ], "industries": [ "Government", "Legal", "Technology", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3779, "FileHash-MD5": 422, "FileHash-SHA1": 411, "FileHash-SHA256": 1824, "IPv4": 666, "domain": 979, "hostname": 2082, "CVE": 1, "BitcoinAddress": 3, "SSLCertFingerprint": 6, "email": 8 }, "indicator_count": 10181, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c607c354336e9c19aa3e1f", "name": "RansomEXX + Cyber attack \u2022 Premier Denver Recording Studio", "description": "Studio description: Adelio developed and managed A-list producer DJ Frank E, who has worked with the likes of Kanye West, B.O.B., Madonna, and Justin Bieber...\nResearch confirms target releases songs recorded @ Side3 studios.\nCreative differences aren't uncommon, research shows a common kink with m. Brian sabey if hallrender hacking everything from hospital is to insurance portals. He's nuts. Unclear if true nameof attacker is Brian Sabey /Tulach / using NSO grouo and various cyver attacks. A man representing an attorney named M. Brian Sabey socially engineered himself and others into targets world. If studio interns or management had malice towards target, social engineering access would be easy.", "modified": "2024-03-10T11:05:48.248000", "created": "2024-02-09T11:08:51.939000", "tags": [ "url http", "united", "unknown", "search", "status", "creation date", "date", "expiration date", "showing", "as201682 liquid", "as32244 liquid", "trojan", "passive dns", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "open", "win32", "body", "date hash", "avast avg", "lowfi", "ssl certificate", "contacted", "whois whois", "sdhyzbh7v http", "whois record", "execution", "apple ios", "historical ssl", "resolutions", "sdhyzbh7v", "attack", "ransomexx", "quasar", "asyncrat", "hacktool", "maze", "find", "hell", "crypto", "remcosrat", "worm", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "porkbun llc", "ovh sas", "summary iocs", "graph community", "as63949 linode", "for privacy", "asnone united", "as174 cogent", "as197695 domain", "russia unknown", "as16276", "france unknown", "encrypt", "next", "tsara brashears", "targeting", "cyber threat", "abuse", "malware spreading", "hallgrand", "tulach", "sabey data centers", "sav.com", "outbreak", "location united", "asn as63949", "whois registrar", "related tags", "interfacing", "malicious", "retaliation", "botnet", "porn", "teen porn", "illegal activities", "theft", "side3studios" ], "references": [ "http://mobilesmafia.com/applications/botnet.ex", "Found in: https://Side3.com/", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "nr-data.net [Apple Private Data Collection]", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "pornhub.org", "ww12.indianpornxxxtube.com", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Inject-BCL\\ [Trj]", "display_name": "Win32:Inject-BCL\\ [Trj]", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Win32:Evo-gen\\ [Trj]", "display_name": "Win32:Evo-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Mbrlock-9779766-0", "display_name": "Win.Trojan.Mbrlock-9779766-0", "target": null }, { "id": "Win.Trojan.Agent-828507", "display_name": "Win.Trojan.Agent-828507", "target": null }, { "id": "SHeur4.CEOO", "display_name": "SHeur4.CEOO", "target": null }, { "id": "Win32/Cryptor", "display_name": "Win32/Cryptor", "target": null }, { "id": "Win32/Tanatos.A", "display_name": "Win32/Tanatos.A", "target": null }, { "id": "W32.Sality-73", "display_name": "W32.Sality-73", "target": null }, { "id": "Generic_r.BYW", "display_name": "Generic_r.BYW", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan:Win32/RemcosRAT", "display_name": "Trojan:Win32/RemcosRAT", "target": "/malware/Trojan:Win32/RemcosRAT" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 71387, "domain": 8768, "hostname": 17727, "email": 16, "FileHash-MD5": 195, "FileHash-SHA1": 168, "FileHash-SHA256": 15313, "CVE": 9, "CIDR": 7 }, "indicator_count": 113590, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "770 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6561581c55aacc7f571968af", "name": "Mirai | Inmortal | Loki | SpyEye", "description": "attack, cyber threat, network, vehicle tracking, cnc, athena cyber stalking, betabot, social engineering, Cisco umbrella, bambernek simda, active threat, ongoing spreader, spyware, redline stealer, qakbot, anilise, milemighmedia, sweetheart videos botnetwork, targeting , redirects, network, targeted toyota tracking", "modified": "2023-12-25T01:00:05.300000", "created": "2023-11-25T02:12:44.278000", "tags": [ "replication", "date", "graph summary", "ssl certificate", "contacted", "whois record", "historical ssl", "threat roundup", "august", "tsara brashears", "whois whois", "execution", "dropped", "february", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "million", "alexa top", "team", "malicious site", "malware", "phishing", "union", "bank", "unsafe", "united", "bambernek simda", "commerce", "pykspa", "bambernek", "ip reputation", "database", "vawtrak", "blacklist http", "search live", "api blog", "docs pricing", "login", "november", "de indicators", "domains", "hashes", "copyright", "gmbh version", "reverse dns", "software", "general full", "resource", "hash", "get h2", "protocol h2", "security tls", "url http", "main", "attention", "please", "adblock pro", "loki", "mon jul", "first", "linkid252669", "pjp3sltkz", "heur", "malware site", "phishing site", "artemis", "iframe", "riskware", "exploit", "fakealert", "nircmd", "swrort", "downldr", "crack", "filetour", "cleaner", "wacatac", "xtrat", "genkryptik", "opencandy", "tiggre", "presenoker", "agent", "conduit", "xrat", "coinminer", "dropper", "alexa", "acint", "systweak", "behav", "download", "zbot", "xtreme", "installcore", "unruy", "patcher", "adload", "win64", "applicunwnt", "trojanspy", "webtoolbar", "cyber threat", "engineering", "firehol", "phishtank", "emotet", "ransomware", "malicious", "cobalt strike", "suppobox", "bradesco", "facebook", "banco", "nymaim", "smsspy", "stealer", "service", "mirai", "pony", "nanocore", "asyncrat", "downloader", "deepscan", "virut", "qakbot", "name verdict", "falcon sandbox", "blacklist https", "malicious url", "filerepmetagen", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "C2", "command_and_control", "spyware", "tracking", "targeting", "cyber stalking", "hostname", "simda", "kraken", "betabot", "zeus", "ramnit", "plasma", "citadel", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "spyeye", "vskimmer", "spitmo", "slingshot", "warbot", "redline stealer", "steam", "bandoo", "matsnu", "maltiverse", "bambernek gen", "internet storm", "infy", "inmortal", "addtopayload", "attack", "malvertizing" ], "references": [ "https://networkpccontrol.com/video-player-1/?clickid=4030fe2twwhgxaa9&domain=standardtrackerchain.com&uclick=e2twwhgx&uclickhash=e2twwhgx-e2twwhgx-xoq53y-0-3zvc3y-oj1m9r-oj1m1n-5da44a", "https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45/65609b66e63f64cae305c749", "https://www.hybrid-analysis.com/sample/347314196559e7fbc75fc532daa774727b897d3a2156ea1328861f3b66f677a5/656146284d68f73e2306b6ad", "http://dev.findatoyota.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "MilesMX", "display_name": "MilesMX", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 81, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2450, "FileHash-SHA256": 2684, "domain": 1254, "URL": 9244, "CVE": 13, "FileHash-MD5": 931, "FileHash-SHA1": 487 }, "indicator_count": 17063, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "846 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65612df1531ea0c35d79b1f4", "name": "BlackNET RAT | CIArmyTracking: http://dev.findatoyota.com/", "description": "Source: http://dev.findatoyota.com/\ntracking, vehicle tracking, mobile phone tracking, active threat , warbot, target tracking, tracking targeted associates, network, cyber stalking, boomrmq string, malvertizing\n\n\nResource: https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45", "modified": "2023-12-24T22:02:36.942000", "created": "2023-11-24T23:12:49.909000", "tags": [ "adgroupid", "x350", "lwii", "ejan", "kfrontier", "qkvt0tvj ejan", "eja ota", "njii", "mqkvt0tvj ejan", "eqkoatlvqia", "unknown", "expiration", "no expiration", "url https", "url http", "iocs", "vj101", "slc1", "scan endpoints", "all octoseek", "create new", "uw1600", "uh1200", "next", "pulse use", "searchbox0", "kwwikipedia", "bit64", "oswindows", "cardstandard", "pack", "kw1download", "qchlemail no", "bit32bit", "ver9", "from", "mpass", "num0", "dig0", "kbetu1", "maxads0", "kld1040", "opnslfp1", "downloader", "pdf report", "clickid", "price", "campaignid", "domain", "text", "hostname", "aufffdufffd", "hostname xn", "pcap", "filehashsha256", "stix", "filehashmd5", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 805, "URL": 9065, "hostname": 3080, "FileHash-MD5": 1373, "domain": 1190, "FileHash-SHA256": 3468, "email": 6, "CIDR": 4, "CVE": 12 }, "indicator_count": 19003, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65612df2a7b287c614a94f94", "name": "BlackNET RAT | CIArmyTracking: http://dev.findatoyota.com/", "description": "Source: http://dev.findatoyota.com/\ntracking, vehicle tracking, mobile phone tracking, active threat , warbot, target tracking, tracking targeted associates, network, cyber stalking, boomrmq string, malvertizing\n\n\nResource: https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45", "modified": "2023-12-24T22:02:36.942000", "created": "2023-11-24T23:12:50.158000", "tags": [ "adgroupid", "x350", "lwii", "ejan", "kfrontier", "qkvt0tvj ejan", "eja ota", "njii", "mqkvt0tvj ejan", "eqkoatlvqia", "unknown", "expiration", "no expiration", "url https", "url http", "iocs", "vj101", "slc1", "scan endpoints", "all octoseek", "create new", "uw1600", "uh1200", "next", "pulse use", "searchbox0", "kwwikipedia", "bit64", "oswindows", "cardstandard", "pack", "kw1download", "qchlemail no", "bit32bit", "ver9", "from", "mpass", "num0", "dig0", "kbetu1", "maxads0", "kld1040", "opnslfp1", "downloader", "pdf report", "clickid", "price", "campaignid", "domain", "text", "hostname", "aufffdufffd", "hostname xn", "pcap", "filehashsha256", "stix", "filehashmd5", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 805, "URL": 9065, "hostname": 3080, "FileHash-MD5": 1373, "domain": 1190, "FileHash-SHA256": 3468, "email": 6, "CIDR": 4, "CVE": 12 }, "indicator_count": 19003, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656e19dfeee6ead11dc6354e", "name": "BlackNET RAT | CIArmyTracking: http://dev.findatoyota.com/", "description": "", "modified": "2023-12-24T22:02:36.942000", "created": "2023-12-04T18:26:39.448000", "tags": [ "adgroupid", "x350", "lwii", "ejan", "kfrontier", "qkvt0tvj ejan", "eja ota", "njii", "mqkvt0tvj ejan", "eqkoatlvqia", "unknown", "expiration", "no expiration", "url https", "url http", "iocs", "vj101", "slc1", "scan endpoints", "all octoseek", "create new", "uw1600", "uh1200", "next", "pulse use", "searchbox0", "kwwikipedia", "bit64", "oswindows", "cardstandard", "pack", "kw1download", "qchlemail no", "bit32bit", "ver9", "from", "mpass", "num0", "dig0", "kbetu1", "maxads0", "kld1040", "opnslfp1", "downloader", "pdf report", "clickid", "price", "campaignid", "domain", "text", "hostname", "aufffdufffd", "hostname xn", "pcap", "filehashsha256", "stix", "filehashmd5", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65612df2a7b287c614a94f94", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 805, "URL": 9065, "hostname": 3080, "FileHash-MD5": 1373, "domain": 1190, "FileHash-SHA256": 3468, "email": 6, "CIDR": 4, "CVE": 12 }, "indicator_count": 19003, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656096cac68edb7036a8b82e", "name": "router.debugger.ru", "description": "", "modified": "2023-12-24T12:00:28.598000", "created": "2023-11-24T12:27:54.959000", "tags": [ "passive dns", "urls", "date", "unknown", "united", "browse scan", "endpoints all", "search otx", "login", "sign up", "execution", "contacted", "whois record", "ssl certificate", "threat roundup", "historical ssl", "june", "april", "red team", "whois whois", "metro", "attack", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "null", "error", "refresh", "span", "class", "generator", "critical", "tools", "body", "look", "verify", "restart", "meta", "hybrid", "general", "local", "click", "strings" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 446, "hostname": 953, "FileHash-MD5": 82, "FileHash-SHA1": 81, "FileHash-SHA256": 2120, "URL": 3040, "CVE": 1 }, "indicator_count": 6723, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656aa32666b504ffdb74a02a", "name": "router.debugger.ru", "description": "", "modified": "2023-12-24T12:00:28.598000", "created": "2023-12-02T03:23:18.658000", "tags": [ "passive dns", "urls", "date", "unknown", "united", "browse scan", "endpoints all", "search otx", "login", "sign up", "execution", "contacted", "whois record", "ssl certificate", "threat roundup", "historical ssl", "june", "april", "red team", "whois whois", "metro", "attack", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "null", "error", "refresh", "span", "class", "generator", "critical", "tools", "body", "look", "verify", "restart", "meta", "hybrid", "general", "local", "click", "strings" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": "656096cac68edb7036a8b82e", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 446, "hostname": 953, "FileHash-MD5": 82, "FileHash-SHA1": 81, "FileHash-SHA256": 2120, "URL": 3040, "CVE": 1 }, "indicator_count": 6723, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://otx.alienvault.com/pulse/69bf8e2663d5480917ddb699", "ww12.indianpornxxxtube.com", "HallRender.com | Law Firm M. Brian Sabey Esq. | Pegasus related", "Yara Detections: MS17_010_WanaCry_worm , stack_string , MS_Visual_Cpp_6_0 , Armadillov1xxv2xx", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "apple.com-verify.account.manage.test2.aptaforum.com.cn", "Names: Photo.scr \u2022 85115B0142902832C864B3009CAB1A00.RS (names of FileHash above)", "Trojan/JS.Redirector.QNO SHA256:9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "Domains Contacted: ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com", "Protected:SA\u2019r Jeffrey Scott Reimer, Mark Montano MD, John T. Sasha MD, Frederick P. Scherr , others.", "okg.and.googletagmanagers.com", "prb.and.googletagmanagers.com", "Win32:CVE-2017-0147-B\\ [Expl] , Win.Ransomware.WannaCry-6313787-0 , Exploit:Win32/CVE-2017-0147.A", "Alerts: creates_service stealth_window antivm_network_adapters checks_debugger", "dns17.hichina.com", "Alerts: network_icmp nolookup_communication persistence_autorun modifies_proxy_wpad", "pcy.and.googletagmanagers.com", "FileHash-SHA256 002dee2db8b07b98b543ad99d0dd4e3e0ba7624f956d719ba803f57b426e30e7", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "aptaforum.com.cn 182.61.201.90 , 182.61.201.91 China ASN AS38365 beijing baidu netcom science and technology co. ltd", "http://appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn/", "http://apple.sweetycat.com/ \u2022 https://apple.sweetycat.com/", "KeenDNS | keendnsaclremote805717135272048.qeenetic.link", "IP\u2019s Contacted: 121.105.233.189 128.251.173.246 13.248.148.254 132.124.155.52 139.246.30.108", "apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn", "*unsigned Domain: aptaforum.com.cn Name Servers: dns18.hichina.com Registrar: \u963f\u91cc\u4e91\u8ba1\u7b97\u6709\u9650\u516c\u53f8\uff08\u4e07\u7f51\uff09Status: ok", "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection SMB-DS", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "appleid.apple.com-signin-8491e.test2.aptaforum.com.cn", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "(?) https://living-sun.com/applescript/68281-is-there-a-way-to-disable-force-quit-while-applescript-application-is-still-running-applescript-quit.html", "http://ww17.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/", "findmy.apple-uk.live", "IDS Detections: IPC$ share access \u2022 SMB-DS IPC$ unicode share access \u2022 403 Forbidden", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010", "http://web-secure-appleid-login.com.test2.aptaforum.com.cn/", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "http://mobilesmafia.com/applications/botnet.ex", "nr-data.net [Apple Private Data Collection]", "IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn", "bzx.and.googletagmanagers.com", "dropbox.com - deleted victims DB post assault. Sabey + Ahmann repeatedly erased DB (ILLEGAL)", "https://networkpccontrol.com/video-player-1/?clickid=4030fe2twwhgxaa9&domain=standardtrackerchain.com&uclick=e2twwhgx&uclickhash=e2twwhgx-e2twwhgx-xoq53y-0-3zvc3y-oj1m9r-oj1m1n-5da44a", "web-secure-appleid-login.com.test2.aptaforum.com.cn", "lkp.and.googletagmanagers.com", "msedge.b.tlu.dl.delivery.mp.microsoft.com", "Yara Detections: WannaCry_Ransomware , Wanna_Cry_Ransomware_Generic , WannaDecryptor", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "Alerts: network_cnc_http network_http allocates_rwx creates_exe creates_hidden_file", "Alerts: peid_packer pe_unknown_resource_name", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn", "https://otx.alienvault.com/pulse/69b49ad5dd40a24d83cd6a72", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "VO7MU1HA.htm : https://hybrid-analysis.com/sample/9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc", "IP\u2019s Contacted: 103.224.212.220 105.242.60.208 117.13.61.219 117.180.208.83 12.105.46.122", "Quasi Gov - Law firms stole victims clouds. Evidence, $Intellectual property, Memories of & victims family. Merciless", "Found in: https://Side3.com/", "https://otx.alienvault.com/pulse/69bea426487bffa5384c6f38", "http://appleid.apple.com-signin-8491e.test2.aptaforum.com.cn/", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "Crowdsourced IDS: Fast Flux attempt Matches rule ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)", "http://apple.com-verify.account.manage.test2.aptaforum.com.cn/", "http://dev.findatoyota.com/", "www.remoteaccess.allied-media.com", "Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45/65609b66e63f64cae305c749", "https://fonts.googleapis.com/css", "Crowdsourced IDS: Matches rule MALWARE-CNC DNS", "https://otx.alienvault.com/indicator/domain/qeenetic.link", "https://www.hybrid-analysis.com/sample/347314196559e7fbc75fc532daa774727b897d3a2156ea1328861f3b66f677a5/656146284d68f73e2306b6ad", "apple.haipaoapp.com \u2022 http://apple.haipaoapp.com \u2022 http://apple.haipaoapp.com/ \u2022 https://apple.haipaoapp.com/", "Emails:yejun.shou@yxips.com Name:\u7ebd\u8fea\u5e0c\u4e9a\u751f\u547d\u65e9\u671f\u8425\u517b\u54c1\u7ba1\u7406(\u4e0a\u6d77)\u6709\u9650\u516c\u53f8 Name Servers: dns17.hichina.com", "http://prtests.ru/test.html?15%0Ahttp://profetest.ru/test.html?2%0Ahttp://qptest.ru/test.html?5%0Ahttp://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3cf71a18-f999-4372-beac-67715d51bb62?P1=1629470400&P2=404&P3=2&P4=d%2520arRdiatcalmlQRKq2gm1LlFitNgIcLpnyzCIHYtf%2520ByXQF0JNptZ0rBDMKlLL%2520qsOzZdPICJjC7MWkkdm1Hg==%0Ahttp://stafftest.ru/test.html?0%0Ahttp://iqtesti.ru/test.html?17%0Ahttp://hrtests.ru/test.html?1%0Ahttp://pstests.ru/test.html?4%0Ahttp://prtests.ru/test.html?6%0Ahttp:/", "http://apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn/", "Crowdsourced IDS: Matches rule ET POLICY PE EXE or DLL Windows file download HTTP", "pgj.and.googletagmanagers.com", "jgw.and.googletagmanagers.com", "https://hybrid-analysis.com/sample/a638ece11c81bcac0002363eb3f75de35a46ce0e080b5de41162093181079a6b/69c018efcb875e4fb30cdfcc", "pornhub.org", "https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c", "https://hybrid-analysis.com/sample/09610b7c855ef132a31f2e0136b4d62b9dbb04c6fcb42160d6d8409ef6394e40/69c0189c5e0483a78907cc39", "http://e7.c.lencr.org/74.crl \u2022 http://e7.i.lencr.org/", "TAM Legal\u2019s Christopher P. \u2018Buzz\u2019 Ahmann Esq works for State Quasi Government in tandem w/ Hall Render" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win32:malware-gen", "Win.ransomware.wannacry-6313787-0", "Win64:expiro-aj\\ [inf]", "#virtool:win32/obfuscator", "#lowfi:suspicioussectionname", "Backdoor:win32/small.ir", "Win.trojan.agent-828507", "Citadel", "Virtool:win32/vbinject.ya!mtb", "Sf:wncryldr-a\\ [trj]", "Domains", "Ransomexx", "Win.malware.flystudio-6738927-0", "Sheur4.ceoo", "Win32/tanatos.a", "Win.trojan.application-1955.", "Win32:evo-gen\\ [trj]", "Spyeye", "Ransomware", "Webtoolbar", "Win32:dh-a\\ [win32:fileinfector-c\\ [heur]", "Trojanspy", "Win32:dh-a\\", "Cve-2017-0147", "Trojan/js.redirector.qno", "Win.trojan.vbgeneric-6989114-0", "Alf:spikeaexr.pevpopc", "Win32:inject-bcl\\ [trj]", "Hacktool", "Win.malware.snojan-6775202-0", "Ransom:win32/wannacrypt.h", "Inmortal", "Quasar rat", "Win32/cryptor", "Trojan:win32/remcosrat", "Exploit:win32/cve-2017-0147.a", "Win.trojan.mbrlock-9779766-0", "Milesmx", "Win32:banker-laa\\ [trj]", "Ransom:win32/cve-2017-0147.a", "W32.sality-73", "Generic_r.byw", "Win32:trojanx-gen\\ [trj]", "Win.trojan.fugrafa-9733007-0" ], "industries": [ "Entertainment", "Healthcare", "Technology", "Legal", "Telecommunications", "Government", "Media" ], "unique_indicators": 59863 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/utilbada.com", "whois": "http://whois.domaintools.com/utilbada.com", "domain": "utilbada.com", "hostname": "ww1.utilbada.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "69c06ca9341d6c063f652e33", "name": "ETERNALBLUE Probe MS17-010 | Wannacry Ransomware Domain - related to NSO Group Pegasus", "description": "Quasi governmental, Healthcare Law Firms , legal entities , as well as direct safety threats such as NSO Group Pegasus, Enterprise Cellebrite (in references) and other dangerous intimidation and life endangering tactics directed against a crime victim. Continuous harassment and threats of violence against victims family including 83 yo father. Veteran & hand picked Sr Systems Analyst and Engineer for Aegis Weapon System Team of 24. You\u2019re welcome America.. Victim left zero evidence with family. Documents shredded. Data stolen by parties named. She isn\u2019t the only one. These people do this for a living. Abuse of Palantir & Foundry tools.", "modified": "2026-03-22T22:26:49.205000", "created": "2026-03-22T22:26:49.205000", "tags": [ "ransomware", "united", "search", "asnone", "regsetvalueexa", "service", "regdword", "medium", "get na", "malware", "dock", "push", "write", "win32", "playgame", "unknown", "exploit", "cve", "wncry", "wannacry", "passive dns", "urls", "british virgin", "all url", "http", "ip address", "related nids", "files location", "virgin islands", "islands", "bgp", "virgin islands", "hijacked", "data upload", "extraction", "failed", "review iocs", "include ovo", "tovary review", "ids detec", "yara dete", "trior texarag", "drop or", "rrowse", "type", "extra data", "hurricane electric", "p2404", "p11629470400", "p11629107633", "artifacts v", "full reports", "v help", "info", "low l", "high ta0002", "techniques", "t1053", "command", "scripting inte", "low ta0003", "techniques high", "t1053 ite", "modify system", "pl t1543", "boot", "logon autostart", "ex t1547", "checks-disk-space", "checks-network-adapters", "detect-debug-environment", "direct-cpu-clock-access", "long-sleeps", "runtime-modules", "get http", "head http", "dns resolutions", "ip traffic", "53 tcp", "tls sni", "apple id", "webdisk", "expiration", "url http", "hostname", "no expiration", "iocs", "url https", "es included", "win32 exe", "pe32 executable", "ms windows", "intel", "ms visual", "win32 dynamic", "link library", "win16 ne", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "t1204 user", "defense evasion", "over", "mitre att", "ck matrix", "ascii text", "hybrid", "general", "local", "path", "click", "strings", "javascript", "ssl certificate", "encrypt", "accept", "russia unknown", "meta", "record value", "aaaa", "link", "present jun", "apple", "remote access", "otx logo", "all ipv4", "url analysis", "files", "accept ch", "present dec", "content type", "x pcrew", "name servers", "present may", "body doctype", "title", "all domain", "servers", "china unknown", "found content", "gmt p3p", "cp oti", "dsp cor", "iva our", "ind com", "domain", "cname", "entries", "brian sabey", "hallrender", "christopher ahmann", "t1480 execution", "discovery att", "heur", "virtool", "win64", "mtb win32", "backdoor", "location china", "hangzhou", "china asn", "ransom", "wannadecryptor", "filehash", "yara detections", "msvisualcpp60", "related tags", "none file", "type pexe", "copy", "beginstring", "null", "refresh", "body", "span", "error", "tools", "look", "verify", "restart", "expl", "unknown cname", "hacktool", "domain address", "contacted hosts", "process details", "flag", "ipv4 add", "location united", "america flag", "exploit", "show", "all filehash", "expiration date", "gmt location", "gmt max", "domain add", "elite", "date", "cowboy", "United States", "present feb", "present oct", "creation date", "present nov", "moved", "emails" ], "references": [ "http://ww17.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/", "Win32:CVE-2017-0147-B\\ [Expl] , Win.Ransomware.WannaCry-6313787-0 , Exploit:Win32/CVE-2017-0147.A", "IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection SMB-DS", "IDS Detections: IPC$ share access \u2022 SMB-DS IPC$ unicode share access \u2022 403 Forbidden", "Yara Detections: WannaCry_Ransomware , Wanna_Cry_Ransomware_Generic , WannaDecryptor", "Yara Detections: MS17_010_WanaCry_worm , stack_string , MS_Visual_Cpp_6_0 , Armadillov1xxv2xx", "Alerts: network_icmp nolookup_communication persistence_autorun modifies_proxy_wpad", "Alerts: network_cnc_http network_http allocates_rwx creates_exe creates_hidden_file", "Alerts: creates_service stealth_window antivm_network_adapters checks_debugger", "Alerts: peid_packer pe_unknown_resource_name", "IP\u2019s Contacted: 103.224.212.220 105.242.60.208 117.13.61.219 117.180.208.83 12.105.46.122", "IP\u2019s Contacted: 121.105.233.189 128.251.173.246 13.248.148.254 132.124.155.52 139.246.30.108", "Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com", "Domains Contacted: ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com", "FileHash-SHA256 002dee2db8b07b98b543ad99d0dd4e3e0ba7624f956d719ba803f57b426e30e7", "Names: Photo.scr \u2022 85115B0142902832C864B3009CAB1A00.RS (names of FileHash above)", "Crowdsourced IDS: Matches rule MALWARE-CNC DNS", "Crowdsourced IDS: Fast Flux attempt Matches rule ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)", "Crowdsourced IDS: Matches rule ET POLICY PE EXE or DLL Windows file download HTTP", "apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn", "apple.com-verify.account.manage.test2.aptaforum.com.cn", "appleid.apple.com-signin-8491e.test2.aptaforum.com.cn", "appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn", "web-secure-appleid-login.com.test2.aptaforum.com.cn", "http://apple.com-verify.account.manage.test2.aptaforum.com.cn/", "http://appleid.apple.com-signin-8491e.test2.aptaforum.com.cn/", "http://apple.sweetycat.com/ \u2022 https://apple.sweetycat.com/", "findmy.apple-uk.live", "apple.haipaoapp.com \u2022 http://apple.haipaoapp.com \u2022 http://apple.haipaoapp.com/ \u2022 https://apple.haipaoapp.com/", "http://apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn/", "http://appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn/", "http://web-secure-appleid-login.com.test2.aptaforum.com.cn/", "Trojan/JS.Redirector.QNO SHA256:9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc", "VO7MU1HA.htm : https://hybrid-analysis.com/sample/9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc", "https://hybrid-analysis.com/sample/a638ece11c81bcac0002363eb3f75de35a46ce0e080b5de41162093181079a6b/69c018efcb875e4fb30cdfcc", "https://hybrid-analysis.com/sample/09610b7c855ef132a31f2e0136b4d62b9dbb04c6fcb42160d6d8409ef6394e40/69c0189c5e0483a78907cc39", "KeenDNS | keendnsaclremote805717135272048.qeenetic.link", "https://fonts.googleapis.com/css", "http://e7.c.lencr.org/74.crl \u2022 http://e7.i.lencr.org/", "Quasi Gov - Law firms stole victims clouds. Evidence, $Intellectual property, Memories of & victims family. Merciless", "www.remoteaccess.allied-media.com", "apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn", "aptaforum.com.cn 182.61.201.90 , 182.61.201.91 China ASN AS38365 beijing baidu netcom science and technology co. ltd", "Emails:yejun.shou@yxips.com Name:\u7ebd\u8fea\u5e0c\u4e9a\u751f\u547d\u65e9\u671f\u8425\u517b\u54c1\u7ba1\u7406(\u4e0a\u6d77)\u6709\u9650\u516c\u53f8 Name Servers: dns17.hichina.com", "*unsigned Domain: aptaforum.com.cn Name Servers: dns18.hichina.com Registrar: \u963f\u91cc\u4e91\u8ba1\u7b97\u6709\u9650\u516c\u53f8\uff08\u4e07\u7f51\uff09Status: ok", "dns17.hichina.com", "dropbox.com - deleted victims DB post assault. Sabey + Ahmann repeatedly erased DB (ILLEGAL)", "Protected:SA\u2019r Jeffrey Scott Reimer, Mark Montano MD, John T. Sasha MD, Frederick P. Scherr , others.", "https://otx.alienvault.com/indicator/domain/qeenetic.link", "okg.and.googletagmanagers.com", "pcy.and.googletagmanagers.com", "pgj.and.googletagmanagers.com", "prb.and.googletagmanagers.com", "lkp.and.googletagmanagers.com", "jgw.and.googletagmanagers.com", "bzx.and.googletagmanagers.com", "msedge.b.tlu.dl.delivery.mp.microsoft.com", "http://prtests.ru/test.html?15%0Ahttp://profetest.ru/test.html?2%0Ahttp://qptest.ru/test.html?5%0Ahttp://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3cf71a18-f999-4372-beac-67715d51bb62?P1=1629470400&P2=404&P3=2&P4=d%2520arRdiatcalmlQRKq2gm1LlFitNgIcLpnyzCIHYtf%2520ByXQF0JNptZ0rBDMKlLL%2520qsOzZdPICJjC7MWkkdm1Hg==%0Ahttp://stafftest.ru/test.html?0%0Ahttp://iqtesti.ru/test.html?17%0Ahttp://hrtests.ru/test.html?1%0Ahttp://pstests.ru/test.html?4%0Ahttp://prtests.ru/test.html?6%0Ahttp:/", "HallRender.com | Law Firm M. Brian Sabey Esq. | Pegasus related", "TAM Legal\u2019s Christopher P. \u2018Buzz\u2019 Ahmann Esq works for State Quasi Government in tandem w/ Hall Render", "https://otx.alienvault.com/pulse/69bf8e2663d5480917ddb699", "https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c", "https://otx.alienvault.com/pulse/69bea426487bffa5384c6f38", "(?) https://living-sun.com/applescript/68281-is-there-a-way-to-disable-force-quit-while-applescript-application-is-still-running-applescript-quit.html", "https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c", "https://otx.alienvault.com/pulse/69b49ad5dd40a24d83cd6a72" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Win.Ransomware.WannaCry-6313787-0", "display_name": "Win.Ransomware.WannaCry-6313787-0", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147.A", "display_name": "Exploit:Win32/CVE-2017-0147.A", "target": "/malware/Exploit:Win32/CVE-2017-0147.A" }, { "id": "Trojan/JS.Redirector.QNO", "display_name": "Trojan/JS.Redirector.QNO", "target": null }, { "id": "Win.Trojan.Application-1955.", "display_name": "Win.Trojan.Application-1955.", "target": null }, { "id": "Win32:Banker-LAA\\ [Trj]", "display_name": "Win32:Banker-LAA\\ [Trj]", "target": null }, { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null }, { "id": "Win32:Evo-gen\\ [Trj]", "display_name": "Win32:Evo-gen\\ [Trj]", "target": null }, { "id": "Win64:Expiro-AJ\\ [Inf]", "display_name": "Win64:Expiro-AJ\\ [Inf]", "target": null }, { "id": "Win.Trojan.Fugrafa-9733007-0", "display_name": "Win.Trojan.Fugrafa-9733007-0", "target": null }, { "id": "Win32:TrojanX-gen\\ [Trj]", "display_name": "Win32:TrojanX-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.VBGeneric-6989114-0", "display_name": "Win.Trojan.VBGeneric-6989114-0", "target": null }, { "id": "VirTool:Win32/VBInject.YA!MTB", "display_name": "VirTool:Win32/VBInject.YA!MTB", "target": "/malware/VirTool:Win32/VBInject.YA!MTB" }, { "id": "Win32:Dh-A\\ [Win32:FileInfector-C\\ [Heur]", "display_name": "Win32:Dh-A\\ [Win32:FileInfector-C\\ [Heur]", "target": null }, { "id": "#VirTool:Win32/Obfuscator", "display_name": "#VirTool:Win32/Obfuscator", "target": "/malware/#VirTool:Win32/Obfuscator" }, { "id": "Backdoor:Win32/Small.IR", "display_name": "Backdoor:Win32/Small.IR", "target": "/malware/Backdoor:Win32/Small.IR" }, { "id": "Win64:Expiro-AJ\\ [Inf]", "display_name": "Win64:Expiro-AJ\\ [Inf]", "target": null }, { "id": "Win32:Dh-A\\", "display_name": "Win32:Dh-A\\", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "Ransom:Win32/CVE-2017-0147.A", "display_name": "Ransom:Win32/CVE-2017-0147.A", "target": "/malware/Ransom:Win32/CVE-2017-0147.A" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Malware.Flystudio-6738927-0", "display_name": "Win.Malware.Flystudio-6738927-0", "target": null }, { "id": "ALF:SpikeAexR.PEVPOPC", "display_name": "ALF:SpikeAexR.PEVPOPC", "target": null }, { "id": "Sf:WNCryLdr-A\\ [Trj]", "display_name": "Sf:WNCryLdr-A\\ [Trj]", "target": null }, { "id": "Win.Ransomware.WannaCry-6313787-0", "display_name": "Win.Ransomware.WannaCry-6313787-0", "target": null }, { "id": "ransom:Win32/WannaCrypt.H", "display_name": "ransom:Win32/WannaCrypt.H", "target": "/malware/ransom:Win32/WannaCrypt.H" } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" } ], "industries": [ "Government", "Legal", "Technology", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3779, "FileHash-MD5": 422, "FileHash-SHA1": 411, "FileHash-SHA256": 1824, "IPv4": 666, "domain": 979, "hostname": 2082, "CVE": 1, "BitcoinAddress": 3, "SSLCertFingerprint": 6, "email": 8 }, "indicator_count": 10181, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c607c354336e9c19aa3e1f", "name": "RansomEXX + Cyber attack \u2022 Premier Denver Recording Studio", "description": "Studio description: Adelio developed and managed A-list producer DJ Frank E, who has worked with the likes of Kanye West, B.O.B., Madonna, and Justin Bieber...\nResearch confirms target releases songs recorded @ Side3 studios.\nCreative differences aren't uncommon, research shows a common kink with m. Brian sabey if hallrender hacking everything from hospital is to insurance portals. He's nuts. Unclear if true nameof attacker is Brian Sabey /Tulach / using NSO grouo and various cyver attacks. A man representing an attorney named M. Brian Sabey socially engineered himself and others into targets world. If studio interns or management had malice towards target, social engineering access would be easy.", "modified": "2024-03-10T11:05:48.248000", "created": "2024-02-09T11:08:51.939000", "tags": [ "url http", "united", "unknown", "search", "status", "creation date", "date", "expiration date", "showing", "as201682 liquid", "as32244 liquid", "trojan", "passive dns", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "open", "win32", "body", "date hash", "avast avg", "lowfi", "ssl certificate", "contacted", "whois whois", "sdhyzbh7v http", "whois record", "execution", "apple ios", "historical ssl", "resolutions", "sdhyzbh7v", "attack", "ransomexx", "quasar", "asyncrat", "hacktool", "maze", "find", "hell", "crypto", "remcosrat", "worm", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "porkbun llc", "ovh sas", "summary iocs", "graph community", "as63949 linode", "for privacy", "asnone united", "as174 cogent", "as197695 domain", "russia unknown", "as16276", "france unknown", "encrypt", "next", "tsara brashears", "targeting", "cyber threat", "abuse", "malware spreading", "hallgrand", "tulach", "sabey data centers", "sav.com", "outbreak", "location united", "asn as63949", "whois registrar", "related tags", "interfacing", "malicious", "retaliation", "botnet", "porn", "teen porn", "illegal activities", "theft", "side3studios" ], "references": [ "http://mobilesmafia.com/applications/botnet.ex", "Found in: https://Side3.com/", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "nr-data.net [Apple Private Data Collection]", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "pornhub.org", "ww12.indianpornxxxtube.com", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Inject-BCL\\ [Trj]", "display_name": "Win32:Inject-BCL\\ [Trj]", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Win32:Evo-gen\\ [Trj]", "display_name": "Win32:Evo-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Mbrlock-9779766-0", "display_name": "Win.Trojan.Mbrlock-9779766-0", "target": null }, { "id": "Win.Trojan.Agent-828507", "display_name": "Win.Trojan.Agent-828507", "target": null }, { "id": "SHeur4.CEOO", "display_name": "SHeur4.CEOO", "target": null }, { "id": "Win32/Cryptor", "display_name": "Win32/Cryptor", "target": null }, { "id": "Win32/Tanatos.A", "display_name": "Win32/Tanatos.A", "target": null }, { "id": "W32.Sality-73", "display_name": "W32.Sality-73", "target": null }, { "id": "Generic_r.BYW", "display_name": "Generic_r.BYW", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan:Win32/RemcosRAT", "display_name": "Trojan:Win32/RemcosRAT", "target": "/malware/Trojan:Win32/RemcosRAT" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 71387, "domain": 8768, "hostname": 17727, "email": 16, "FileHash-MD5": 195, "FileHash-SHA1": 168, "FileHash-SHA256": 15313, "CVE": 9, "CIDR": 7 }, "indicator_count": 113590, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "770 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6561581c55aacc7f571968af", "name": "Mirai | Inmortal | Loki | SpyEye", "description": "attack, cyber threat, network, vehicle tracking, cnc, athena cyber stalking, betabot, social engineering, Cisco umbrella, bambernek simda, active threat, ongoing spreader, spyware, redline stealer, qakbot, anilise, milemighmedia, sweetheart videos botnetwork, targeting , redirects, network, targeted toyota tracking", "modified": "2023-12-25T01:00:05.300000", "created": "2023-11-25T02:12:44.278000", "tags": [ "replication", "date", "graph summary", "ssl certificate", "contacted", "whois record", "historical ssl", "threat roundup", "august", "tsara brashears", "whois whois", "execution", "dropped", "february", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "million", "alexa top", "team", "malicious site", "malware", "phishing", "union", "bank", "unsafe", "united", "bambernek simda", "commerce", "pykspa", "bambernek", "ip reputation", "database", "vawtrak", "blacklist http", "search live", "api blog", "docs pricing", "login", "november", "de indicators", "domains", "hashes", "copyright", "gmbh version", "reverse dns", "software", "general full", "resource", "hash", "get h2", "protocol h2", "security tls", "url http", "main", "attention", "please", "adblock pro", "loki", "mon jul", "first", "linkid252669", "pjp3sltkz", "heur", "malware site", "phishing site", "artemis", "iframe", "riskware", "exploit", "fakealert", "nircmd", "swrort", "downldr", "crack", "filetour", "cleaner", "wacatac", "xtrat", "genkryptik", "opencandy", "tiggre", "presenoker", "agent", "conduit", "xrat", "coinminer", "dropper", "alexa", "acint", "systweak", "behav", "download", "zbot", "xtreme", "installcore", "unruy", "patcher", "adload", "win64", "applicunwnt", "trojanspy", "webtoolbar", "cyber threat", "engineering", "firehol", "phishtank", "emotet", "ransomware", "malicious", "cobalt strike", "suppobox", "bradesco", "facebook", "banco", "nymaim", "smsspy", "stealer", "service", "mirai", "pony", "nanocore", "asyncrat", "downloader", "deepscan", "virut", "qakbot", "name verdict", "falcon sandbox", "blacklist https", "malicious url", "filerepmetagen", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "C2", "command_and_control", "spyware", "tracking", "targeting", "cyber stalking", "hostname", "simda", "kraken", "betabot", "zeus", "ramnit", "plasma", "citadel", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "spyeye", "vskimmer", "spitmo", "slingshot", "warbot", "redline stealer", "steam", "bandoo", "matsnu", "maltiverse", "bambernek gen", "internet storm", "infy", "inmortal", "addtopayload", "attack", "malvertizing" ], "references": [ "https://networkpccontrol.com/video-player-1/?clickid=4030fe2twwhgxaa9&domain=standardtrackerchain.com&uclick=e2twwhgx&uclickhash=e2twwhgx-e2twwhgx-xoq53y-0-3zvc3y-oj1m9r-oj1m1n-5da44a", "https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45/65609b66e63f64cae305c749", "https://www.hybrid-analysis.com/sample/347314196559e7fbc75fc532daa774727b897d3a2156ea1328861f3b66f677a5/656146284d68f73e2306b6ad", "http://dev.findatoyota.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "MilesMX", "display_name": "MilesMX", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 81, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2450, "FileHash-SHA256": 2684, "domain": 1254, "URL": 9244, "CVE": 13, "FileHash-MD5": 931, "FileHash-SHA1": 487 }, "indicator_count": 17063, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "846 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65612df1531ea0c35d79b1f4", "name": "BlackNET RAT | CIArmyTracking: http://dev.findatoyota.com/", "description": "Source: http://dev.findatoyota.com/\ntracking, vehicle tracking, mobile phone tracking, active threat , warbot, target tracking, tracking targeted associates, network, cyber stalking, boomrmq string, malvertizing\n\n\nResource: https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45", "modified": "2023-12-24T22:02:36.942000", "created": "2023-11-24T23:12:49.909000", "tags": [ "adgroupid", "x350", "lwii", "ejan", "kfrontier", "qkvt0tvj ejan", "eja ota", "njii", "mqkvt0tvj ejan", "eqkoatlvqia", "unknown", "expiration", "no expiration", "url https", "url http", "iocs", "vj101", "slc1", "scan endpoints", "all octoseek", "create new", "uw1600", "uh1200", "next", "pulse use", "searchbox0", "kwwikipedia", "bit64", "oswindows", "cardstandard", "pack", "kw1download", "qchlemail no", "bit32bit", "ver9", "from", "mpass", "num0", "dig0", "kbetu1", "maxads0", "kld1040", "opnslfp1", "downloader", "pdf report", "clickid", "price", "campaignid", "domain", "text", "hostname", "aufffdufffd", "hostname xn", "pcap", "filehashsha256", "stix", "filehashmd5", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 805, "URL": 9065, "hostname": 3080, "FileHash-MD5": 1373, "domain": 1190, "FileHash-SHA256": 3468, "email": 6, "CIDR": 4, "CVE": 12 }, "indicator_count": 19003, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65612df2a7b287c614a94f94", "name": "BlackNET RAT | CIArmyTracking: http://dev.findatoyota.com/", "description": "Source: http://dev.findatoyota.com/\ntracking, vehicle tracking, mobile phone tracking, active threat , warbot, target tracking, tracking targeted associates, network, cyber stalking, boomrmq string, malvertizing\n\n\nResource: https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45", "modified": "2023-12-24T22:02:36.942000", "created": "2023-11-24T23:12:50.158000", "tags": [ "adgroupid", "x350", "lwii", "ejan", "kfrontier", "qkvt0tvj ejan", "eja ota", "njii", "mqkvt0tvj ejan", "eqkoatlvqia", "unknown", "expiration", "no expiration", "url https", "url http", "iocs", "vj101", "slc1", "scan endpoints", "all octoseek", "create new", "uw1600", "uh1200", "next", "pulse use", "searchbox0", "kwwikipedia", "bit64", "oswindows", "cardstandard", "pack", "kw1download", "qchlemail no", "bit32bit", "ver9", "from", "mpass", "num0", "dig0", "kbetu1", "maxads0", "kld1040", "opnslfp1", "downloader", "pdf report", "clickid", "price", "campaignid", "domain", "text", "hostname", "aufffdufffd", "hostname xn", "pcap", "filehashsha256", "stix", "filehashmd5", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 805, "URL": 9065, "hostname": 3080, "FileHash-MD5": 1373, "domain": 1190, "FileHash-SHA256": 3468, "email": 6, "CIDR": 4, "CVE": 12 }, "indicator_count": 19003, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656e19dfeee6ead11dc6354e", "name": "BlackNET RAT | CIArmyTracking: http://dev.findatoyota.com/", "description": "", "modified": "2023-12-24T22:02:36.942000", "created": "2023-12-04T18:26:39.448000", "tags": [ "adgroupid", "x350", "lwii", "ejan", "kfrontier", "qkvt0tvj ejan", "eja ota", "njii", "mqkvt0tvj ejan", "eqkoatlvqia", "unknown", "expiration", "no expiration", "url https", "url http", "iocs", "vj101", "slc1", "scan endpoints", "all octoseek", "create new", "uw1600", "uh1200", "next", "pulse use", "searchbox0", "kwwikipedia", "bit64", "oswindows", "cardstandard", "pack", "kw1download", "qchlemail no", "bit32bit", "ver9", "from", "mpass", "num0", "dig0", "kbetu1", "maxads0", "kld1040", "opnslfp1", "downloader", "pdf report", "clickid", "price", "campaignid", "domain", "text", "hostname", "aufffdufffd", "hostname xn", "pcap", "filehashsha256", "stix", "filehashmd5", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65612df2a7b287c614a94f94", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 805, "URL": 9065, "hostname": 3080, "FileHash-MD5": 1373, "domain": 1190, "FileHash-SHA256": 3468, "email": 6, "CIDR": 4, "CVE": 12 }, "indicator_count": 19003, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656096cac68edb7036a8b82e", "name": "router.debugger.ru", "description": "", "modified": "2023-12-24T12:00:28.598000", "created": "2023-11-24T12:27:54.959000", "tags": [ "passive dns", "urls", "date", "unknown", "united", "browse scan", "endpoints all", "search otx", "login", "sign up", "execution", "contacted", "whois record", "ssl certificate", "threat roundup", "historical ssl", "june", "april", "red team", "whois whois", "metro", "attack", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "null", "error", "refresh", "span", "class", "generator", "critical", "tools", "body", "look", "verify", "restart", "meta", "hybrid", "general", "local", "click", "strings" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 446, "hostname": 953, "FileHash-MD5": 82, "FileHash-SHA1": 81, "FileHash-SHA256": 2120, "URL": 3040, "CVE": 1 }, "indicator_count": 6723, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656aa32666b504ffdb74a02a", "name": "router.debugger.ru", "description": "", "modified": "2023-12-24T12:00:28.598000", "created": "2023-12-02T03:23:18.658000", "tags": [ "passive dns", "urls", "date", "unknown", "united", "browse scan", "endpoints all", "search otx", "login", "sign up", "execution", "contacted", "whois record", "ssl certificate", "threat roundup", "historical ssl", "june", "april", "red team", "whois whois", "metro", "attack", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "script", "beginstring", "null", "error", "refresh", "span", "class", "generator", "critical", "tools", "body", "look", "verify", "restart", "meta", "hybrid", "general", "local", "click", "strings" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": "656096cac68edb7036a8b82e", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 446, "hostname": 953, "FileHash-MD5": 82, "FileHash-SHA1": 81, "FileHash-SHA256": 2120, "URL": 3040, "CVE": 1 }, "indicator_count": 6723, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ww1.utilbada.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ww1.utilbada.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776639510.3184729 }