{ "type": "URL", "indicator": "https://ww12.tter.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ww12.tter.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3765715494, "indicator": "https://ww12.tter.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 20, "pulses": [ { "id": "65f27f90cb56df78929c01d4", "name": "CO.gov/PEAK - Post Mail Social Engineering | M Brian Sabey and CBI", "description": "", "modified": "2024-09-24T14:02:17.711000", "created": "2024-03-14T04:39:44.522000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65f2691bb1405f9a30cf46b6", "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6664, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2523, "domain": 1792, "hostname": 1889, "CVE": 2, "CIDR": 19, "email": 22 }, "indicator_count": 13082, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f2691bb1405f9a30cf46b6", "name": "CO.gov/PEAK - Postal Engineering | M Brian Sabey and CBI (mail)", "description": "Target received urgent postal mail ,directed to login: \nCO.gov/PEAK | Disappointed so many reports have been modified. Logins OTX account are governmental.with insecure headers.\nHistoryKillerPro , RedHatDelete glintsintern.com oauth2-proxy.glintsintern.com \u2022 https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ oauth2-proxy.glintsintern.com have attached to several OTX users.", "modified": "2024-04-12T14:01:31.094000", "created": "2024-03-14T03:03:55.928000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6466, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2406, "domain": 1686, "hostname": 1760, "CVE": 2, "CIDR": 4, "email": 7 }, "indicator_count": 12502, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "737 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eedf74b7bdda41057bef3e", "name": "Source Browse- DNS poisoning \u2022 Device CnC", "description": "Smear + Fear campaign. Parked domain schemes. Swatting, social engineering, crime staging/framing. Cyber bully, shocking, false online content, posters, porn dumping, injection, CnC devices, master keys, break & enter. Victim becomes the accused. Framing. Ability to close bank accounts, skim, call, text, email collection, redirect phone calls, create botnets, engineer malware, injection,divert tax refunds, divert funds, royalties, mail erase job history, attack, hospital, CnC event, IRS audits, fake documentaries, stalkers, attackers, death threats. MD articulated outcome after being SA'd by their employee they vowed to protect.", "modified": "2024-04-10T09:00:27.994000", "created": "2024-03-11T10:39:48.949000", "tags": [ "iocs", "all octoseek", "blacklist https", "gmbh version", "legal", "service privacy", "general full", "reverse dns", "san francisco", "asn13335", "cloudflarenet", "cloudflare", "domains", "service privacy", "modernizr", "domainpath name", "migrate", "phishing", "url https", "united", "line", "threat", "paste", "analyze", "value", "z6s3i string", "a7i string", "y3i string", "e0b function", "x8i string", "source level", "threat analyzer", "urls https", "domain", "webzilla", "cloudflar", "system", "hostnames", "sample", "security tls", "ecdheecdsa", "resource", "hash", "windows nt", "win64", "khtml", "gecko", "veryhigh", "limited", "lsalford", "ocomodo ca", "cncomodo ecc", "secure server", "olet", "encrypt", "cnlet", "identity search", "group", "google https", "expired", "comodo", "tls web", "log id", "criteria id", "1663014711", "summary leaf", "timestamp entry", "log operator", "error", "name size", "parent", "directory", "displays", "targets", "smartfolder", "frame", "bookmarks", "splitcount", "nib files", "design", "boundsstr", "rows", "source browser", "ruby logo", "license", "python", "python software", "foundation", "apple inc", "php logo", "visit", "valid", "no na", "no no", "ip security", "ca id", "research group", "cnisrg root", "mozilla", "android", "binrm", "targetdisk", "create", "crlcachedir", "makefile", "dstroot", "keychainssrc", "srcroot", "crl cache", "install", "ev server", "authentication", "subject", "digicert https", "sectigo https", "certificate", "ca limited", "salford", "greater", "key usage", "access", "ca issuers", "ocsp", "x509v3 subject", "lets", "identifier", "411260982", "poison", "search", "status page", "impressum", "protocol h2", "main", "framing", "geoip", "as13335", "centos", "as32244", "liquidweb", "redirect", "as16509", "as133618", "z6s3i y3i", "as62597", "france unknown", "showing", "link", "z6s3i", "date", "unknown", "meta", "sha256", "google safe", "browsing", "hostname", "samples", "td td", "tr tr", "a td", "a domains", "passive dns", "a th", "urls", "as50295 triple", "triple mirrors", "contact", "moved", "show", "accept", "body", "microsoft", "e4609l", "urls http", "yoa https", "url http", "scan endpoints", "report spam", "created", "weeks ago", "pulse", "brashears", "xvideos", "capture", "expiration", "no expiration", "entries", "status", "as58110 ip", "for privacy", "aaaa", "creation date", "domain name", "germany unknown", "bq mar", "ipv4", "pulse pulses", "files", "artro", "files domain", "files related", "pulses otx", "pulses", "tags", "servers", "record value", "body doctype", "html public", "macintosh", "intel mac", "os x", "technology", "dns replication", "email", "server", "registrar abuse", "dnssec", "expiration date", "registrar iana", "admin country", "tech country", "registry admin", "url text", "facebook url", "google url", "google", "software", "asn15169", "ip https", "february", "request chain", "http", "referer", "aes128gcm", "pragma", "frankfurt", "germany", "asn213250", "itpsolutions", "full url", "software caddy", "express", "ubuntu", "as14061", "digitaloceanasn", "address as", "april", "facebook", "march", "hashes", "ip address", "as autonomous", "fastly", "packet", "kb script", "b script", "october", "resource path", "size", "type mimetype", "redirect chain", "kb image", "b image", "cname", "as32244 liquid", "trojan", "high", "yara rule", "sniffs", "windows", "anomalous file", "medium", "guard", "filehash", "js user", "python connection", "brian sabey", "smithtech", "rexxfield", "connect facebook", "open", "emails", "next", "ssl certificate", "contacted", "whois record", "referrer", "historical ssl", "resolutions", "execution", "whois whois", "contacted urls", "linkid69157 url", "formbook", "spyware", "generic malware", "tag count", "sat jul", "threat report", "ip summary", "url summary", "summary", "generic", "alerts", "icmp traffic", "cust exe", "depot tech", "office depot", "tech", "customer client", "june", "copy", "network_icmp", "inject-x64.exe", "tsara brashears", "apple ios", "hacktool", "download", "malware", "relic", "monitoring", "tofsee", "https://otx.alienvault.com/pulse/65acace20c18a7d6c5da2e27", "darklivity", "hijacker", "remote attackers", "cybercrime", "fear factor", "criminal gang", "jeffrey reimer", "miles it", "history killer", "apple", "apple control", "sreredrum", "men", "man", "hit" ], "references": [ "videolal.com [Exploitation for privilege - Turns victim into target then spys, smears, embeds pornography in devices]", "videolal.com was first found hosted : https://rexxfield.com/ | https://crt.sh/?id=410492573 | https://crt.sh/?id=411260982", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/michael.pbxuser.auto.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/project.pbxproj.auto.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/roots/", "https://crt.sh/?q=videolal.com", "https://opensource.apple.com/source/security_certificates/security_certificates-2/Makefile.auto.html", "https://opensource.apple.com/source/security_certificates/", "https://crt.sh/?q=videolal.com", "https://crt.sh/?graph=410492573&opt=nometadata", "https://crt.sh/?spkisha256=2c5ef644a15ed2d591aee707a125b2870da480a0bc16d78022a311c93aca5b15", "Tracey Richter smear included Brashears: http://video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "Tracey Richter smear: video-lal.com/videos/diabolical-sentencing.html", "Tracey Richter smear: video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "Tracey Richter smear: video-lal.com/video/fbcwPGTSo5lrA7e/tracey-richter-documentary?cpc=no", "Malware hosting: http://videolan.mirror.triple-it.nl/vlc-android/3.0.4/VLC-Android-3.0.4-ARMv7.apk", "video-lal.com/videos/sandra-richter-video.html", "Denver Attorney Frank Azar Smear: video-lal.com/videos/sherryce-emery-frank-azar-&-associates.html", "Brashears smear: video-lal.com/videos/tsara-brashears-dead-by-daylight.html", "http://tx-p2p-pull.video-voip.com.dorm.com/Accept-Language", "Crazy: video-lal.com/videos/michael-roberts.html", "https://urlscan.io/screenshots/e40cd846-7c34-45a5-9f79-fea139f5b1ee.png", "http://secure.applegiftcard.com \u2022 199.59.243.224: http://tx-p2p-pull.video-voip.com.dorm.com \u2022 199.59.243.224: http://wpad.dorm.com", "notonmytrack.info \u2022 http://notonmytrack.info \u2022 https://pochta-rf.ru/track74157857 \u2022 patch-tracker.gnewsense.org \u2022 mysql.snore.co", "Darren Meade: https://urlscan.io/result/e5f1d6fe-036e-4291-8595-0a33e5dacba5/#behaviour \u2022 alleged partner turned enemy of Michael Roberts", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe | smithsthermopadtool.com", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe \u2022", "Unclear given names authentic. Michael Roberts, Darren Mitchell Meade , M. Brian Sabey could be used interchangeably. Black hats w/pseudonyms.", "Smith tech may refer to Det. Ben Smith. HallRender; a media company, producing nonsensical, albeit convincing evidence of deeply fake content.", "Possibly false names given by individual involved. Brian Sabey Hall Render | Michael Roberts Rexxfield | Darren Meade former partner of Roberts", "Responsible reopening Richter case via alleged Detective Ben Smith | Names Below linked to porn spewing Videolan , Videolal, Video-lal (Honeypots?) |", "http://www.hallrender.com/attorney/brian-sabey |", "Sabey: https://www.google.com/search?q=tsara+brashears&client=ms-android-tmus-us-rvc3&sca_esv=52c806ab62ec5c59&cs=1&prmd=inv&filter=0&biw=347&bih=710&dpr=2.08#ip=1", "https://www.hallrender.com/attorney/brian-sabey", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png | www.hallrender.com | rexxfield.com", "http://usb.smithtech.us \u2022 http://usb.smithtech.us/apps/downloads/NSISPortable.exe \u2022 http://usb.smithtech.us/apps/downloads/xplorer2.lite.portable.exe", "http://usb.smithtech.us/projects/downloads/\u2022 http://usb.smithtech.us/projects/downloads/psu.exe \u2022 smithsthermopadtool.com", "servicer.mgid.com \u2022 http://iv-u15.com/imbd-104-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-\u00e5\u00a4\u008f\u00e5\u00b0\u2018\u00e5\u00a5\u00b3-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-blu-ray \u2022 https://load77.exelator.com/pixel.gif", "brain-portal.net", "303 Status. Ide redirect from: https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "https://otx.alienvault.com/pulse/64d018ee4623e8fcd386c2e1", "https://otx.alienvault.com/pulse/65418472eb20b10ee5510fde", "https://otx.alienvault.com/pulse/64d65255c80d866add600bac", "https://otx.alienvault.com/pulse/65204565ac1e8bce4de26df3", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "https://otx.alienvault.com/pulse/65a342310ab3d2c69778d608", "Refuses to remove target from adult content \"tagging\"" ], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Win.Malware.Farfli-6824119-0", "display_name": "Win.Malware.Farfli-6824119-0", "target": null }, { "id": "Win32:TrojanX-Gen[Trj]", "display_name": "Win32:TrojanX-Gen[Trj]", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1602.002", "name": "Network Device Configuration Dump", "display_name": "T1602.002 - Network Device Configuration Dump" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5328, "domain": 2339, "hostname": 2434, "FileHash-MD5": 1210, "FileHash-SHA1": 721, "FileHash-SHA256": 2784, "SSLCertFingerprint": 5, "CVE": 2, "URI": 2, "email": 10, "CIDR": 3 }, "indicator_count": 14838, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "739 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c607c354336e9c19aa3e1f", "name": "RansomEXX + Cyber attack \u2022 Premier Denver Recording Studio", "description": "Studio description: Adelio developed and managed A-list producer DJ Frank E, who has worked with the likes of Kanye West, B.O.B., Madonna, and Justin Bieber...\nResearch confirms target releases songs recorded @ Side3 studios.\nCreative differences aren't uncommon, research shows a common kink with m. Brian sabey if hallrender hacking everything from hospital is to insurance portals. He's nuts. Unclear if true nameof attacker is Brian Sabey /Tulach / using NSO grouo and various cyver attacks. A man representing an attorney named M. Brian Sabey socially engineered himself and others into targets world. If studio interns or management had malice towards target, social engineering access would be easy.", "modified": "2024-03-10T11:05:48.248000", "created": "2024-02-09T11:08:51.939000", "tags": [ "url http", "united", "unknown", "search", "status", "creation date", "date", "expiration date", "showing", "as201682 liquid", "as32244 liquid", "trojan", "passive dns", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "open", "win32", "body", "date hash", "avast avg", "lowfi", "ssl certificate", "contacted", "whois whois", "sdhyzbh7v http", "whois record", "execution", "apple ios", "historical ssl", "resolutions", "sdhyzbh7v", "attack", "ransomexx", "quasar", "asyncrat", "hacktool", "maze", "find", "hell", "crypto", "remcosrat", "worm", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "porkbun llc", "ovh sas", "summary iocs", "graph community", "as63949 linode", "for privacy", "asnone united", "as174 cogent", "as197695 domain", "russia unknown", "as16276", "france unknown", "encrypt", "next", "tsara brashears", "targeting", "cyber threat", "abuse", "malware spreading", "hallgrand", "tulach", "sabey data centers", "sav.com", "outbreak", "location united", "asn as63949", "whois registrar", "related tags", "interfacing", "malicious", "retaliation", "botnet", "porn", "teen porn", "illegal activities", "theft", "side3studios" ], "references": [ "http://mobilesmafia.com/applications/botnet.ex", "Found in: https://Side3.com/", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "nr-data.net [Apple Private Data Collection]", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "pornhub.org", "ww12.indianpornxxxtube.com", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Inject-BCL\\ [Trj]", "display_name": "Win32:Inject-BCL\\ [Trj]", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Win32:Evo-gen\\ [Trj]", "display_name": "Win32:Evo-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Mbrlock-9779766-0", "display_name": "Win.Trojan.Mbrlock-9779766-0", "target": null }, { "id": "Win.Trojan.Agent-828507", "display_name": "Win.Trojan.Agent-828507", "target": null }, { "id": "SHeur4.CEOO", "display_name": "SHeur4.CEOO", "target": null }, { "id": "Win32/Cryptor", "display_name": "Win32/Cryptor", "target": null }, { "id": "Win32/Tanatos.A", "display_name": "Win32/Tanatos.A", "target": null }, { "id": "W32.Sality-73", "display_name": "W32.Sality-73", "target": null }, { "id": "Generic_r.BYW", "display_name": "Generic_r.BYW", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan:Win32/RemcosRAT", "display_name": "Trojan:Win32/RemcosRAT", "target": "/malware/Trojan:Win32/RemcosRAT" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 71387, "domain": 8768, "hostname": 17727, "email": 16, "FileHash-MD5": 195, "FileHash-SHA1": 168, "FileHash-SHA256": 15313, "CVE": 9, "CIDR": 7 }, "indicator_count": 113590, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "770 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c5e50dda752af9eab50933", "name": "Side 3 Studios Pegasus Attack Denver, Co \u2022 SkyNet BotNetwork", "description": "Pegasus abuse by an alleged legal team with the malware hosting DGA domain https://hallrender.com. Related to an ongoing attack by a M.Brian Sabey who has fixated on a non criminal target. It's frightening to see the carelessness of the Cellebrite tool at work. \nAccording to all written accounts Side 3 provides services to Grammy award winning, nominated and aspiring artists. If you're heard of them , they've recorded there. There is evidence of music file transfers possibly, illegally sold to well known artist. This may have been done without knowledge of studio representatives. More likely by a hacker who boldly informed.", "modified": "2024-03-10T08:03:07.690000", "created": "2024-02-09T08:40:45.976000", "tags": [ "malware", "pegasus", "cellbrite", "targets sa", "survivor", "referrer", "contacted urls", "contacted", "whois record", "hr rtd", "execution", "ssl certificate", "communicating", "skynet", "malicious", "csc corporate", "domains", "code", "t services", "date", "saint louis", "server", "registrar abuse", "whois lookups", "tech email", "threat roundup", "july", "march", "june", "files", "august", "phishing", "service", "amadey", "blacknet rat", "roundup", "magecart", "powershell", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "gmt vary", "gmt connection", "link", "studio", "side", "studios", "downtown denver", "colorado", "studios og", "html info", "title denver", "studios meta", "tags og", "hallrender", "mark brian sabey", "tulach", "passive dns", "urls", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "domain", "files ip", "united", "as36646 oath", "unknown", "body doctype", "yahoo title", "x ua", "ieedge chrome1", "possible", "as19137 epsilon", "ipv4", "pulse pulses", "body", "headers nel", "contentencoding", "connection", "access control", "search", "address", "domain robot", "record value", "next", "parking crew", "tracking", "tsara brashears", "targeting", "as20940", "aaaa", "as714 apple", "as16625 akamai", "win32mydoom feb", "name servers", "as6185 apple", "creation date", "trojan", "virtool", "worm", "servers", "expiration date", "moved", "certificate", "showing", "entries" ], "references": [ "adsl-074-168-130-217.sip.pns.bellsouth.net", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://www.cibc.ca/en/personal-banking/bank-accounts/savings-accounts/bonus-savings.htm", "http://iv-u15.com/category/uncensored-leaked [ BitDefender: Porn \u2022 Xcitium: Verdict Cloud illegal software \u2022 Forcepoint: ThreatSeeker adult content]", "Found in: https://side3.com/ \u2022 https://side3.com/wp-json/ \u2022 https://side3.com/wp-json/wp/v2/pages/9 \u2022 https://side3.com/xmlrpc.php \u2022 side3.com \u2022 https://side3.com/wp-content/uploads/2015/07/favicon.ico.gif \u2022 https://www.facebook.com/side3studios", "CnC IP's: 20.103.85.33 \u2022 213.91.128.13 \u2022 74.6.143.25 \u2022 74.6.143.26 \u2022 74.6.231.20 \u2022 74.6.231.21", "https://otx.alienvault.com/indicator/ip/74.6.231.21", "nr-data.net [Apple Private Data Collection]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Tracking. Transactional agreement]", "mail.secure2.store.apple.com [vprsecure.com \u2022 Worm:Win32/Mydoom]" ], "public": 1, "adversary": "NSO GROUP", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3263, "FileHash-MD5": 133, "FileHash-SHA1": 125, "FileHash-SHA256": 2596, "domain": 1168, "hostname": 1877, "CVE": 2, "email": 6 }, "indicator_count": 9170, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "770 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a989843b7acf6d0a79ac", "name": "Qakbot. Again. Today. Pulled from own device. Quasar RAT, Malvertizing", "description": "", "modified": "2023-12-06T17:04:09.133000", "created": "2023-12-06T17:04:09.133000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 290, "FileHash-SHA256": 1478, "hostname": 1047, "URL": 4055, "FileHash-MD5": 89, "FileHash-SHA1": 85, "email": 1, "FilePath": 2, "Mutex": 1, "CIDR": 1 }, "indicator_count": 7051, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a7fc464f9f56ac33a389", "name": "Hidden Users |Injection| Milum Botnet | Tulach Malware | Emotet", "description": "", "modified": "2023-12-06T16:57:32.030000", "created": "2023-12-06T16:57:32.030000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3487, "domain": 3202, "CVE": 5, "FileHash-SHA256": 1943, "URL": 14072, "FileHash-MD5": 70, "FileHash-SHA1": 56 }, "indicator_count": 22835, "is_author": false, "is_subscribing": null, "subscriber_count": 114, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a7e7daf278491d9f9eb4", "name": "Hidden Users |Injection| Milum Botnet | Tulach Malware | Emotet", "description": "", "modified": "2023-12-06T16:57:11.228000", "created": "2023-12-06T16:57:11.228000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3487, "domain": 3202, "CVE": 5, "FileHash-SHA256": 1943, "URL": 14072, "FileHash-MD5": 70, "FileHash-SHA1": 56 }, "indicator_count": 22835, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f205bac4b92f025125962", "name": "Tracker and Botnet campaign - Canto XXVI", "description": "", "modified": "2023-11-19T00:04:57.528000", "created": "2023-10-30T03:17:47.051000", "tags": [ "contacted", "tsara brashears", "whois record", "whois whois", "threat roundup", "december", "execution", "referrer", "pe resource", "remcos", "malware", "quasar", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "awful", "open", "korplug", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "ursnif", "ransomware", "pattern match", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "beginstring", "script", "segoe ui", "null", "error", "unknown", "span", "date", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "hybrid", "general", "click", "strings", "meta", "xiongmao group", "district", "nanjing", "china country", "beijing", "please", "apnic person", "road", "china phone", "whois lookup", "cnnic", "dns replication", "domain", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "type name", "android", "win32 dll", "cyber criminals", "cyber stalking", "cyber warfare", "framing", "tulach.cc", "exploit_source", "scanning_host", "phishing", "adware", "command_and_control", "C2", "technology", "virustotal xn", "technology xn", "rich text", "format po", "jyoti cnc", "detection list", "blacklist", "noname057", "proxy", "prism.exe", "password cracker", "skynet", "malvertizing", "spyware", "colorado", "arizona", "prism command line tool", "keyloggers", "apple", "I'm being followed", "threats", "sha256", "osint", "vmware", "gpt", "nginx", "piracy", "intellectual property", "spammer", "honeypot", "tracker", "tracking campaign", "Botnet campaign" ], "references": [ "114.114.1114.114", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \tketogenic switch , BitcoinAussie", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io BitcoinAussie", "www.sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/Tracker and Botnet campaign", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian password cracker", "a-poster.info [tagging tool]", "https://tulach.cc/ phishing | Proxy | Skynet", "67.227.226.240 command_and_control. [lb01.parklogic.com] Lansing Michigan", "20.99.186.246 exploit_source", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e/652c962002e18b99e20e891a", "1.62.64.108 malware_hosting", "110.249.196.101. malware_hosting", "CVE-2022-26134", "www.anyxxxtube.net prism.exe", "https://www.pornhub.com prism.exe [Massachusetts, US]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 [Colorado, US referenced malvertizing outfit]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 [Colorado, US references]", "https://twitter.com/PORNO_SEXYBABES - Nokoyawa catapult spider", "https://twitter.com/ catapult spider/spider", "nr-data.net Private Apple data collection", "tv.apple.com Apple hacking", "newrelic.se New Update Apple iPhone 199.59.243.222", "0.0.0.0 iplocal=comcast [iplocalpple.com, possibly misconfigured] exploit", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 exploit [You can pair older Samsung watches with an iPhone by downloading the Samsung Galaxy Watch (Gear S) app from the iOS App. Abused remotely?]", "itunes.apple.com. [https:///app/apple-store", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [HappyRabbit]", "a0bc39001c6efcf39dbc6b7684232cce5126dcf0364c37e902714898ec097e94 [apple to windows China ??]", "https://otx.alienvault.com/indicator/url/https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 ? A target on my devices?", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 Another target?", "https://lelosexgame.com/datingsm?ad_campaign_id=3161239&cost=0&creative_id=2032565&external_id=0&keyword=%25KW%25&ref=https://example.com&ref_domain=example.com&server_node=0&source=0", "199.249.230.74 traffic group 78", "https://gpt.ocloo.cn/auth", "vmwarevmc.com", "http://karnalketo.com/sound-found error code 432 server nginx", "http://ww1.karnalketo.com/astroshift-soundtrack-cheat-code-incl-product-key-download-3264bit-latest/ error code 432 server nginx", "64.190.63.136 Malicious. IP: Sedo GmbH", "www.sweetheartvideo.com Tracking and Botnet campaign" ], "public": 1, "adversary": "[Unnamed US Teams and Hacker group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "Colbalt Strike", "display_name": "Colbalt Strike", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Colibri Loader", "display_name": "Colibri Loader", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nokoyawa", "display_name": "Nokoyawa", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Ursnif - S0386", "display_name": "Ursnif - S0386", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Virus:WM/Look", "display_name": "Virus:WM/Look", "target": "/malware/Virus:WM/Look" }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "ketogenic switch", "display_name": "ketogenic switch", "target": null }, { "id": "BitcoinAussie", "display_name": "BitcoinAussie", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "green", "cloned_from": "653323d24f9946946c804be4", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 173, "FileHash-SHA1": 166, "FileHash-SHA256": 2841, "URL": 6670, "CVE": 4, "domain": 684, "hostname": 1930, "CIDR": 2, "email": 3 }, "indicator_count": 12473, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "882 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65580ba704bae549b90948b5", "name": "Tracker and Botnet campaign - Canto XXVI", "description": "", "modified": "2023-11-19T00:04:57.528000", "created": "2023-11-18T00:56:07.651000", "tags": [ "contacted", "tsara brashears", "whois record", "whois whois", "threat roundup", "december", "execution", "referrer", "pe resource", "remcos", "malware", "quasar", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "awful", "open", "korplug", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "ursnif", "ransomware", "pattern match", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "beginstring", "script", "segoe ui", "null", "error", "unknown", "span", "date", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "hybrid", "general", "click", "strings", "meta", "xiongmao group", "district", "nanjing", "china country", "beijing", "please", "apnic person", "road", "china phone", "whois lookup", "cnnic", "dns replication", "domain", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "type name", "android", "win32 dll", "cyber criminals", "cyber stalking", "cyber warfare", "framing", "tulach.cc", "exploit_source", "scanning_host", "phishing", "adware", "command_and_control", "C2", "technology", "virustotal xn", "technology xn", "rich text", "format po", "jyoti cnc", "detection list", "blacklist", "noname057", "proxy", "prism.exe", "password cracker", "skynet", "malvertizing", "spyware", "colorado", "arizona", "prism command line tool", "keyloggers", "apple", "I'm being followed", "threats", "sha256", "osint", "vmware", "gpt", "nginx", "piracy", "intellectual property", "spammer", "honeypot", "tracker", "tracking campaign", "Botnet campaign" ], "references": [ "114.114.1114.114", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \tketogenic switch , BitcoinAussie", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io BitcoinAussie", "www.sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/Tracker and Botnet campaign", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian password cracker", "a-poster.info [tagging tool]", "https://tulach.cc/ phishing | Proxy | Skynet", "67.227.226.240 command_and_control. [lb01.parklogic.com] Lansing Michigan", "20.99.186.246 exploit_source", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e/652c962002e18b99e20e891a", "1.62.64.108 malware_hosting", "110.249.196.101. malware_hosting", "CVE-2022-26134", "www.anyxxxtube.net prism.exe", "https://www.pornhub.com prism.exe [Massachusetts, US]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 [Colorado, US referenced malvertizing outfit]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 [Colorado, US references]", "https://twitter.com/PORNO_SEXYBABES - Nokoyawa catapult spider", "https://twitter.com/ catapult spider/spider", "nr-data.net Private Apple data collection", "tv.apple.com Apple hacking", "newrelic.se New Update Apple iPhone 199.59.243.222", "0.0.0.0 iplocal=comcast [iplocalpple.com, possibly misconfigured] exploit", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 exploit [You can pair older Samsung watches with an iPhone by downloading the Samsung Galaxy Watch (Gear S) app from the iOS App. Abused remotely?]", "itunes.apple.com. [https:///app/apple-store", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [HappyRabbit]", "a0bc39001c6efcf39dbc6b7684232cce5126dcf0364c37e902714898ec097e94 [apple to windows China ??]", "https://otx.alienvault.com/indicator/url/https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 ? A target on my devices?", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 Another target?", "https://lelosexgame.com/datingsm?ad_campaign_id=3161239&cost=0&creative_id=2032565&external_id=0&keyword=%25KW%25&ref=https://example.com&ref_domain=example.com&server_node=0&source=0", "199.249.230.74 traffic group 78", "https://gpt.ocloo.cn/auth", "vmwarevmc.com", "http://karnalketo.com/sound-found error code 432 server nginx", "http://ww1.karnalketo.com/astroshift-soundtrack-cheat-code-incl-product-key-download-3264bit-latest/ error code 432 server nginx", "64.190.63.136 Malicious. IP: Sedo GmbH", "www.sweetheartvideo.com Tracking and Botnet campaign" ], "public": 1, "adversary": "[Unnamed US Teams and Hacker group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "Colbalt Strike", "display_name": "Colbalt Strike", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Colibri Loader", "display_name": "Colibri Loader", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nokoyawa", "display_name": "Nokoyawa", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Ursnif - S0386", "display_name": "Ursnif - S0386", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Virus:WM/Look", "display_name": "Virus:WM/Look", "target": "/malware/Virus:WM/Look" }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "ketogenic switch", "display_name": "ketogenic switch", "target": null }, { "id": "BitcoinAussie", "display_name": "BitcoinAussie", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "green", "cloned_from": "653f1ffb074d89724cb81371", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 173, "FileHash-SHA1": 166, "FileHash-SHA256": 2841, "URL": 6670, "CVE": 4, "domain": 684, "hostname": 1930, "CIDR": 2, "email": 3 }, "indicator_count": 12473, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "882 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f200c20e12f03f749c403", "name": "114.114.114.114 Tracking | Botnet | Malvertizing", "description": "", "modified": "2023-11-19T00:04:57.528000", "created": "2023-10-30T03:16:28.252000", "tags": [ "contacted", "tsara brashears", "whois record", "whois whois", "threat roundup", "december", "execution", "referrer", "pe resource", "remcos", "malware", "quasar", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "awful", "open", "korplug", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "ursnif", "ransomware", "pattern match", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "beginstring", "script", "segoe ui", "null", "error", "unknown", "span", "date", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "hybrid", "general", "click", "strings", "meta", "xiongmao group", "district", "nanjing", "china country", "beijing", "please", "apnic person", "road", "china phone", "whois lookup", "cnnic", "dns replication", "domain", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "type name", "android", "win32 dll", "cyber criminals", "cyber stalking", "cyber warfare", "framing", "tulach.cc", "exploit_source", "scanning_host", "phishing", "adware", "command_and_control", "C2", "technology", "virustotal xn", "technology xn", "rich text", "format po", "jyoti cnc", "detection list", "blacklist", "noname057", "proxy", "prism.exe", "password cracker", "skynet", "malvertizing", "spyware", "colorado", "arizona", "prism command line tool", "keyloggers", "apple", "I'm being followed", "threats", "sha256", "osint", "vmware", "gpt", "nginx", "piracy", "intellectual property", "spammer", "honeypot", "tracker", "tracking campaign", "Botnet campaign" ], "references": [ "114.114.1114.114", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \tketogenic switch , BitcoinAussie", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io BitcoinAussie", "www.sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/Tracker and Botnet campaign", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian password cracker", "a-poster.info [tagging tool]", "https://tulach.cc/ phishing | Proxy | Skynet", "67.227.226.240 command_and_control. [lb01.parklogic.com] Lansing Michigan", "20.99.186.246 exploit_source", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e/652c962002e18b99e20e891a", "1.62.64.108 malware_hosting", "110.249.196.101. malware_hosting", "CVE-2022-26134", "www.anyxxxtube.net prism.exe", "https://www.pornhub.com prism.exe [Massachusetts, US]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 [Colorado, US referenced malvertizing outfit]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 [Colorado, US references]", "https://twitter.com/PORNO_SEXYBABES - Nokoyawa catapult spider", "https://twitter.com/ catapult spider/spider", "nr-data.net Private Apple data collection", "tv.apple.com Apple hacking", "newrelic.se New Update Apple iPhone 199.59.243.222", "0.0.0.0 iplocal=comcast [iplocalpple.com, possibly misconfigured] exploit", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 exploit [You can pair older Samsung watches with an iPhone by downloading the Samsung Galaxy Watch (Gear S) app from the iOS App. Abused remotely?]", "itunes.apple.com. [https:///app/apple-store", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [HappyRabbit]", "a0bc39001c6efcf39dbc6b7684232cce5126dcf0364c37e902714898ec097e94 [apple to windows China ??]", "https://otx.alienvault.com/indicator/url/https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 ? A target on my devices?", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 Another target?", "https://lelosexgame.com/datingsm?ad_campaign_id=3161239&cost=0&creative_id=2032565&external_id=0&keyword=%25KW%25&ref=https://example.com&ref_domain=example.com&server_node=0&source=0", "199.249.230.74 traffic group 78", "https://gpt.ocloo.cn/auth", "vmwarevmc.com", "http://karnalketo.com/sound-found error code 432 server nginx", "http://ww1.karnalketo.com/astroshift-soundtrack-cheat-code-incl-product-key-download-3264bit-latest/ error code 432 server nginx", "64.190.63.136 Malicious. IP: Sedo GmbH", "www.sweetheartvideo.com Tracking and Botnet campaign" ], "public": 1, "adversary": "[Unnamed US Teams and Hacker group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "Colbalt Strike", "display_name": "Colbalt Strike", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Colibri Loader", "display_name": "Colibri Loader", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nokoyawa", "display_name": "Nokoyawa", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Ursnif - S0386", "display_name": "Ursnif - S0386", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Virus:WM/Look", "display_name": "Virus:WM/Look", "target": "/malware/Virus:WM/Look" }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "ketogenic switch", "display_name": "ketogenic switch", "target": null }, { "id": "BitcoinAussie", "display_name": "BitcoinAussie", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "green", "cloned_from": "6533b20cf4ad384a0193c655", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 173, "FileHash-SHA1": 166, "FileHash-SHA256": 2841, "URL": 6670, "CVE": 4, "domain": 684, "hostname": 1930, "CIDR": 2, "email": 3 }, "indicator_count": 12473, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "882 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1ffb074d89724cb81371", "name": "Tracker and Botnet campaign - Canto XXVI", "description": "", "modified": "2023-11-19T00:04:57.528000", "created": "2023-10-30T03:16:11.181000", "tags": [ "contacted", "tsara brashears", "whois record", "whois whois", "threat roundup", "december", "execution", "referrer", "pe resource", "remcos", "malware", "quasar", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "awful", "open", "korplug", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "ursnif", "ransomware", "pattern match", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "beginstring", "script", "segoe ui", "null", "error", "unknown", "span", "date", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "hybrid", "general", "click", "strings", "meta", "xiongmao group", "district", "nanjing", "china country", "beijing", "please", "apnic person", "road", "china phone", "whois lookup", "cnnic", "dns replication", "domain", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "type name", "android", "win32 dll", "cyber criminals", "cyber stalking", "cyber warfare", "framing", "tulach.cc", "exploit_source", "scanning_host", "phishing", "adware", "command_and_control", "C2", "technology", "virustotal xn", "technology xn", "rich text", "format po", "jyoti cnc", "detection list", "blacklist", "noname057", "proxy", "prism.exe", "password cracker", "skynet", "malvertizing", "spyware", "colorado", "arizona", "prism command line tool", "keyloggers", "apple", "I'm being followed", "threats", "sha256", "osint", "vmware", "gpt", "nginx", "piracy", "intellectual property", "spammer", "honeypot", "tracker", "tracking campaign", "Botnet campaign" ], "references": [ "114.114.1114.114", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \tketogenic switch , BitcoinAussie", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io BitcoinAussie", "www.sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/Tracker and Botnet campaign", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian password cracker", "a-poster.info [tagging tool]", "https://tulach.cc/ phishing | Proxy | Skynet", "67.227.226.240 command_and_control. [lb01.parklogic.com] Lansing Michigan", "20.99.186.246 exploit_source", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e/652c962002e18b99e20e891a", "1.62.64.108 malware_hosting", "110.249.196.101. malware_hosting", "CVE-2022-26134", "www.anyxxxtube.net prism.exe", "https://www.pornhub.com prism.exe [Massachusetts, US]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 [Colorado, US referenced malvertizing outfit]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 [Colorado, US references]", "https://twitter.com/PORNO_SEXYBABES - Nokoyawa catapult spider", "https://twitter.com/ catapult spider/spider", "nr-data.net Private Apple data collection", "tv.apple.com Apple hacking", "newrelic.se New Update Apple iPhone 199.59.243.222", "0.0.0.0 iplocal=comcast [iplocalpple.com, possibly misconfigured] exploit", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 exploit [You can pair older Samsung watches with an iPhone by downloading the Samsung Galaxy Watch (Gear S) app from the iOS App. Abused remotely?]", "itunes.apple.com. [https:///app/apple-store", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [HappyRabbit]", "a0bc39001c6efcf39dbc6b7684232cce5126dcf0364c37e902714898ec097e94 [apple to windows China ??]", "https://otx.alienvault.com/indicator/url/https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 ? A target on my devices?", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 Another target?", "https://lelosexgame.com/datingsm?ad_campaign_id=3161239&cost=0&creative_id=2032565&external_id=0&keyword=%25KW%25&ref=https://example.com&ref_domain=example.com&server_node=0&source=0", "199.249.230.74 traffic group 78", "https://gpt.ocloo.cn/auth", "vmwarevmc.com", "http://karnalketo.com/sound-found error code 432 server nginx", "http://ww1.karnalketo.com/astroshift-soundtrack-cheat-code-incl-product-key-download-3264bit-latest/ error code 432 server nginx", "64.190.63.136 Malicious. IP: Sedo GmbH", "www.sweetheartvideo.com Tracking and Botnet campaign" ], "public": 1, "adversary": "[Unnamed US Teams and Hacker group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "Colbalt Strike", "display_name": "Colbalt Strike", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Colibri Loader", "display_name": "Colibri Loader", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nokoyawa", "display_name": "Nokoyawa", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Ursnif - S0386", "display_name": "Ursnif - S0386", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Virus:WM/Look", "display_name": "Virus:WM/Look", "target": "/malware/Virus:WM/Look" }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "ketogenic switch", "display_name": "ketogenic switch", "target": null }, { "id": "BitcoinAussie", "display_name": "BitcoinAussie", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "green", "cloned_from": "653323de61317f6ca7a3e875", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 173, "FileHash-SHA1": 166, "FileHash-SHA256": 2841, "URL": 6670, "CVE": 4, "domain": 684, "hostname": 1930, "CIDR": 2, "email": 3 }, "indicator_count": 12473, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "882 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6533b20cf4ad384a0193c655", "name": "114.114.114.114 Tracking | Botnet | Malvertizing ", "description": "", "modified": "2023-11-19T00:04:57.528000", "created": "2023-10-21T11:12:12.005000", "tags": [ "contacted", "tsara brashears", "whois record", "whois whois", "threat roundup", "december", "execution", "referrer", "pe resource", "remcos", "malware", "quasar", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "awful", "open", "korplug", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "ursnif", "ransomware", "pattern match", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "beginstring", "script", "segoe ui", "null", "error", "unknown", "span", "date", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "hybrid", "general", "click", "strings", "meta", "xiongmao group", "district", "nanjing", "china country", "beijing", "please", "apnic person", "road", "china phone", "whois lookup", "cnnic", "dns replication", "domain", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "type name", "android", "win32 dll", "cyber criminals", "cyber stalking", "cyber warfare", "framing", "tulach.cc", "exploit_source", "scanning_host", "phishing", "adware", "command_and_control", "C2", "technology", "virustotal xn", "technology xn", "rich text", "format po", "jyoti cnc", "detection list", "blacklist", "noname057", "proxy", "prism.exe", "password cracker", "skynet", "malvertizing", "spyware", "colorado", "arizona", "prism command line tool", "keyloggers", "apple", "I'm being followed", "threats", "sha256", "osint", "vmware", "gpt", "nginx", "piracy", "intellectual property", "spammer", "honeypot", "tracker", "tracking campaign", "Botnet campaign" ], "references": [ "114.114.1114.114", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \tketogenic switch , BitcoinAussie", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io BitcoinAussie", "www.sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/Tracker and Botnet campaign", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian password cracker", "a-poster.info [tagging tool]", "https://tulach.cc/ phishing | Proxy | Skynet", "67.227.226.240 command_and_control. [lb01.parklogic.com] Lansing Michigan", "20.99.186.246 exploit_source", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e/652c962002e18b99e20e891a", "1.62.64.108 malware_hosting", "110.249.196.101. malware_hosting", "CVE-2022-26134", "www.anyxxxtube.net prism.exe", "https://www.pornhub.com prism.exe [Massachusetts, US]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 [Colorado, US referenced malvertizing outfit]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 [Colorado, US references]", "https://twitter.com/PORNO_SEXYBABES - Nokoyawa catapult spider", "https://twitter.com/ catapult spider/spider", "nr-data.net Private Apple data collection", "tv.apple.com Apple hacking", "newrelic.se New Update Apple iPhone 199.59.243.222", "0.0.0.0 iplocal=comcast [iplocalpple.com, possibly misconfigured] exploit", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 exploit [You can pair older Samsung watches with an iPhone by downloading the Samsung Galaxy Watch (Gear S) app from the iOS App. Abused remotely?]", "itunes.apple.com. [https:///app/apple-store", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [HappyRabbit]", "a0bc39001c6efcf39dbc6b7684232cce5126dcf0364c37e902714898ec097e94 [apple to windows China ??]", "https://otx.alienvault.com/indicator/url/https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 ? A target on my devices?", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 Another target?", "https://lelosexgame.com/datingsm?ad_campaign_id=3161239&cost=0&creative_id=2032565&external_id=0&keyword=%25KW%25&ref=https://example.com&ref_domain=example.com&server_node=0&source=0", "199.249.230.74 traffic group 78", "https://gpt.ocloo.cn/auth", "vmwarevmc.com", "http://karnalketo.com/sound-found error code 432 server nginx", "http://ww1.karnalketo.com/astroshift-soundtrack-cheat-code-incl-product-key-download-3264bit-latest/ error code 432 server nginx", "64.190.63.136 Malicious. IP: Sedo GmbH", "www.sweetheartvideo.com Tracking and Botnet campaign" ], "public": 1, "adversary": "[Unnamed US Teams and Hacker group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "Colbalt Strike", "display_name": "Colbalt Strike", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Colibri Loader", "display_name": "Colibri Loader", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nokoyawa", "display_name": "Nokoyawa", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Ursnif - S0386", "display_name": "Ursnif - S0386", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Virus:WM/Look", "display_name": "Virus:WM/Look", "target": "/malware/Virus:WM/Look" }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "ketogenic switch", "display_name": "ketogenic switch", "target": null }, { "id": "BitcoinAussie", "display_name": "BitcoinAussie", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "green", "cloned_from": "653323d24f9946946c804be4", "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 173, "FileHash-SHA1": 166, "FileHash-SHA256": 2841, "URL": 6670, "CVE": 4, "domain": 684, "hostname": 1930, "CIDR": 2, "email": 3 }, "indicator_count": 12473, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "882 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653323de61317f6ca7a3e875", "name": "Tracker and Botnet campaign - Canto XXVI", "description": "Sounds crazy made up. This is an expensive campaign. Talented, lost individuals.\nI'm naming this campaign.\n'Canto XXVI' Bolgia 8 \u2013 Counsellors of Fraud\nThat's where they'll return.", "modified": "2023-11-19T00:04:57.528000", "created": "2023-10-21T01:05:34.166000", "tags": [ "contacted", "tsara brashears", "whois record", "whois whois", "threat roundup", "december", "execution", "referrer", "pe resource", "remcos", "malware", "quasar", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "awful", "open", "korplug", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "ursnif", "ransomware", "pattern match", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "beginstring", "script", "segoe ui", "null", "error", "unknown", "span", "date", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "hybrid", "general", "click", "strings", "meta", "xiongmao group", "district", "nanjing", "china country", "beijing", "please", "apnic person", "road", "china phone", "whois lookup", "cnnic", "dns replication", "domain", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "type name", "android", "win32 dll", "cyber criminals", "cyber stalking", "cyber warfare", "framing", "tulach.cc", "exploit_source", "scanning_host", "phishing", "adware", "command_and_control", "C2", "technology", "virustotal xn", "technology xn", "rich text", "format po", "jyoti cnc", "detection list", "blacklist", "noname057", "proxy", "prism.exe", "password cracker", "skynet", "malvertizing", "spyware", "colorado", "arizona", "prism command line tool", "keyloggers", "apple", "I'm being followed", "threats", "sha256", "osint", "vmware", "gpt", "nginx", "piracy", "intellectual property", "spammer", "honeypot", "tracker", "tracking campaign", "Botnet campaign" ], "references": [ "114.114.1114.114", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \tketogenic switch , BitcoinAussie", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io BitcoinAussie", "www.sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/Tracker and Botnet campaign", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian password cracker", "a-poster.info [tagging tool]", "https://tulach.cc/ phishing | Proxy | Skynet", "67.227.226.240 command_and_control. [lb01.parklogic.com] Lansing Michigan", "20.99.186.246 exploit_source", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e/652c962002e18b99e20e891a", "1.62.64.108 malware_hosting", "110.249.196.101. malware_hosting", "CVE-2022-26134", "www.anyxxxtube.net prism.exe", "https://www.pornhub.com prism.exe [Massachusetts, US]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 [Colorado, US referenced malvertizing outfit]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 [Colorado, US references]", "https://twitter.com/PORNO_SEXYBABES - Nokoyawa catapult spider", "https://twitter.com/ catapult spider/spider", "nr-data.net Private Apple data collection", "tv.apple.com Apple hacking", "newrelic.se New Update Apple iPhone 199.59.243.222", "0.0.0.0 iplocal=comcast [iplocalpple.com, possibly misconfigured] exploit", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 exploit [You can pair older Samsung watches with an iPhone by downloading the Samsung Galaxy Watch (Gear S) app from the iOS App. Abused remotely?]", "itunes.apple.com. [https:///app/apple-store", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [HappyRabbit]", "a0bc39001c6efcf39dbc6b7684232cce5126dcf0364c37e902714898ec097e94 [apple to windows China ??]", "https://otx.alienvault.com/indicator/url/https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 ? A target on my devices?", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 Another target?", "https://lelosexgame.com/datingsm?ad_campaign_id=3161239&cost=0&creative_id=2032565&external_id=0&keyword=%25KW%25&ref=https://example.com&ref_domain=example.com&server_node=0&source=0", "199.249.230.74 traffic group 78", "https://gpt.ocloo.cn/auth", "vmwarevmc.com", "http://karnalketo.com/sound-found error code 432 server nginx", "http://ww1.karnalketo.com/astroshift-soundtrack-cheat-code-incl-product-key-download-3264bit-latest/ error code 432 server nginx", "64.190.63.136 Malicious. IP: Sedo GmbH", "www.sweetheartvideo.com Tracking and Botnet campaign" ], "public": 1, "adversary": "[Unnamed US Teams and Hacker group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "Colbalt Strike", "display_name": "Colbalt Strike", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Colibri Loader", "display_name": "Colibri Loader", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nokoyawa", "display_name": "Nokoyawa", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Ursnif - S0386", "display_name": "Ursnif - S0386", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Virus:WM/Look", "display_name": "Virus:WM/Look", "target": "/malware/Virus:WM/Look" }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "ketogenic switch", "display_name": "ketogenic switch", "target": null }, { "id": "BitcoinAussie", "display_name": "BitcoinAussie", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 173, "FileHash-SHA1": 166, "FileHash-SHA256": 2841, "URL": 6670, "CVE": 4, "domain": 684, "hostname": 1930, "CIDR": 2, "email": 3 }, "indicator_count": 12473, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "882 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653323d24f9946946c804be4", "name": "Tracker and Botnet campaign - Canto XXVI", "description": "Sounds crazy made up. This is an expensive campaign. Talented, lost individuals.\nI'm naming this campaign.\n'Canto XXVI' Bolgia 8 \u2013 Counsellors of Fraud\nThat's where they'll return.", "modified": "2023-11-19T00:04:57.528000", "created": "2023-10-21T01:05:22.903000", "tags": [ "contacted", "tsara brashears", "whois record", "whois whois", "threat roundup", "december", "execution", "referrer", "pe resource", "remcos", "malware", "quasar", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "awful", "open", "korplug", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "ursnif", "ransomware", "pattern match", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "beginstring", "script", "segoe ui", "null", "error", "unknown", "span", "date", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "hybrid", "general", "click", "strings", "meta", "xiongmao group", "district", "nanjing", "china country", "beijing", "please", "apnic person", "road", "china phone", "whois lookup", "cnnic", "dns replication", "domain", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "type name", "android", "win32 dll", "cyber criminals", "cyber stalking", "cyber warfare", "framing", "tulach.cc", "exploit_source", "scanning_host", "phishing", "adware", "command_and_control", "C2", "technology", "virustotal xn", "technology xn", "rich text", "format po", "jyoti cnc", "detection list", "blacklist", "noname057", "proxy", "prism.exe", "password cracker", "skynet", "malvertizing", "spyware", "colorado", "arizona", "prism command line tool", "keyloggers", "apple", "I'm being followed", "threats", "sha256", "osint", "vmware", "gpt", "nginx", "piracy", "intellectual property", "spammer", "honeypot", "tracker", "tracking campaign", "Botnet campaign" ], "references": [ "114.114.1114.114", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \tketogenic switch , BitcoinAussie", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io BitcoinAussie", "www.sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/Tracker and Botnet campaign", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian password cracker", "a-poster.info [tagging tool]", "https://tulach.cc/ phishing | Proxy | Skynet", "67.227.226.240 command_and_control. [lb01.parklogic.com] Lansing Michigan", "20.99.186.246 exploit_source", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e/652c962002e18b99e20e891a", "1.62.64.108 malware_hosting", "110.249.196.101. malware_hosting", "CVE-2022-26134", "www.anyxxxtube.net prism.exe", "https://www.pornhub.com prism.exe [Massachusetts, US]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 [Colorado, US referenced malvertizing outfit]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 [Colorado, US references]", "https://twitter.com/PORNO_SEXYBABES - Nokoyawa catapult spider", "https://twitter.com/ catapult spider/spider", "nr-data.net Private Apple data collection", "tv.apple.com Apple hacking", "newrelic.se New Update Apple iPhone 199.59.243.222", "0.0.0.0 iplocal=comcast [iplocalpple.com, possibly misconfigured] exploit", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 exploit [You can pair older Samsung watches with an iPhone by downloading the Samsung Galaxy Watch (Gear S) app from the iOS App. Abused remotely?]", "itunes.apple.com. [https:///app/apple-store", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [HappyRabbit]", "a0bc39001c6efcf39dbc6b7684232cce5126dcf0364c37e902714898ec097e94 [apple to windows China ??]", "https://otx.alienvault.com/indicator/url/https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 ? A target on my devices?", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 Another target?", "https://lelosexgame.com/datingsm?ad_campaign_id=3161239&cost=0&creative_id=2032565&external_id=0&keyword=%25KW%25&ref=https://example.com&ref_domain=example.com&server_node=0&source=0", "199.249.230.74 traffic group 78", "https://gpt.ocloo.cn/auth", "vmwarevmc.com", "http://karnalketo.com/sound-found error code 432 server nginx", "http://ww1.karnalketo.com/astroshift-soundtrack-cheat-code-incl-product-key-download-3264bit-latest/ error code 432 server nginx", "64.190.63.136 Malicious. IP: Sedo GmbH", "www.sweetheartvideo.com Tracking and Botnet campaign" ], "public": 1, "adversary": "[Unnamed US Teams and Hacker group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "Colbalt Strike", "display_name": "Colbalt Strike", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Colibri Loader", "display_name": "Colibri Loader", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nokoyawa", "display_name": "Nokoyawa", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Ursnif - S0386", "display_name": "Ursnif - S0386", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Virus:WM/Look", "display_name": "Virus:WM/Look", "target": "/malware/Virus:WM/Look" }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "ketogenic switch", "display_name": "ketogenic switch", "target": null }, { "id": "BitcoinAussie", "display_name": "BitcoinAussie", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 173, "FileHash-SHA1": 166, "FileHash-SHA256": 2841, "URL": 6670, "CVE": 4, "domain": 684, "hostname": 1930, "CIDR": 2, "email": 3 }, "indicator_count": 12473, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "882 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65331eeded285a25c31d63a4", "name": "Tracking and Botnet campaign", "description": "US attackers making an exit by dumping to my devices & spreading to various other unsuspecting?\nRevenge for researching? Dumping to make it hard to implicate a single source. \nDump of Tsara Brashears and other adult content , malvertizing by a cyber stalker campaigners. As reported previously, entered my device and took control. Evidence pulled from a device while attack in progress. Device read Michigan, shopping, advertising, news, etc. Location not associated with any failed privacy controls on devices listing other locations.\nI listed a few IOC's Dumped to device in references. \nDump was continuous. Device modification for storage, new systems interface created upon device update. Moderete byte load per minute. Example 227 KB per minute. Prism command line tool\nChina foolish enough to implicate themselves for unclear crimes against American citizens? If an alleged crime against a target was allegedly committed in US someone is silencing her big time. There are a few other names as well. Targets?", "modified": "2023-11-19T00:04:57.528000", "created": "2023-10-21T00:44:29.344000", "tags": [ "contacted", "tsara brashears", "whois record", "whois whois", "threat roundup", "december", "execution", "referrer", "pe resource", "remcos", "malware", "quasar", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "awful", "open", "korplug", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "ursnif", "ransomware", "pattern match", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "beginstring", "script", "segoe ui", "null", "error", "unknown", "span", "date", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "hybrid", "general", "click", "strings", "meta", "xiongmao group", "district", "nanjing", "china country", "beijing", "please", "apnic person", "road", "china phone", "whois lookup", "cnnic", "dns replication", "domain", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "type name", "android", "win32 dll", "cyber criminals", "cyber stalking", "cyber warfare", "framing", "tulach.cc", "exploit_source", "scanning_host", "phishing", "adware", "command_and_control", "C2", "technology", "virustotal xn", "technology xn", "rich text", "format po", "jyoti cnc", "detection list", "blacklist", "noname057", "proxy", "prism.exe", "password cracker", "skynet", "malvertizing", "spyware", "colorado", "arizona", "prism command line tool", "keyloggers", "apple", "I'm being followed", "threats", "sha256", "osint", "vmware", "gpt", "nginx", "piracy", "intellectual property", "spammer", "honeypot", "tracker", "tracking campaign", "Botnet campaign" ], "references": [ "114.114.1114.114", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \tketogenic switch , BitcoinAussie", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io BitcoinAussie", "www.sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/Tracker and Botnet campaign", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian password cracker", "a-poster.info [tagging tool]", "https://tulach.cc/ phishing | Proxy | Skynet", "67.227.226.240 command_and_control. [lb01.parklogic.com] Lansing Michigan", "20.99.186.246 exploit_source", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e/652c962002e18b99e20e891a", "1.62.64.108 malware_hosting", "110.249.196.101. malware_hosting", "CVE-2022-26134", "www.anyxxxtube.net prism.exe", "https://www.pornhub.com prism.exe [Massachusetts, US]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 [Colorado, US referenced malvertizing outfit]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 [Colorado, US references]", "https://twitter.com/PORNO_SEXYBABES - Nokoyawa catapult spider", "https://twitter.com/ catapult spider/spider", "nr-data.net Private Apple data collection", "tv.apple.com Apple hacking", "newrelic.se New Update Apple iPhone 199.59.243.222", "0.0.0.0 iplocal=comcast [iplocalpple.com, possibly misconfigured] exploit", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 exploit [You can pair older Samsung watches with an iPhone by downloading the Samsung Galaxy Watch (Gear S) app from the iOS App. Abused remotely?]", "itunes.apple.com. [https:///app/apple-store", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [HappyRabbit]", "a0bc39001c6efcf39dbc6b7684232cce5126dcf0364c37e902714898ec097e94 [apple to windows China ??]", "https://otx.alienvault.com/indicator/url/https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 ? A target on my devices?", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 Another target?", "https://lelosexgame.com/datingsm?ad_campaign_id=3161239&cost=0&creative_id=2032565&external_id=0&keyword=%25KW%25&ref=https://example.com&ref_domain=example.com&server_node=0&source=0", "199.249.230.74 traffic group 78", "https://gpt.ocloo.cn/auth", "vmwarevmc.com", "http://karnalketo.com/sound-found error code 432 server nginx", "http://ww1.karnalketo.com/astroshift-soundtrack-cheat-code-incl-product-key-download-3264bit-latest/ error code 432 server nginx", "64.190.63.136 Malicious. IP: Sedo GmbH", "www.sweetheartvideo.com Tracking and Botnet campaign" ], "public": 1, "adversary": "[Unnamed US Teams and Hacker group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "Colbalt Strike", "display_name": "Colbalt Strike", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Colibri Loader", "display_name": "Colibri Loader", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nokoyawa", "display_name": "Nokoyawa", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Ursnif - S0386", "display_name": "Ursnif - S0386", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Virus:WM/Look", "display_name": "Virus:WM/Look", "target": "/malware/Virus:WM/Look" }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "ketogenic switch", "display_name": "ketogenic switch", "target": null }, { "id": "BitcoinAussie", "display_name": "BitcoinAussie", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 173, "FileHash-SHA1": 166, "FileHash-SHA256": 2841, "URL": 6670, "CVE": 4, "domain": 684, "hostname": 1930, "CIDR": 2, "email": 3 }, "indicator_count": 12473, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "882 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652cc4de6aa3848c3722e9a6", "name": "Qakbot. Again. Today. Pulled from own device. Quasar RAT, Malvertizing", "description": "Serious concerns. Approached, threatened & told no cyber tool or literature would help me by a stranger in public place seconds after a male demanded to know if I had a SQL book or knowledge, asked for phone #, a date , to buy only 2 books and come with him? WHAT? He really wanted my number not me. he got so close to, I thought he had a wearable hacktool device. Ongoing. I realized dumping when I typed, the letter T only for another search term, results = Tsara Brashears dead? Clean search browser history. No Auto DL file titled: government Qbot Qakbot?! I couldn't open it. Last night I got a free unauthorized penetration test, apps, awful attack. Adult content dumping from listed in references. . I don't attack is China based despite server locations.. It's too easy to appear to be attacking from another country. Can't make it up. Ongoing long. Major disruption. Issue predates research.", "modified": "2023-11-15T01:03:46.666000", "created": "2023-10-16T05:06:38.412000", "tags": [ "whois record", "tsara brashears", "contacted", "threat roundup", "whois whois", "remcos", "iocs", "cyberstalking", "cry kill", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "malware", "awful", "open", "korplug", "execution", "pe resource", "referrer", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "quasar", "ursnif", "name verdict", "falcon sandbox", "sha256", "size", "sha1", "show process", "runtime process", "unicode", "crlf line", "ascii text", "mitre att", "type data", "hybrid", "general", "local", "path", "click", "strings", "nanjing xinfeng", "xiongmao group", "road descr", "district", "nanjing", "jiangsu", "china country", "apnic irt", "beijing", "china email", "copy md5", "copy sha1", "copy sha256", "AMERICA", "threat", "cyber criminal", "teams", "bounce", "Please Stop \u2205", "eminent threat", "Apple", "Android", "adversarial", "injection", "Tulach.cc malware", "scanning_host", "exploit_source", "ransomware" ], "references": [ "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e", "114.114.114.114", "http://login.live.com/oauth20_remoteconnect.srf", "a-poster.info", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "[Unnamed Teams Hacking Group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Wanna Cry Kill Switch", "display_name": "Wanna Cry Kill Switch", "target": null }, { "id": "RansomEXX (Windows)", "display_name": "RansomEXX (Windows)", "target": null }, { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4055, "FileHash-MD5": 89, "FileHash-SHA1": 85, "FileHash-SHA256": 1478, "domain": 290, "hostname": 1047, "FilePath": 2, "Mutex": 1, "CVE": 2, "CIDR": 1, "email": 1 }, "indicator_count": 7051, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "886 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652044fb2f28d46e91d29160", "name": "Hidden Users |Injection| Milum Botnet | Tulach Malware | Emotet", "description": "Packed. Miscellaneous Attacks. Hidden Users \nTarget: tsara brashears", "modified": "2023-11-05T14:05:48.545000", "created": "2023-10-06T17:33:47.403000", "tags": [ "ssl certificate", "whois whois", "iocs", "milum botnet", "army", "isp stuff", "whois record", "travel stuff", "misp", "threat roundup", "july", "apple", "password", "apple ios", "whois", "emotet", "powershell", "hacktool", "crypto", "pornhub", "tulach", "tsara", "camera", "connect", "tsara brashears", "brashears", "scanning_host", "trojan", "phishing", "afro", "june", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "http traffic", "suricata alerts", "event category", "description sid", "websma", "webabo", "cisco umbrella", "site", "safe site", "alexa top", "million", "malware", "alexa", "heur", "malicious site", "malicious url", "unsafe", "agent", "phishing", "riskware", "bank", "iframe", "downldr", "presenoker", "artemis", "genkryptik", "fuery", "wacatac", "azorult", "service", "runescape", "facebook", "download", "union", "team", "opencandy", "exploit", "mimikatz", "blacklist https", "a1mara" ], "references": [ "https://qvdcz.farmersdaughtersvirginia.com/sharecamera-search/19857150", "Research and Data Analysis", "https://www.hybrid-analysis.com/sample/9b6b166a36b69e296ba3516cfe2d1feb7945289b1583f71329f34d9a649c94d8" ], "public": 1, "adversary": "Tulach", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14072, "FileHash-MD5": 70, "FileHash-SHA1": 56, "FileHash-SHA256": 1943, "domain": 3202, "hostname": 3487, "CVE": 5 }, "indicator_count": 22835, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "896 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1df9a7da086561b9897f", "name": "Hidden Users |Injection| Milum Botnet | Tulach Malware | Emotet", "description": "", "modified": "2023-11-05T14:05:48.545000", "created": "2023-10-30T03:07:37.963000", "tags": [ "ssl certificate", "whois whois", "iocs", "milum botnet", "army", "isp stuff", "whois record", "travel stuff", "misp", "threat roundup", "july", "apple", "password", "apple ios", "whois", "emotet", "powershell", "hacktool", "crypto", "pornhub", "tulach", "tsara", "camera", "connect", "tsara brashears", "brashears", "scanning_host", "trojan", "phishing", "afro", "june", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "http traffic", "suricata alerts", "event category", "description sid", "websma", "webabo", "cisco umbrella", "site", "safe site", "alexa top", "million", "malware", "alexa", "heur", "malicious site", "malicious url", "unsafe", "agent", "phishing", "riskware", "bank", "iframe", "downldr", "presenoker", "artemis", "genkryptik", "fuery", "wacatac", "azorult", "service", "runescape", "facebook", "download", "union", "team", "opencandy", "exploit", "mimikatz", "blacklist https", "a1mara" ], "references": [ "https://qvdcz.farmersdaughtersvirginia.com/sharecamera-search/19857150", "Research and Data Analysis", "https://www.hybrid-analysis.com/sample/9b6b166a36b69e296ba3516cfe2d1feb7945289b1583f71329f34d9a649c94d8" ], "public": 1, "adversary": "Tulach", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" } ], "industries": [], "TLP": "white", "cloned_from": "65204565ac1e8bce4de26df3", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14072, "FileHash-MD5": 70, "FileHash-SHA1": 56, "FileHash-SHA256": 1943, "domain": 3202, "hostname": 3487, "CVE": 5 }, "indicator_count": 22835, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "896 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65204565ac1e8bce4de26df3", "name": "Hidden Users |Injection| Milum Botnet | Tulach Malware | Emotet", "description": "Packed. Miscellaneous Attacks. Hidden Users \nTarget: tsara brashears", "modified": "2023-11-05T14:05:48.545000", "created": "2023-10-06T17:35:33.618000", "tags": [ "ssl certificate", "whois whois", "iocs", "milum botnet", "army", "isp stuff", "whois record", "travel stuff", "misp", "threat roundup", "july", "apple", "password", "apple ios", "whois", "emotet", "powershell", "hacktool", "crypto", "pornhub", "tulach", "tsara", "camera", "connect", "tsara brashears", "brashears", "scanning_host", "trojan", "phishing", "afro", "june", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "http traffic", "suricata alerts", "event category", "description sid", "websma", "webabo", "cisco umbrella", "site", "safe site", "alexa top", "million", "malware", "alexa", "heur", "malicious site", "malicious url", "unsafe", "agent", "phishing", "riskware", "bank", "iframe", "downldr", "presenoker", "artemis", "genkryptik", "fuery", "wacatac", "azorult", "service", "runescape", "facebook", "download", "union", "team", "opencandy", "exploit", "mimikatz", "blacklist https", "a1mara" ], "references": [ "https://qvdcz.farmersdaughtersvirginia.com/sharecamera-search/19857150", "Research and Data Analysis", "https://www.hybrid-analysis.com/sample/9b6b166a36b69e296ba3516cfe2d1feb7945289b1583f71329f34d9a649c94d8" ], "public": 1, "adversary": "Tulach", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1070.003", "name": "Clear Command History", "display_name": "T1070.003 - Clear Command History" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14072, "FileHash-MD5": 70, "FileHash-SHA1": 56, "FileHash-SHA256": 1943, "domain": 3202, "hostname": 3487, "CVE": 5 }, "indicator_count": 22835, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "896 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "videolal.com [Exploitation for privilege - Turns victim into target then spys, smears, embeds pornography in devices]", "https://otx.alienvault.com/pulse/65418472eb20b10ee5510fde", "video-lal.com/videos/sandra-richter-video.html", "303 Status. Ide redirect from: https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "CVE-2022-26134", "www.sweetheartvideo.com", "ww12.indianpornxxxtube.com", "http://login.live.com/oauth20_remoteconnect.srf", "1.62.64.108 malware_hosting", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "https://twitter.com/ catapult spider/spider", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png | www.hallrender.com | rexxfield.com", "vmwarevmc.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://opensource.apple.com/source/security_certificates/", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe \u2022", "wallpapers-nature.com", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "Brashears smear: video-lal.com/videos/tsara-brashears-dead-by-daylight.html", "Unclear given names authentic. Michael Roberts, Darren Mitchell Meade , M. Brian Sabey could be used interchangeably. Black hats w/pseudonyms.", "http://usb.smithtech.us/projects/downloads/\u2022 http://usb.smithtech.us/projects/downloads/psu.exe \u2022 smithsthermopadtool.com", "https://otx.alienvault.com/pulse/65a342310ab3d2c69778d608", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 exploit [You can pair older Samsung watches with an iPhone by downloading the Samsung Galaxy Watch (Gear S) app from the iOS App. Abused remotely?]", "https://www.sweetheartvideo.com/tsara-brashears/", "http://mobilesmafia.com/applications/botnet.ex", "https://otx.alienvault.com/pulse/64d65255c80d866add600bac", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io BitcoinAussie", "20.99.186.246 exploit_source", "nr-data.net [Apple Private Data Collection]", "a-poster.info", "CnC IP's: 20.103.85.33 \u2022 213.91.128.13 \u2022 74.6.143.25 \u2022 74.6.143.26 \u2022 74.6.231.20 \u2022 74.6.231.21", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "mail.secure2.store.apple.com [vprsecure.com \u2022 Worm:Win32/Mydoom]", "https://qvdcz.farmersdaughtersvirginia.com/sharecamera-search/19857150", "https://otx.alienvault.com/pulse/64d018ee4623e8fcd386c2e1", "nr-data.net Private Apple data collection", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e/652c962002e18b99e20e891a", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "https://otx.alienvault.com/pulse/65204565ac1e8bce4de26df3", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 Another target?", "Refuses to remove target from adult content \"tagging\"", "http://ww1.karnalketo.com/astroshift-soundtrack-cheat-code-incl-product-key-download-3264bit-latest/ error code 432 server nginx", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [HappyRabbit]", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "114.114.114.114", "https://opensource.apple.com/source/security_certificates/security_certificates-2/roots/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian password cracker", "https://twitter.com/PORNO_SEXYBABES - Nokoyawa catapult spider", "www.sweetheartvideo.com Tracking and Botnet campaign", "114.114.1114.114", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "adsl-074-168-130-217.sip.pns.bellsouth.net", "newrelic.se New Update Apple iPhone 199.59.243.222", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "https://crt.sh/?q=videolal.com", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:", "Research and Data Analysis", "67.227.226.240 command_and_control. [lb01.parklogic.com] Lansing Michigan", "itunes.apple.com. [https:///app/apple-store", "servicer.mgid.com \u2022 http://iv-u15.com/imbd-104-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-\u00e5\u00a4\u008f\u00e5\u00b0\u2018\u00e5\u00a5\u00b3-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-blu-ray \u2022 https://load77.exelator.com/pixel.gif", "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://www.hallrender.com/attorney/brian-sabey", "https://opensource.apple.com/source/security_certificates/security_certificates-2/Makefile.auto.html", "0-w5-cms.ultimate-guitar.com", "Sabey: https://www.google.com/search?q=tsara+brashears&client=ms-android-tmus-us-rvc3&sca_esv=52c806ab62ec5c59&cs=1&prmd=inv&filter=0&biw=347&bih=710&dpr=2.08#ip=1", "http://secure.applegiftcard.com \u2022 199.59.243.224: http://tx-p2p-pull.video-voip.com.dorm.com \u2022 199.59.243.224: http://wpad.dorm.com", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "https://crt.sh/?spkisha256=2c5ef644a15ed2d591aee707a125b2870da480a0bc16d78022a311c93aca5b15", "a-poster.info [tagging tool]", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "pornhub.org", "http://karnalketo.com/sound-found error code 432 server nginx", "https://crt.sh/?graph=410492573&opt=nometadata", "brain-portal.net", "https://otx.alienvault.com/indicator/url/https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 ? A target on my devices?", "http://tx-p2p-pull.video-voip.com.dorm.com/Accept-Language", "https://www.cibc.ca/en/personal-banking/bank-accounts/savings-accounts/bonus-savings.htm", "0.0.0.0 iplocal=comcast [iplocalpple.com, possibly misconfigured] exploit", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Possibly false names given by individual involved. Brian Sabey Hall Render | Michael Roberts Rexxfield | Darren Meade former partner of Roberts", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Tracey Richter smear: video-lal.com/video/fbcwPGTSo5lrA7e/tracey-richter-documentary?cpc=no", "tv.apple.com Apple hacking", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "a0bc39001c6efcf39dbc6b7684232cce5126dcf0364c37e902714898ec097e94 [apple to windows China ??]", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/michael.pbxuser.auto.html", "Darren Meade: https://urlscan.io/result/e5f1d6fe-036e-4291-8595-0a33e5dacba5/#behaviour \u2022 alleged partner turned enemy of Michael Roberts", "Smith tech may refer to Det. Ben Smith. HallRender; a media company, producing nonsensical, albeit convincing evidence of deeply fake content.", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "http://www.hallrender.com/attorney/brian-sabey |", "Tracey Richter smear: video-lal.com/videos/diabolical-sentencing.html", "https://www.sweetheartvideo.com/tsara-brashears/Tracker and Botnet campaign", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://usb.smithtech.us \u2022 http://usb.smithtech.us/apps/downloads/NSISPortable.exe \u2022 http://usb.smithtech.us/apps/downloads/xplorer2.lite.portable.exe", "Responsible reopening Richter case via alleged Detective Ben Smith | Names Below linked to porn spewing Videolan , Videolal, Video-lal (Honeypots?) |", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \tketogenic switch , BitcoinAussie", "Crazy: video-lal.com/videos/michael-roberts.html", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe | smithsthermopadtool.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Found in: https://Side3.com/", "199.249.230.74 traffic group 78", "https://tulach.cc/ phishing | Proxy | Skynet", "https://lelosexgame.com/datingsm?ad_campaign_id=3161239&cost=0&creative_id=2032565&external_id=0&keyword=%25KW%25&ref=https://example.com&ref_domain=example.com&server_node=0&source=0", "https://www.hybrid-analysis.com/sample/9b6b166a36b69e296ba3516cfe2d1feb7945289b1583f71329f34d9a649c94d8", "Denver Attorney Frank Azar Smear: video-lal.com/videos/sherryce-emery-frank-azar-&-associates.html", "videolal.com was first found hosted : https://rexxfield.com/ | https://crt.sh/?id=410492573 | https://crt.sh/?id=411260982", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Tracey Richter smear: video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "Malware hosting: http://videolan.mirror.triple-it.nl/vlc-android/3.0.4/VLC-Android-3.0.4-ARMv7.apk", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/project.pbxproj.auto.html", "64.190.63.136 Malicious. IP: Sedo GmbH", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "https://urlscan.io/screenshots/e40cd846-7c34-45a5-9f79-fea139f5b1ee.png", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "https://otx.alienvault.com/indicator/ip/74.6.231.21", "notonmytrack.info \u2022 http://notonmytrack.info \u2022 https://pochta-rf.ru/track74157857 \u2022 patch-tracker.gnewsense.org \u2022 mysql.snore.co", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.pornhub.com prism.exe [Massachusetts, US]", "https://gpt.ocloo.cn/auth", "http://iv-u15.com/category/uncensored-leaked [ BitDefender: Porn \u2022 Xcitium: Verdict Cloud illegal software \u2022 Forcepoint: ThreatSeeker adult content]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 [Colorado, US referenced malvertizing outfit]", "Found in: https://side3.com/ \u2022 https://side3.com/wp-json/ \u2022 https://side3.com/wp-json/wp/v2/pages/9 \u2022 https://side3.com/xmlrpc.php \u2022 side3.com \u2022 https://side3.com/wp-content/uploads/2015/07/favicon.ico.gif \u2022 https://www.facebook.com/side3studios", "110.249.196.101. malware_hosting", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Tracking. Transactional agreement]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 [Colorado, US references]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "www.anyxxxtube.net prism.exe", "Tracey Richter smear included Brashears: http://video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "[Unnamed group]", "[Unnamed US Teams and Hacker group]", "Tulach", "Out For Blood", "NSO GROUP", "[Unnamed Teams Hacking Group]" ], "malware_families": [ "Formbook", "Win32:inject-bcl\\ [trj]", "Virus:wm/look", "Generic", "Qakbot - s0650", "Win32/tanatos.a", "Generic_r.byw", "Cobalt strike", "Ransomware", "Ransomexx", "Ketogenic switch", "Daxin", "Hallrender", "Dark power", "Win.malware.farfli-6824119-0", "Sheur4.ceoo", "Chaos", "Remcos", "Nanocore rat", "Win32:evo-gen\\ [trj]", "Artro", "Skynet", "Azorult - s0344", "Amadey", "Emotet", "Bitcoinaussie", "Hacktool", "Njrat - s0385", "Wanna cry kill switch", "Trojan:win32/remcosrat", "Pegasus", "Korplug", "#lowfi:suspicioussectionname", "Sabey", "Win32/cryptor", "W32.sality-73", "Win.trojan.agent-828507", "Possible", "Ransomexx (windows)", "Ursnif - s0386", "Win32:trojanx-gen[trj]", "Tulach", "Colibri loader", "Nokoyawa", "Blacknet rat", "Virus:dos/nanjing", "Colbalt strike", "Quasar rat", "Win.trojan.mbrlock-9779766-0" ], "industries": [ "Media", "Telecommunications", "Entertainment", "Healthcare", "Civil society", "Technology", "Private sector" ], "unique_indicators": 94190 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/tter.com", "whois": "http://whois.domaintools.com/tter.com", "domain": "tter.com", "hostname": "ww12.tter.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 20, "pulses": [ { "id": "65f27f90cb56df78929c01d4", "name": "CO.gov/PEAK - Post Mail Social Engineering | M Brian Sabey and CBI", "description": "", "modified": "2024-09-24T14:02:17.711000", "created": "2024-03-14T04:39:44.522000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": "65f2691bb1405f9a30cf46b6", "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6664, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2523, "domain": 1792, "hostname": 1889, "CVE": 2, "CIDR": 19, "email": 22 }, "indicator_count": 13082, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f2691bb1405f9a30cf46b6", "name": "CO.gov/PEAK - Postal Engineering | M Brian Sabey and CBI (mail)", "description": "Target received urgent postal mail ,directed to login: \nCO.gov/PEAK | Disappointed so many reports have been modified. Logins OTX account are governmental.with insecure headers.\nHistoryKillerPro , RedHatDelete glintsintern.com oauth2-proxy.glintsintern.com \u2022 https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ oauth2-proxy.glintsintern.com have attached to several OTX users.", "modified": "2024-04-12T14:01:31.094000", "created": "2024-03-14T03:03:55.928000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "suricata udpv4", "programfiles", "ck id", "show technique", "ck matrix", "windir", "date", "win64", "hybrid", "general", "model", "comspec", "click", "strings", "contact", "hostnames", "urls http", "samples", "ssl certificate", "whois record", "historical ssl", "resolutions", "referrer", "siblings", "contacted", "pe resource", "communicating", "subdomains", "whois whois", "copy", "ursnif", "qakbot", "lumma stealer", "ransomexx", "quasar", "ramnit", "lskeyc", "maxage31536000", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "headers", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "alexa top", "million", "team top", "site top", "site safe", "heur", "ccleaner", "adware", "downldr", "union", "bank", "cve201711882", "xrat", "phishing", "team", "alexa", "static engine", "passive dns", "unknown", "title error", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "urls", "thu jul", "fri dec", "hybridanalysis", "generic malware", "malware", "wed dec", "free automated", "service", "thu dec", "cidr", "sun aug", "ip sun", "country code", "system as", "as16509", "mon sep", "registrant name", "amazon", "terry ave", "code", "as36081 state", "pulse pulses", "files", "reverse dns", "asnone united", "moved", "body", "certificate", "g2 tls", "rsa sha256", "search", "showing", "online sun", "online sat", "online", "12345", "as44273 host", "status", "for privacy", "redacted for", "cname", "domain", "nxdomain", "ip related", "creation date", "servers", "name servers", "next", "cloudfront x", "sfo5 c1", "a domains", "nice botet", "srellik", "sreredrem", "hit", "men", "man", "women", "spider", "mail spammer", "gov" ], "references": [ "CO.gov/PEAK -Postal mail Spam. Urgent demand to login.", "https://hybrid-analysis.com/sample/23e867fef441df664d0122961782722157df2bfb0d468c8804ffc850c0b6c875", "Redirection chain: http://co.gov/peak | https://co.gov/peak | http://colorado.gov/peak | https://colorado.gov/peak | https://www.colorado.gov/peak", "Redirection chain: https://coloradopeak.secure.force.com/ https://colorado.gov:443/peak | coloradopeak.secure.force.com | dns01.salesforce.com", "Redirection chain: dns1.p06.nsone.net l ns1-204.azure-dns.com | ns1.google.com | ns1.msedge.net | peak.my.salesforce-sites.com |", "Redirection chain: www.colorado.gov | salesforce-sites.com | peak.my.si (Malformed domain) www.bing.com", "AS36081 State of Colorado General Government Computer: 165.127.10.10 | Location - LakeWood - CO - United States | Emails: isoc@state.co.us", "AS Name: AS36081 State of Colorado General Government Computer AS Country Code: US AS Registry: arin AS : AS CIDR: 165.127.0.0/16", "Registrant: State of Colorado General Government Computer Address: 690 Kipling St. Postal Code: 80215 Country Code: USA City: LakeWood State: CO", "http://bundled.toolbar.google http://bundled.toolbar.google/http://toolbar.google. https://bundled.toolbar.google. https://bundled.toolbar.google/", "Remotely accessing to targets devices: http://maps.co.gov/ | Maps & Calendar pop ups obfuscate targets screens. Pinging", "http://6.no.me.malware.com | http://6.no.me.malware.com/download", "Sexual Content Titles: http://analyticschecker.com/survey/sexynews24.js | http://sex.utub.com/ | http://wap.18.orgsex.utub.com/", "https://ak.deephicy.net/?z=6118780&syncedCookie=true&rhd=false&rb=4Qar0ipdalmNR5Sicj8o7oK9WuZVXLChC0EcEUDBDY4n5ISECZrApfC-gjpDjsMLofKZlJaeh_gobm2lTLNRbwBynCFo6CRsgTd-gbOZKn6hkTMO15e_qN9jmE8T9QytmggiZaSD7Ys_RCMg-fY8kjd5ELPE8MLrz-t9Dm7bxqLgQ8U1SWuTcrT09Npw1M6dvd7WA_91bWtr2m-EiV0umKwr5ZDSUqAYTPVfrEmvFKmZ32EfwaKGnKgKEGYaQGvQe1ga-4TccFs5A6Kh-HLSeXuKYMPVlODFrOgLcCUQi81bKgkG7ceuo8sG_5o6_ilHG6krYsCSk8Qwzdpn5AnwWweNPG9uC3hYGroh8tnINyQkdEnWp7O38iOgkAxqQoYhttqKqq7Cf6P8l9y-w4NtLBEm6c_ASSKggtwrI11Jvee9YxytSZBVlA==&sfr=n", "Co.gov: Autonomous System: AS16509 - Amazon.com, Inc. AS Country Code: US AS AS CIDR: 13.225.192.0/21 CIDR: 13.200.0.0/13 13.224.0.0/12 13.208.0.0/12", "Registrant Information: Amazon Technologies Inc. Address: 410 Terry Ave N. Postal Code: H3A 2A6 Country Code: CA (Canada) City: Montreal State: WA", "AS Registry: arin:aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "Emails: aws-routing-poc@amazon.com amzn-noc-contact@amazon.com abuse@amazonaws.com aws-dogfish-routing-poc@amazon.com", "AIG: Malicious CMS prefix -cmsportal.app.hurdman.org (key identifier/decoder)", "Targeted espionage: cms.wavebrowser.co | https://cms.wavebrowser.co/ | http://t4tonly.com/cms/web-services/get-all-city.php", "0-w5-cms.ultimate-guitar.com", "Redirect Chain: https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/ K9p1aHVpkkzIn1S7Dakqexnw4nP6ZmG7kNifaOtuay4%3Ahttp%3A%2F%2Fjaegertracing.match-growth.alicloud-production.glintsintern.com%2F https://oauth2-proxy.glintsintern.com/oauth2/start?rd=http://jaegertracing.match-growth.alicloud-production.glintsintern.com/", "Redirect Chain: https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force&client_id=795490584532-smtoie0juhaj5tq9h07si1ekd4m6pvlr.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Foauth2-proxy.glintsintern.com%2Foauth2%2Fcallback&response_type=code&scope=openid+email+profile&state=", "If you knew how you're wasting time and resources hacking a front facing archive with a 443:" ], "public": 1, "adversary": "Out For Blood", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1578.003", "name": "Delete Cloud Instance", "display_name": "T1578.003 - Delete Cloud Instance" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [ "Private Sector", "Healthcare", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6466, "FileHash-MD5": 89, "FileHash-SHA1": 82, "FileHash-SHA256": 2406, "domain": 1686, "hostname": 1760, "CVE": 2, "CIDR": 4, "email": 7 }, "indicator_count": 12502, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "737 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eedf74b7bdda41057bef3e", "name": "Source Browse- DNS poisoning \u2022 Device CnC", "description": "Smear + Fear campaign. Parked domain schemes. Swatting, social engineering, crime staging/framing. Cyber bully, shocking, false online content, posters, porn dumping, injection, CnC devices, master keys, break & enter. Victim becomes the accused. Framing. Ability to close bank accounts, skim, call, text, email collection, redirect phone calls, create botnets, engineer malware, injection,divert tax refunds, divert funds, royalties, mail erase job history, attack, hospital, CnC event, IRS audits, fake documentaries, stalkers, attackers, death threats. MD articulated outcome after being SA'd by their employee they vowed to protect.", "modified": "2024-04-10T09:00:27.994000", "created": "2024-03-11T10:39:48.949000", "tags": [ "iocs", "all octoseek", "blacklist https", "gmbh version", "legal", "service privacy", "general full", "reverse dns", "san francisco", "asn13335", "cloudflarenet", "cloudflare", "domains", "service privacy", "modernizr", "domainpath name", "migrate", "phishing", "url https", "united", "line", "threat", "paste", "analyze", "value", "z6s3i string", "a7i string", "y3i string", "e0b function", "x8i string", "source level", "threat analyzer", "urls https", "domain", "webzilla", "cloudflar", "system", "hostnames", "sample", "security tls", "ecdheecdsa", "resource", "hash", "windows nt", "win64", "khtml", "gecko", "veryhigh", "limited", "lsalford", "ocomodo ca", "cncomodo ecc", "secure server", "olet", "encrypt", "cnlet", "identity search", "group", "google https", "expired", "comodo", "tls web", "log id", "criteria id", "1663014711", "summary leaf", "timestamp entry", "log operator", "error", "name size", "parent", "directory", "displays", "targets", "smartfolder", "frame", "bookmarks", "splitcount", "nib files", "design", "boundsstr", "rows", "source browser", "ruby logo", "license", "python", "python software", "foundation", "apple inc", "php logo", "visit", "valid", "no na", "no no", "ip security", "ca id", "research group", "cnisrg root", "mozilla", "android", "binrm", "targetdisk", "create", "crlcachedir", "makefile", "dstroot", "keychainssrc", "srcroot", "crl cache", "install", "ev server", "authentication", "subject", "digicert https", "sectigo https", "certificate", "ca limited", "salford", "greater", "key usage", "access", "ca issuers", "ocsp", "x509v3 subject", "lets", "identifier", "411260982", "poison", "search", "status page", "impressum", "protocol h2", "main", "framing", "geoip", "as13335", "centos", "as32244", "liquidweb", "redirect", "as16509", "as133618", "z6s3i y3i", "as62597", "france unknown", "showing", "link", "z6s3i", "date", "unknown", "meta", "sha256", "google safe", "browsing", "hostname", "samples", "td td", "tr tr", "a td", "a domains", "passive dns", "a th", "urls", "as50295 triple", "triple mirrors", "contact", "moved", "show", "accept", "body", "microsoft", "e4609l", "urls http", "yoa https", "url http", "scan endpoints", "report spam", "created", "weeks ago", "pulse", "brashears", "xvideos", "capture", "expiration", "no expiration", "entries", "status", "as58110 ip", "for privacy", "aaaa", "creation date", "domain name", "germany unknown", "bq mar", "ipv4", "pulse pulses", "files", "artro", "files domain", "files related", "pulses otx", "pulses", "tags", "servers", "record value", "body doctype", "html public", "macintosh", "intel mac", "os x", "technology", "dns replication", "email", "server", "registrar abuse", "dnssec", "expiration date", "registrar iana", "admin country", "tech country", "registry admin", "url text", "facebook url", "google url", "google", "software", "asn15169", "ip https", "february", "request chain", "http", "referer", "aes128gcm", "pragma", "frankfurt", "germany", "asn213250", "itpsolutions", "full url", "software caddy", "express", "ubuntu", "as14061", "digitaloceanasn", "address as", "april", "facebook", "march", "hashes", "ip address", "as autonomous", "fastly", "packet", "kb script", "b script", "october", "resource path", "size", "type mimetype", "redirect chain", "kb image", "b image", "cname", "as32244 liquid", "trojan", "high", "yara rule", "sniffs", "windows", "anomalous file", "medium", "guard", "filehash", "js user", "python connection", "brian sabey", "smithtech", "rexxfield", "connect facebook", "open", "emails", "next", "ssl certificate", "contacted", "whois record", "referrer", "historical ssl", "resolutions", "execution", "whois whois", "contacted urls", "linkid69157 url", "formbook", "spyware", "generic malware", "tag count", "sat jul", "threat report", "ip summary", "url summary", "summary", "generic", "alerts", "icmp traffic", "cust exe", "depot tech", "office depot", "tech", "customer client", "june", "copy", "network_icmp", "inject-x64.exe", "tsara brashears", "apple ios", "hacktool", "download", "malware", "relic", "monitoring", "tofsee", "https://otx.alienvault.com/pulse/65acace20c18a7d6c5da2e27", "darklivity", "hijacker", "remote attackers", "cybercrime", "fear factor", "criminal gang", "jeffrey reimer", "miles it", "history killer", "apple", "apple control", "sreredrum", "men", "man", "hit" ], "references": [ "videolal.com [Exploitation for privilege - Turns victim into target then spys, smears, embeds pornography in devices]", "videolal.com was first found hosted : https://rexxfield.com/ | https://crt.sh/?id=410492573 | https://crt.sh/?id=411260982", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/michael.pbxuser.auto.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/project.pbxproj.auto.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/roots/", "https://crt.sh/?q=videolal.com", "https://opensource.apple.com/source/security_certificates/security_certificates-2/Makefile.auto.html", "https://opensource.apple.com/source/security_certificates/", "https://crt.sh/?q=videolal.com", "https://crt.sh/?graph=410492573&opt=nometadata", "https://crt.sh/?spkisha256=2c5ef644a15ed2d591aee707a125b2870da480a0bc16d78022a311c93aca5b15", "Tracey Richter smear included Brashears: http://video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "Tracey Richter smear: video-lal.com/videos/diabolical-sentencing.html", "Tracey Richter smear: video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "Tracey Richter smear: video-lal.com/video/fbcwPGTSo5lrA7e/tracey-richter-documentary?cpc=no", "Malware hosting: http://videolan.mirror.triple-it.nl/vlc-android/3.0.4/VLC-Android-3.0.4-ARMv7.apk", "video-lal.com/videos/sandra-richter-video.html", "Denver Attorney Frank Azar Smear: video-lal.com/videos/sherryce-emery-frank-azar-&-associates.html", "Brashears smear: video-lal.com/videos/tsara-brashears-dead-by-daylight.html", "http://tx-p2p-pull.video-voip.com.dorm.com/Accept-Language", "Crazy: video-lal.com/videos/michael-roberts.html", "https://urlscan.io/screenshots/e40cd846-7c34-45a5-9f79-fea139f5b1ee.png", "http://secure.applegiftcard.com \u2022 199.59.243.224: http://tx-p2p-pull.video-voip.com.dorm.com \u2022 199.59.243.224: http://wpad.dorm.com", "notonmytrack.info \u2022 http://notonmytrack.info \u2022 https://pochta-rf.ru/track74157857 \u2022 patch-tracker.gnewsense.org \u2022 mysql.snore.co", "Darren Meade: https://urlscan.io/result/e5f1d6fe-036e-4291-8595-0a33e5dacba5/#behaviour \u2022 alleged partner turned enemy of Michael Roberts", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe | smithsthermopadtool.com", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe \u2022", "Unclear given names authentic. Michael Roberts, Darren Mitchell Meade , M. Brian Sabey could be used interchangeably. Black hats w/pseudonyms.", "Smith tech may refer to Det. Ben Smith. HallRender; a media company, producing nonsensical, albeit convincing evidence of deeply fake content.", "Possibly false names given by individual involved. Brian Sabey Hall Render | Michael Roberts Rexxfield | Darren Meade former partner of Roberts", "Responsible reopening Richter case via alleged Detective Ben Smith | Names Below linked to porn spewing Videolan , Videolal, Video-lal (Honeypots?) |", "http://www.hallrender.com/attorney/brian-sabey |", "Sabey: https://www.google.com/search?q=tsara+brashears&client=ms-android-tmus-us-rvc3&sca_esv=52c806ab62ec5c59&cs=1&prmd=inv&filter=0&biw=347&bih=710&dpr=2.08#ip=1", "https://www.hallrender.com/attorney/brian-sabey", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png | www.hallrender.com | rexxfield.com", "http://usb.smithtech.us \u2022 http://usb.smithtech.us/apps/downloads/NSISPortable.exe \u2022 http://usb.smithtech.us/apps/downloads/xplorer2.lite.portable.exe", "http://usb.smithtech.us/projects/downloads/\u2022 http://usb.smithtech.us/projects/downloads/psu.exe \u2022 smithsthermopadtool.com", "servicer.mgid.com \u2022 http://iv-u15.com/imbd-104-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-\u00e5\u00a4\u008f\u00e5\u00b0\u2018\u00e5\u00a5\u00b3-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-blu-ray \u2022 https://load77.exelator.com/pixel.gif", "brain-portal.net", "303 Status. Ide redirect from: https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "https://otx.alienvault.com/pulse/64d018ee4623e8fcd386c2e1", "https://otx.alienvault.com/pulse/65418472eb20b10ee5510fde", "https://otx.alienvault.com/pulse/64d65255c80d866add600bac", "https://otx.alienvault.com/pulse/65204565ac1e8bce4de26df3", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "https://otx.alienvault.com/pulse/65a342310ab3d2c69778d608", "Refuses to remove target from adult content \"tagging\"" ], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Win.Malware.Farfli-6824119-0", "display_name": "Win.Malware.Farfli-6824119-0", "target": null }, { "id": "Win32:TrojanX-Gen[Trj]", "display_name": "Win32:TrojanX-Gen[Trj]", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1602.002", "name": "Network Device Configuration Dump", "display_name": "T1602.002 - Network Device Configuration Dump" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5328, "domain": 2339, "hostname": 2434, "FileHash-MD5": 1210, "FileHash-SHA1": 721, "FileHash-SHA256": 2784, "SSLCertFingerprint": 5, "CVE": 2, "URI": 2, "email": 10, "CIDR": 3 }, "indicator_count": 14838, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "739 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c607c354336e9c19aa3e1f", "name": "RansomEXX + Cyber attack \u2022 Premier Denver Recording Studio", "description": "Studio description: Adelio developed and managed A-list producer DJ Frank E, who has worked with the likes of Kanye West, B.O.B., Madonna, and Justin Bieber...\nResearch confirms target releases songs recorded @ Side3 studios.\nCreative differences aren't uncommon, research shows a common kink with m. Brian sabey if hallrender hacking everything from hospital is to insurance portals. He's nuts. Unclear if true nameof attacker is Brian Sabey /Tulach / using NSO grouo and various cyver attacks. A man representing an attorney named M. Brian Sabey socially engineered himself and others into targets world. If studio interns or management had malice towards target, social engineering access would be easy.", "modified": "2024-03-10T11:05:48.248000", "created": "2024-02-09T11:08:51.939000", "tags": [ "url http", "united", "unknown", "search", "status", "creation date", "date", "expiration date", "showing", "as201682 liquid", "as32244 liquid", "trojan", "passive dns", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "open", "win32", "body", "date hash", "avast avg", "lowfi", "ssl certificate", "contacted", "whois whois", "sdhyzbh7v http", "whois record", "execution", "apple ios", "historical ssl", "resolutions", "sdhyzbh7v", "attack", "ransomexx", "quasar", "asyncrat", "hacktool", "maze", "find", "hell", "crypto", "remcosrat", "worm", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "porkbun llc", "ovh sas", "summary iocs", "graph community", "as63949 linode", "for privacy", "asnone united", "as174 cogent", "as197695 domain", "russia unknown", "as16276", "france unknown", "encrypt", "next", "tsara brashears", "targeting", "cyber threat", "abuse", "malware spreading", "hallgrand", "tulach", "sabey data centers", "sav.com", "outbreak", "location united", "asn as63949", "whois registrar", "related tags", "interfacing", "malicious", "retaliation", "botnet", "porn", "teen porn", "illegal activities", "theft", "side3studios" ], "references": [ "http://mobilesmafia.com/applications/botnet.ex", "Found in: https://Side3.com/", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "nr-data.net [Apple Private Data Collection]", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "pornhub.org", "ww12.indianpornxxxtube.com", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Inject-BCL\\ [Trj]", "display_name": "Win32:Inject-BCL\\ [Trj]", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Win32:Evo-gen\\ [Trj]", "display_name": "Win32:Evo-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Mbrlock-9779766-0", "display_name": "Win.Trojan.Mbrlock-9779766-0", "target": null }, { "id": "Win.Trojan.Agent-828507", "display_name": "Win.Trojan.Agent-828507", "target": null }, { "id": "SHeur4.CEOO", "display_name": "SHeur4.CEOO", "target": null }, { "id": "Win32/Cryptor", "display_name": "Win32/Cryptor", "target": null }, { "id": "Win32/Tanatos.A", "display_name": "Win32/Tanatos.A", "target": null }, { "id": "W32.Sality-73", "display_name": "W32.Sality-73", "target": null }, { "id": "Generic_r.BYW", "display_name": "Generic_r.BYW", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan:Win32/RemcosRAT", "display_name": "Trojan:Win32/RemcosRAT", "target": "/malware/Trojan:Win32/RemcosRAT" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 71387, "domain": 8768, "hostname": 17727, "email": 16, "FileHash-MD5": 195, "FileHash-SHA1": 168, "FileHash-SHA256": 15313, "CVE": 9, "CIDR": 7 }, "indicator_count": 113590, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "770 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c5e50dda752af9eab50933", "name": "Side 3 Studios Pegasus Attack Denver, Co \u2022 SkyNet BotNetwork", "description": "Pegasus abuse by an alleged legal team with the malware hosting DGA domain https://hallrender.com. Related to an ongoing attack by a M.Brian Sabey who has fixated on a non criminal target. It's frightening to see the carelessness of the Cellebrite tool at work. \nAccording to all written accounts Side 3 provides services to Grammy award winning, nominated and aspiring artists. If you're heard of them , they've recorded there. There is evidence of music file transfers possibly, illegally sold to well known artist. This may have been done without knowledge of studio representatives. More likely by a hacker who boldly informed.", "modified": "2024-03-10T08:03:07.690000", "created": "2024-02-09T08:40:45.976000", "tags": [ "malware", "pegasus", "cellbrite", "targets sa", "survivor", "referrer", "contacted urls", "contacted", "whois record", "hr rtd", "execution", "ssl certificate", "communicating", "skynet", "malicious", "csc corporate", "domains", "code", "t services", "date", "saint louis", "server", "registrar abuse", "whois lookups", "tech email", "threat roundup", "july", "march", "june", "files", "august", "phishing", "service", "amadey", "blacknet rat", "roundup", "magecart", "powershell", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "gmt vary", "gmt connection", "link", "studio", "side", "studios", "downtown denver", "colorado", "studios og", "html info", "title denver", "studios meta", "tags og", "hallrender", "mark brian sabey", "tulach", "passive dns", "urls", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "domain", "files ip", "united", "as36646 oath", "unknown", "body doctype", "yahoo title", "x ua", "ieedge chrome1", "possible", "as19137 epsilon", "ipv4", "pulse pulses", "body", "headers nel", "contentencoding", "connection", "access control", "search", "address", "domain robot", "record value", "next", "parking crew", "tracking", "tsara brashears", "targeting", "as20940", "aaaa", "as714 apple", "as16625 akamai", "win32mydoom feb", "name servers", "as6185 apple", "creation date", "trojan", "virtool", "worm", "servers", "expiration date", "moved", "certificate", "showing", "entries" ], "references": [ "adsl-074-168-130-217.sip.pns.bellsouth.net", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://www.cibc.ca/en/personal-banking/bank-accounts/savings-accounts/bonus-savings.htm", "http://iv-u15.com/category/uncensored-leaked [ BitDefender: Porn \u2022 Xcitium: Verdict Cloud illegal software \u2022 Forcepoint: ThreatSeeker adult content]", "Found in: https://side3.com/ \u2022 https://side3.com/wp-json/ \u2022 https://side3.com/wp-json/wp/v2/pages/9 \u2022 https://side3.com/xmlrpc.php \u2022 side3.com \u2022 https://side3.com/wp-content/uploads/2015/07/favicon.ico.gif \u2022 https://www.facebook.com/side3studios", "CnC IP's: 20.103.85.33 \u2022 213.91.128.13 \u2022 74.6.143.25 \u2022 74.6.143.26 \u2022 74.6.231.20 \u2022 74.6.231.21", "https://otx.alienvault.com/indicator/ip/74.6.231.21", "nr-data.net [Apple Private Data Collection]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Tracking. Transactional agreement]", "mail.secure2.store.apple.com [vprsecure.com \u2022 Worm:Win32/Mydoom]" ], "public": 1, "adversary": "NSO GROUP", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3263, "FileHash-MD5": 133, "FileHash-SHA1": 125, "FileHash-SHA256": 2596, "domain": 1168, "hostname": 1877, "CVE": 2, "email": 6 }, "indicator_count": 9170, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "770 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a989843b7acf6d0a79ac", "name": "Qakbot. Again. Today. Pulled from own device. Quasar RAT, Malvertizing", "description": "", "modified": "2023-12-06T17:04:09.133000", "created": "2023-12-06T17:04:09.133000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 290, "FileHash-SHA256": 1478, "hostname": 1047, "URL": 4055, "FileHash-MD5": 89, "FileHash-SHA1": 85, "email": 1, "FilePath": 2, "Mutex": 1, "CIDR": 1 }, "indicator_count": 7051, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a7fc464f9f56ac33a389", "name": "Hidden Users |Injection| Milum Botnet | Tulach Malware | Emotet", "description": "", "modified": "2023-12-06T16:57:32.030000", "created": "2023-12-06T16:57:32.030000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3487, "domain": 3202, "CVE": 5, "FileHash-SHA256": 1943, "URL": 14072, "FileHash-MD5": 70, "FileHash-SHA1": 56 }, "indicator_count": 22835, "is_author": false, "is_subscribing": null, "subscriber_count": 114, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a7e7daf278491d9f9eb4", "name": "Hidden Users |Injection| Milum Botnet | Tulach Malware | Emotet", "description": "", "modified": "2023-12-06T16:57:11.228000", "created": "2023-12-06T16:57:11.228000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3487, "domain": 3202, "CVE": 5, "FileHash-SHA256": 1943, "URL": 14072, "FileHash-MD5": 70, "FileHash-SHA1": 56 }, "indicator_count": 22835, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f205bac4b92f025125962", "name": "Tracker and Botnet campaign - Canto XXVI", "description": "", "modified": "2023-11-19T00:04:57.528000", "created": "2023-10-30T03:17:47.051000", "tags": [ "contacted", "tsara brashears", "whois record", "whois whois", "threat roundup", "december", "execution", "referrer", "pe resource", "remcos", "malware", "quasar", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "awful", "open", "korplug", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "ursnif", "ransomware", "pattern match", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "beginstring", "script", "segoe ui", "null", "error", "unknown", "span", "date", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "hybrid", "general", "click", "strings", "meta", "xiongmao group", "district", "nanjing", "china country", "beijing", "please", "apnic person", "road", "china phone", "whois lookup", "cnnic", "dns replication", "domain", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "type name", "android", "win32 dll", "cyber criminals", "cyber stalking", "cyber warfare", "framing", "tulach.cc", "exploit_source", "scanning_host", "phishing", "adware", "command_and_control", "C2", "technology", "virustotal xn", "technology xn", "rich text", "format po", "jyoti cnc", "detection list", "blacklist", "noname057", "proxy", "prism.exe", "password cracker", "skynet", "malvertizing", "spyware", "colorado", "arizona", "prism command line tool", "keyloggers", "apple", "I'm being followed", "threats", "sha256", "osint", "vmware", "gpt", "nginx", "piracy", "intellectual property", "spammer", "honeypot", "tracker", "tracking campaign", "Botnet campaign" ], "references": [ "114.114.1114.114", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \tketogenic switch , BitcoinAussie", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io BitcoinAussie", "www.sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/Tracker and Botnet campaign", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian password cracker", "a-poster.info [tagging tool]", "https://tulach.cc/ phishing | Proxy | Skynet", "67.227.226.240 command_and_control. [lb01.parklogic.com] Lansing Michigan", "20.99.186.246 exploit_source", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e/652c962002e18b99e20e891a", "1.62.64.108 malware_hosting", "110.249.196.101. malware_hosting", "CVE-2022-26134", "www.anyxxxtube.net prism.exe", "https://www.pornhub.com prism.exe [Massachusetts, US]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 [Colorado, US referenced malvertizing outfit]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 [Colorado, US references]", "https://twitter.com/PORNO_SEXYBABES - Nokoyawa catapult spider", "https://twitter.com/ catapult spider/spider", "nr-data.net Private Apple data collection", "tv.apple.com Apple hacking", "newrelic.se New Update Apple iPhone 199.59.243.222", "0.0.0.0 iplocal=comcast [iplocalpple.com, possibly misconfigured] exploit", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 exploit [You can pair older Samsung watches with an iPhone by downloading the Samsung Galaxy Watch (Gear S) app from the iOS App. Abused remotely?]", "itunes.apple.com. [https:///app/apple-store", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [HappyRabbit]", "a0bc39001c6efcf39dbc6b7684232cce5126dcf0364c37e902714898ec097e94 [apple to windows China ??]", "https://otx.alienvault.com/indicator/url/https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 ? A target on my devices?", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 Another target?", "https://lelosexgame.com/datingsm?ad_campaign_id=3161239&cost=0&creative_id=2032565&external_id=0&keyword=%25KW%25&ref=https://example.com&ref_domain=example.com&server_node=0&source=0", "199.249.230.74 traffic group 78", "https://gpt.ocloo.cn/auth", "vmwarevmc.com", "http://karnalketo.com/sound-found error code 432 server nginx", "http://ww1.karnalketo.com/astroshift-soundtrack-cheat-code-incl-product-key-download-3264bit-latest/ error code 432 server nginx", "64.190.63.136 Malicious. IP: Sedo GmbH", "www.sweetheartvideo.com Tracking and Botnet campaign" ], "public": 1, "adversary": "[Unnamed US Teams and Hacker group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "Colbalt Strike", "display_name": "Colbalt Strike", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Colibri Loader", "display_name": "Colibri Loader", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nokoyawa", "display_name": "Nokoyawa", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Ursnif - S0386", "display_name": "Ursnif - S0386", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Virus:WM/Look", "display_name": "Virus:WM/Look", "target": "/malware/Virus:WM/Look" }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "ketogenic switch", "display_name": "ketogenic switch", "target": null }, { "id": "BitcoinAussie", "display_name": "BitcoinAussie", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "green", "cloned_from": "653323d24f9946946c804be4", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 173, "FileHash-SHA1": 166, "FileHash-SHA256": 2841, "URL": 6670, "CVE": 4, "domain": 684, "hostname": 1930, "CIDR": 2, "email": 3 }, "indicator_count": 12473, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "882 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65580ba704bae549b90948b5", "name": "Tracker and Botnet campaign - Canto XXVI", "description": "", "modified": "2023-11-19T00:04:57.528000", "created": "2023-11-18T00:56:07.651000", "tags": [ "contacted", "tsara brashears", "whois record", "whois whois", "threat roundup", "december", "execution", "referrer", "pe resource", "remcos", "malware", "quasar", "nanocore", "attack", "core", "qakbot", "azorult", "njrat", "colibri loader", "metro", "nokoyawa", "formbook", "bank", "installer", "daxin", "awful", "open", "korplug", "dark power", "cobalt strike", "hacktool", "emotet", "chaos", "ransomexx", "ursnif", "ransomware", "pattern match", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "beginstring", "script", "segoe ui", "null", "error", "unknown", "span", "date", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "hybrid", "general", "click", "strings", "meta", "xiongmao group", "district", "nanjing", "china country", "beijing", "please", "apnic person", "road", "china phone", "whois lookup", "cnnic", "dns replication", "domain", "win32 exe", "files", "detections type", "name", "notepad", "java", "update checker", "type name", "android", "win32 dll", "cyber criminals", "cyber stalking", "cyber warfare", "framing", "tulach.cc", "exploit_source", "scanning_host", "phishing", "adware", "command_and_control", "C2", "technology", "virustotal xn", "technology xn", "rich text", "format po", "jyoti cnc", "detection list", "blacklist", "noname057", "proxy", "prism.exe", "password cracker", "skynet", "malvertizing", "spyware", "colorado", "arizona", "prism command line tool", "keyloggers", "apple", "I'm being followed", "threats", "sha256", "osint", "vmware", "gpt", "nginx", "piracy", "intellectual property", "spammer", "honeypot", "tracker", "tracking campaign", "Botnet campaign" ], "references": [ "114.114.1114.114", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \tketogenic switch , BitcoinAussie", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io BitcoinAussie", "www.sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/Tracker and Botnet campaign", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian password cracker", "a-poster.info [tagging tool]", "https://tulach.cc/ phishing | Proxy | Skynet", "67.227.226.240 command_and_control. [lb01.parklogic.com] Lansing Michigan", "20.99.186.246 exploit_source", "https://www.hybrid-analysis.com/sample/06558031f63aca4f043b4770ae780337408b276df3b1e3e05b3d536839c3ad9e/652c962002e18b99e20e891a", "1.62.64.108 malware_hosting", "110.249.196.101. malware_hosting", "CVE-2022-26134", "www.anyxxxtube.net prism.exe", "https://www.pornhub.com prism.exe [Massachusetts, US]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 [Colorado, US referenced malvertizing outfit]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 [Colorado, US references]", "https://twitter.com/PORNO_SEXYBABES - Nokoyawa catapult spider", "https://twitter.com/ catapult spider/spider", "nr-data.net Private Apple data collection", "tv.apple.com Apple hacking", "newrelic.se New Update Apple iPhone 199.59.243.222", "0.0.0.0 iplocal=comcast [iplocalpple.com, possibly misconfigured] exploit", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 exploit [You can pair older Samsung watches with an iPhone by downloading the Samsung Galaxy Watch (Gear S) app from the iOS App. Abused remotely?]", "itunes.apple.com. [https:///app/apple-store", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [HappyRabbit]", "a0bc39001c6efcf39dbc6b7684232cce5126dcf0364c37e902714898ec097e94 [apple to windows China ??]", "https://otx.alienvault.com/indicator/url/https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 ? A target on my devices?", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017 Another target?", "https://lelosexgame.com/datingsm?ad_campaign_id=3161239&cost=0&creative_id=2032565&external_id=0&keyword=%25KW%25&ref=https://example.com&ref_domain=example.com&server_node=0&source=0", "199.249.230.74 traffic group 78", "https://gpt.ocloo.cn/auth", "vmwarevmc.com", "http://karnalketo.com/sound-found error code 432 server nginx", "http://ww1.karnalketo.com/astroshift-soundtrack-cheat-code-incl-product-key-download-3264bit-latest/ error code 432 server nginx", "64.190.63.136 Malicious. IP: Sedo GmbH", "www.sweetheartvideo.com Tracking and Botnet campaign" ], "public": 1, "adversary": "[Unnamed US Teams and Hacker group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Azorult - S0344", "display_name": "Azorult - S0344", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "Colbalt Strike", "display_name": "Colbalt Strike", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "Colibri Loader", "display_name": "Colibri Loader", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Nokoyawa", "display_name": "Nokoyawa", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "njRAT - S0385", "display_name": "njRAT - S0385", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Ursnif - S0386", "display_name": "Ursnif - S0386", "target": null }, { "id": "Virus:DOS/Nanjing", "display_name": "Virus:DOS/Nanjing", "target": "/malware/Virus:DOS/Nanjing" }, { "id": "Daxin", "display_name": "Daxin", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Virus:WM/Look", "display_name": "Virus:WM/Look", "target": "/malware/Virus:WM/Look" }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "ketogenic switch", "display_name": "ketogenic switch", "target": null }, { "id": "BitcoinAussie", "display_name": "BitcoinAussie", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" } ], "industries": [], "TLP": "green", "cloned_from": "653f1ffb074d89724cb81371", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 173, "FileHash-SHA1": 166, "FileHash-SHA256": 2841, "URL": 6670, "CVE": 4, "domain": 684, "hostname": 1930, "CIDR": 2, "email": 3 }, "indicator_count": 12473, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "882 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ww12.tter.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ww12.tter.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776641739.3631287 }