{ "type": "URL", "indicator": "https://ww25.teamobie.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ww25.teamobie.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3837965863, "indicator": "https://ww25.teamobie.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "66ac1de146fa19aeb4bb119a", "name": "Ransom.Win32.Birele.gsg: affecting a global cyber security entity", "description": "Ransomware, hacking, Linux attacks. 7notrump.com has been in circulation for more than 1 year. Malicious, pre-existing and not the result of hackers attempting to suddenly attack recently made vulnerable entities. Backdoor:Linux/Tsunami.C!MTB\nBackdoor:Linux/Tsunami.C!MTB , Ransom.Win32.Birele.gsg , Trojan:Win32/Neconyd.A , VirTool:Win32/CeeInject.SN!bit , \nC!MTB ,\nCheckin Win32/ExpressDownloader , \nET ,\nRansom.Win32.Birele.gsg , \nTrojan:Win32/Neconyd.A\nVirTool:Win32/CeeInject.SN!bit , Win.Worm.Mydoom-5 ,\nWin32.Birele.gsg", "modified": "2024-10-01T16:04:13.437000", "created": "2024-08-01T23:44:33.058000", "tags": [ "no expiration", "domain", "expiration", "hostname", "filehashsha256", "url http", "ipv4", "url https", "iocs", "email abuse", "next", "all scoreblue", "create new", "pulse provide", "public tlp", "green", "adversary tags", "x509v3", "trojan", "virtool", "backdoor", "antivirus", "united", "et trojan", "possible", "sinkhole cookie", "et", "checkin win32/expressdownloader", "kw1ethical", "kw2ip", "kw3cloud", "kw4augmented", "filehashsha1", "filehashmd5", "termsurlhttp", "privacyurlhttp", "download", "ipv6", "versionid1", "pulse use", "pdf report", "pcap", "stix", "contact", "contacted", "adversaries", "adload", "dns", "activity", "acint", "aaaa", "analysis", "all scoreblue", "agent algorithm", "alexa top", "agent", "analyzer", "alexa", "alerts", "threat", "c!mtb", "win32.birele.gsg", "add malware", "ck t1027", "files", "xrat xtrat", "yara", "ransomware", "virus", "phishing", "paste analyzer", "threat anonymizer", "level as4230", "as32421", "gigenet", "as32181", "ntt", "as2914", "as20940", "as133618", "asyncrat", "ascii text", "claro", "babe", "pornhub", "av detections", "avast avg", "avatier ccir", "crack", "copy", "contact phone", "conduit", "command decode", "cnc", "command", "code command", "cobalt strike", "dos", "cnwe1 validity", "click", "cleaner", "ck techniques", "ck matrix", "backdoor", "ck id", "cisco umbrella", "choke", "bq jul", "body", "blacklist http", "module behav", "bcrypt", "bank", "zeus derivative", "yara rule", "yara detections", "crowdstrike", "xtrat", "xrat", "x509v3 key", "write", "worm", "windows nt", "win64", "win32", "network w", "network", "virus", "virtool virus", "validity", "v3 serial", "cus", "ogoogle", "cus olet", "cyber threat", "upxoepplace url", "upx alerts", "unsafe", "unknown", "united", "union", "twitter", "ttl value", "tsunami", "trust", "trojanspy", "trojan", "trident", "data redacted", "hash", "deepscan", "detection list", "malware", "potential ip", "exploit", "facebook", "false", "possible postal code", "files location", "port", "porno", "pink", "phishing site", "phishing", "files matching", "files related", "filetour", "firehol", "first", "flag united", "full name", "fusioncor", "genkryptik", "get na", "girlfriend", "hackers", "heur", "high", "high priority", "hostile", "html", "http spammer", "hybrid identifier", "ids detections", "iframe", "resource phish", "injection", "pattern match", "pe", "patcher", "passive dns", "null number", "nuance china", "nsis245zlib", "notice nsis", "no data", "nircmd", "namecheap inc", "name tactics", "name servers", "indicator", "informative", "installcore", "installpack", "invalid url", "iocs ip", "iocs ip", "ip summary", "ipv4", "javascript", "key algorithm", "key identifier", "key info", "crowdstrike", "known tor", "local", "luna host", "malicious", "malicious host", "malicious site", "malware", "malware site", "memscan", "meta", "million", "misc attack", "mitre att", "module load", "msdos", "mtb" ], "references": [ "crowdstrike.com \u00bb 7notrump.com contains pornhub.com and pastebin.com", "192.184.12.62 - Verdict: Suspicious Location: Los Angeles, United States of America ASN AS32421 Level 3 Parent Llc", "7notrump.com@privacy.above.com | Why are YOU hiding? Aren't you proud of your hateful and damaging works?", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA256 94f82ebb09bc3ac922789af2ce272ecbf9fe303e5220c7ab3a31d6db1bea8ec4", "Backdoor:Linux/Tsunami.C!MTB: FileHash-MD5 c721d0c9d0daba37cc3e0d06331f7493", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA1 8fceac50c534ddf1fc8d1c84b9f7fa06e41d891c", "Antivirus Detections: Win.Trojan.Tsunami-5 , Backdoor:Linux/Tsunami.C!MTB", "IDS Detections: Query to a .tk domain - Likely Hostile Yara Detections: is__elf , LinuxTsunami Alerts: suricata_alert", "VirTool:Win32/CeeInject.SN!bit: FileHash-MD5 d90dc74c1377355f3a58e3883fa8e38f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA1 a6df4e57a54c4f9ecc5ed0d0759c57d8702f270f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA256 9ae6df6d6c273c3037b083d3b3a78ed8329802f3ca065ceef644f5b1f7311269", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Trojan.BlackMoon-7136668-0 , VirTool:Win32/CeeInject.SN!bit", "Hacktools_CN_WinEggDrop , CN_Portscan , Ping_Command_in_EXE More | Alerts: dead_host network_icmp persistence_autorun recon_beacon injection_resumethread creates_exe creates_service", "IDS Detections: ET TROJAN Win32/PurpleFox Related Domain in DNS Lookup Yara Detections: mimikatz , Mimikatz_Strings ,", "IDS Detections: Adware/Gertokr.C Variant Checkin MSIL/Linkury Toolbar Activity PUP.Win32.BoBrowser User-Agent (VersionDwl)", "IDS Detections: Rogue.Win32/FakeRean Checkin Win32/ExpressDownloader Variant CnC Beacon 1", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf", "Ransom.Win32.Birele.gsg: FileHash-MD5 06c2c738f40c310fb9eb2b6c35afe18d", "Ransom.Win32.Birele.gsg: FileHash-SHA1 51995c8b1002cf27d22a2026a825f1f4fedca280 955549cbca6acdbd617aebade070259efaf6cec6", "Ransom.Win32.Birele.gsg: FileHash-SHA256 00e1b6c35691a64a327eb642c80321e7c54956de106a254688062cdda3d265a9", "T1027 - Obfuscated Files or Information T1031 - Modify Existing Service T1040 - Network Sniffing T1045 - Software Packing T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.007 - JavaScript T1060 - Registry Run Keys / Startup Folder T1071 - Application Layer Protocol T1071.001 - Web Protocols T1071.004 - DNS T1105 - Ingress Tool Transfer T1114 - Email Collection T1129 - Shared Modules T1132 - Data Encoding T1132.001 - Standard Encoding T1140 - Deobfuscate/Decode Files or Information T", "Antivirus Detections: Win32:Buterat-WQ\\ [Trj] , Win.Malware.Ulise-7170100-0 , Trojan:Win32/Neconyd.A", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Alerts: network_icmp creates_user_folder_exe disables_proxy modifies_proxy_wpad creates_exe", "Alerts: antivm_network_adapters packer_polymorphic network_cnc_http network_http" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Brazil" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "Checkin Win32/ExpressDownloader", "display_name": "Checkin Win32/ExpressDownloader", "target": null }, { "id": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "display_name": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "target": null }, { "id": "Win.Worm.Mydoom-5", "display_name": "Win.Worm.Mydoom-5", "target": null }, { "id": "Ransom.Win32.Birele.gsg", "display_name": "Ransom.Win32.Birele.gsg", "target": null }, { "id": "VirTool:Win32/CeeInject.SN!bit", "display_name": "VirTool:Win32/CeeInject.SN!bit", "target": "/malware/VirTool:Win32/CeeInject.SN!bit" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "Backdoor:Linux/Tsunami.C!MTB", "display_name": "Backdoor:Linux/Tsunami.C!MTB", "target": "/malware/Backdoor:Linux/Tsunami.C!MTB" }, { "id": "C!MTB", "display_name": "C!MTB", "target": null }, { "id": "Win32.Birele.gsg", "display_name": "Win32.Birele.gsg", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" } ], "industries": [ "Media", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 69, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2164, "FileHash-MD5": 2939, "FileHash-SHA1": 2271, "FileHash-SHA256": 3553, "domain": 1075, "email": 13, "hostname": 1064, "CVE": 8 }, "indicator_count": 13087, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "565 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d49947eaaf6c57bec78719", "name": "Ransom.Win32.Birele.gsg: affecting a global cyber security entity", "description": "", "modified": "2024-10-01T16:04:13.437000", "created": "2024-09-01T16:41:43.676000", "tags": [ "no expiration", "domain", "expiration", "hostname", "filehashsha256", "url http", "ipv4", "url https", "iocs", "email abuse", "next", "all scoreblue", "create new", "pulse provide", "public tlp", "green", "adversary tags", "x509v3", "trojan", "virtool", "backdoor", "antivirus", "united", "et trojan", "possible", "sinkhole cookie", "et", "checkin win32/expressdownloader", "kw1ethical", "kw2ip", "kw3cloud", "kw4augmented", "filehashsha1", "filehashmd5", "termsurlhttp", "privacyurlhttp", "download", "ipv6", "versionid1", "pulse use", "pdf report", "pcap", "stix", "contact", "contacted", "adversaries", "adload", "dns", "activity", "acint", "aaaa", "analysis", "all scoreblue", "agent algorithm", "alexa top", "agent", "analyzer", "alexa", "alerts", "threat", "c!mtb", "win32.birele.gsg", "add malware", "ck t1027", "files", "xrat xtrat", "yara", "ransomware", "virus", "phishing", "paste analyzer", "threat anonymizer", "level as4230", "as32421", "gigenet", "as32181", "ntt", "as2914", "as20940", "as133618", "asyncrat", "ascii text", "claro", "babe", "pornhub", "av detections", "avast avg", "avatier ccir", "crack", "copy", "contact phone", "conduit", "command decode", "cnc", "command", "code command", "cobalt strike", "dos", "cnwe1 validity", "click", "cleaner", "ck techniques", "ck matrix", "backdoor", "ck id", "cisco umbrella", "choke", "bq jul", "body", "blacklist http", "module behav", "bcrypt", "bank", "zeus derivative", "yara rule", "yara detections", "crowdstrike", "xtrat", "xrat", "x509v3 key", "write", "worm", "windows nt", "win64", "win32", "network w", "network", "virus", "virtool virus", "validity", "v3 serial", "cus", "ogoogle", "cus olet", "cyber threat", "upxoepplace url", "upx alerts", "unsafe", "unknown", "united", "union", "twitter", "ttl value", "tsunami", "trust", "trojanspy", "trojan", "trident", "data redacted", "hash", "deepscan", "detection list", "malware", "potential ip", "exploit", "facebook", "false", "possible postal code", "files location", "port", "porno", "pink", "phishing site", "phishing", "files matching", "files related", "filetour", "firehol", "first", "flag united", "full name", "fusioncor", "genkryptik", "get na", "girlfriend", "hackers", "heur", "high", "high priority", "hostile", "html", "http spammer", "hybrid identifier", "ids detections", "iframe", "resource phish", "injection", "pattern match", "pe", "patcher", "passive dns", "null number", "nuance china", "nsis245zlib", "notice nsis", "no data", "nircmd", "namecheap inc", "name tactics", "name servers", "indicator", "informative", "installcore", "installpack", "invalid url", "iocs ip", "iocs ip", "ip summary", "ipv4", "javascript", "key algorithm", "key identifier", "key info", "crowdstrike", "known tor", "local", "luna host", "malicious", "malicious host", "malicious site", "malware", "malware site", "memscan", "meta", "million", "misc attack", "mitre att", "module load", "msdos", "mtb" ], "references": [ "crowdstrike.com \u00bb 7notrump.com contains pornhub.com and pastebin.com", "192.184.12.62 - Verdict: Suspicious Location: Los Angeles, United States of America ASN AS32421 Level 3 Parent Llc", "7notrump.com@privacy.above.com | Why are YOU hiding? Aren't you proud of your hateful and damaging works?", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA256 94f82ebb09bc3ac922789af2ce272ecbf9fe303e5220c7ab3a31d6db1bea8ec4", "Backdoor:Linux/Tsunami.C!MTB: FileHash-MD5 c721d0c9d0daba37cc3e0d06331f7493", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA1 8fceac50c534ddf1fc8d1c84b9f7fa06e41d891c", "Antivirus Detections: Win.Trojan.Tsunami-5 , Backdoor:Linux/Tsunami.C!MTB", "IDS Detections: Query to a .tk domain - Likely Hostile Yara Detections: is__elf , LinuxTsunami Alerts: suricata_alert", "VirTool:Win32/CeeInject.SN!bit: FileHash-MD5 d90dc74c1377355f3a58e3883fa8e38f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA1 a6df4e57a54c4f9ecc5ed0d0759c57d8702f270f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA256 9ae6df6d6c273c3037b083d3b3a78ed8329802f3ca065ceef644f5b1f7311269", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Trojan.BlackMoon-7136668-0 , VirTool:Win32/CeeInject.SN!bit", "Hacktools_CN_WinEggDrop , CN_Portscan , Ping_Command_in_EXE More | Alerts: dead_host network_icmp persistence_autorun recon_beacon injection_resumethread creates_exe creates_service", "IDS Detections: ET TROJAN Win32/PurpleFox Related Domain in DNS Lookup Yara Detections: mimikatz , Mimikatz_Strings ,", "IDS Detections: Adware/Gertokr.C Variant Checkin MSIL/Linkury Toolbar Activity PUP.Win32.BoBrowser User-Agent (VersionDwl)", "IDS Detections: Rogue.Win32/FakeRean Checkin Win32/ExpressDownloader Variant CnC Beacon 1", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf", "Ransom.Win32.Birele.gsg: FileHash-MD5 06c2c738f40c310fb9eb2b6c35afe18d", "Ransom.Win32.Birele.gsg: FileHash-SHA1 51995c8b1002cf27d22a2026a825f1f4fedca280 955549cbca6acdbd617aebade070259efaf6cec6", "Ransom.Win32.Birele.gsg: FileHash-SHA256 00e1b6c35691a64a327eb642c80321e7c54956de106a254688062cdda3d265a9", "T1027 - Obfuscated Files or Information T1031 - Modify Existing Service T1040 - Network Sniffing T1045 - Software Packing T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.007 - JavaScript T1060 - Registry Run Keys / Startup Folder T1071 - Application Layer Protocol T1071.001 - Web Protocols T1071.004 - DNS T1105 - Ingress Tool Transfer T1114 - Email Collection T1129 - Shared Modules T1132 - Data Encoding T1132.001 - Standard Encoding T1140 - Deobfuscate/Decode Files or Information T", "Antivirus Detections: Win32:Buterat-WQ\\ [Trj] , Win.Malware.Ulise-7170100-0 , Trojan:Win32/Neconyd.A", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Alerts: network_icmp creates_user_folder_exe disables_proxy modifies_proxy_wpad creates_exe", "Alerts: antivm_network_adapters packer_polymorphic network_cnc_http network_http" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Brazil" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "Checkin Win32/ExpressDownloader", "display_name": "Checkin Win32/ExpressDownloader", "target": null }, { "id": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "display_name": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "target": null }, { "id": "Win.Worm.Mydoom-5", "display_name": "Win.Worm.Mydoom-5", "target": null }, { "id": "Ransom.Win32.Birele.gsg", "display_name": "Ransom.Win32.Birele.gsg", "target": null }, { "id": "VirTool:Win32/CeeInject.SN!bit", "display_name": "VirTool:Win32/CeeInject.SN!bit", "target": "/malware/VirTool:Win32/CeeInject.SN!bit" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "Backdoor:Linux/Tsunami.C!MTB", "display_name": "Backdoor:Linux/Tsunami.C!MTB", "target": "/malware/Backdoor:Linux/Tsunami.C!MTB" }, { "id": "C!MTB", "display_name": "C!MTB", "target": null }, { "id": "Win32.Birele.gsg", "display_name": "Win32.Birele.gsg", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" } ], "industries": [ "Media", "Technology", "Government" ], "TLP": "white", "cloned_from": "66ac1de146fa19aeb4bb119a", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2164, "FileHash-MD5": 2939, "FileHash-SHA1": 2271, "FileHash-SHA256": 3553, "domain": 1075, "email": 13, "hostname": 1064, "CVE": 8 }, "indicator_count": 13087, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "565 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c7b86fa120d19bbc88f367", "name": "Hijacker", "description": "Hackers hired to humiliate, threaten,steal data, evidence, recordings , spy and intimidate.", "modified": "2024-03-11T17:01:59.026000", "created": "2024-02-10T17:54:55.243000", "tags": [ "ssl certificate", "whois record", "contacted", "tsara brashears", "referrer", "communicating", "resolutions", "historical ssl", "high level", "hackers", "hacktool", "download", "malware", "crypto", "hijacker", "monitoring", "installer", "tofsee", "domains domains", "domains files", "files files", "script", "kgs0", "kls0", "relic", "iframe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "rticon neutral", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "ico rtgroupicon", "neutral", "first", "utc submissions", "submitters", "company limited", "computer", "amazonaes", "china telecom", "group", "csc corporate", "domains", "malware spreading evader", "cnc", "malvertizing", "milehighmedia", "trojandropper", "moved", "passive dns", "urls", "as14576", "backdoor", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "trojan", "encrypt", "body", "date", "date hash", "avast avg", "mtb may", "kratona", "threat", "paste", "iocs", "analyze", "hostnames", "urls https", "script urls", "united", "meta", "unknown", "emails", "name servers", "search", "as62597 nsone", "a domains", "as397241", "media", "next", "december", "unlocker", "threat round", "apple ios", "apple phone", "project", "blister", "agent tesla", "open", "execution", "videos", "strong", "porn videos", "watch", "daddy", "free", "top rated", "most viewed", "cancel anytime", "views", "play", "black", "enjoy", "czech", "hunk", "virtool", "cryp", "creation date", "otx telemetry", "expiration date", "servers", "status", "win32", "showing", "domain", "nxdomain", "as8075", "shell code", "threat", "cyber espionage", "cyber stalking", "danger", "critical", "attack", "treats", "as15169 google", "aaaa", "record value", "error", "entries", "hostname", "url http", "http", "files domain", "files related", "shinjiru msc", "sdn bhd", "dnssec", "protect", "as54455 madeit", "phishing", "backdoor", "contextualizing", "elevated exposure", "malvertizing", "ransom", "msil", "hackers for hire", "hashes", "http method", "get http", "http requests", "get dns", "ip traffic", "memory pattern", "pattern ips", "@emreimer", "iextract2", "cp cyber", "denver", "security", "siem compliance", "skip", "cybersecurity", "larimer st", "suite", "resources cyber", "risk assessment", "bill", "mind", "delaware", "pa", "arizona", "colorado", "stalkers", "deuteronomy 28:7", "hitmen" ], "references": [ "honey.exe", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "CS Sigma Rules: Python Initiated Connection by frack113", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "api.login.live.com", "http://appleid.icloud.com-website33.org/", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "message.htm.com", "http://pornhub.com/gay/video/search", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "W32.Sality.PE", "display_name": "W32.Sality.PE", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Virus.Win32.Virut.q", "display_name": "Virus.Win32.Virut.q", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "TrojanDropper:Win32", "display_name": "TrojanDropper:Win32", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6303, "FileHash-MD5": 215, "FileHash-SHA1": 192, "FileHash-SHA256": 2663, "domain": 2673, "hostname": 2686, "CVE": 2, "email": 16 }, "indicator_count": 14750, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "Hacktools_CN_WinEggDrop , CN_Portscan , Ping_Command_in_EXE More | Alerts: dead_host network_icmp persistence_autorun recon_beacon injection_resumethread creates_exe creates_service", "http://appleid.icloud.com-website33.org/", "CS Sigma Rules: Python Initiated Connection by frack113", "message.htm.com", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA1 a6df4e57a54c4f9ecc5ed0d0759c57d8702f270f", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "Backdoor:Linux/Tsunami.C!MTB: FileHash-MD5 c721d0c9d0daba37cc3e0d06331f7493", "Ransom.Win32.Birele.gsg: FileHash-SHA256 00e1b6c35691a64a327eb642c80321e7c54956de106a254688062cdda3d265a9", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "Ransom.Win32.Birele.gsg: FileHash-SHA1 51995c8b1002cf27d22a2026a825f1f4fedca280 955549cbca6acdbd617aebade070259efaf6cec6", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA256 94f82ebb09bc3ac922789af2ce272ecbf9fe303e5220c7ab3a31d6db1bea8ec4", "Antivirus Detections: Win32:Buterat-WQ\\ [Trj] , Win.Malware.Ulise-7170100-0 , Trojan:Win32/Neconyd.A", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA1 8fceac50c534ddf1fc8d1c84b9f7fa06e41d891c", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "IDS Detections: Adware/Gertokr.C Variant Checkin MSIL/Linkury Toolbar Activity PUP.Win32.BoBrowser User-Agent (VersionDwl)", "ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Alerts: network_icmp creates_user_folder_exe disables_proxy modifies_proxy_wpad creates_exe", "VirTool:Win32/CeeInject.SN!bit: FileHash-MD5 d90dc74c1377355f3a58e3883fa8e38f", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "IDS Detections: Query to a .tk domain - Likely Hostile Yara Detections: is__elf , LinuxTsunami Alerts: suricata_alert", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "crowdstrike.com \u00bb 7notrump.com contains pornhub.com and pastebin.com", "7notrump.com@privacy.above.com | Why are YOU hiding? Aren't you proud of your hateful and damaging works?", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA256 9ae6df6d6c273c3037b083d3b3a78ed8329802f3ca065ceef644f5b1f7311269", "192.184.12.62 - Verdict: Suspicious Location: Los Angeles, United States of America ASN AS32421 Level 3 Parent Llc", "http://pornhub.com/gay/video/search", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "IDS Detections: ET TROJAN Win32/PurpleFox Related Domain in DNS Lookup Yara Detections: mimikatz , Mimikatz_Strings ,", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "Ransom.Win32.Birele.gsg: FileHash-MD5 06c2c738f40c310fb9eb2b6c35afe18d", "https://www.pornhub.com/video/search?search=tsara+brashears", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "Alerts: antivm_network_adapters packer_polymorphic network_cnc_http network_http", "Antivirus Detections: Win.Trojan.Tsunami-5 , Backdoor:Linux/Tsunami.C!MTB", "honey.exe", "IDS Detections: Rogue.Win32/FakeRean Checkin Win32/ExpressDownloader Variant CnC Beacon 1", "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf", "api.login.live.com", "T1027 - Obfuscated Files or Information T1031 - Modify Existing Service T1040 - Network Sniffing T1045 - Software Packing T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.007 - JavaScript T1060 - Registry Run Keys / Startup Folder T1071 - Application Layer Protocol T1071.001 - Web Protocols T1071.004 - DNS T1105 - Ingress Tool Transfer T1114 - Email Collection T1129 - Shared Modules T1132 - Data Encoding T1132.001 - Standard Encoding T1140 - Deobfuscate/Decode Files or Information T", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Trojan.BlackMoon-7136668-0 , VirTool:Win32/CeeInject.SN!bit" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Virtool:win32/ceeinject.sn!bit", "Backdoor:linux/tsunami.c!mtb ransom.win32.birele.gsg trojan:win32/neconyd.a virtool:win32/ceeinject.sn!bit", "Backdoor:linux/tsunami.c!mtb", "Checkin win32/expressdownloader", "Hacktool", "C!mtb", "W32.sality.pe", "Et", "Virtool", "Trojandropper:win32", "Ransom.win32.birele.gsg", "Trojan:win32/neconyd.a", "Tofsee", "Trojanspy", "Win32.birele.gsg", "Relic", "Win.worm.mydoom-5", "Virus.win32.virut.q" ], "industries": [ "Government", "Technology", "Media" ], "unique_indicators": 28141 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/teamobie.com", "whois": "http://whois.domaintools.com/teamobie.com", "domain": "teamobie.com", "hostname": "ww25.teamobie.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "66ac1de146fa19aeb4bb119a", "name": "Ransom.Win32.Birele.gsg: affecting a global cyber security entity", "description": "Ransomware, hacking, Linux attacks. 7notrump.com has been in circulation for more than 1 year. Malicious, pre-existing and not the result of hackers attempting to suddenly attack recently made vulnerable entities. Backdoor:Linux/Tsunami.C!MTB\nBackdoor:Linux/Tsunami.C!MTB , Ransom.Win32.Birele.gsg , Trojan:Win32/Neconyd.A , VirTool:Win32/CeeInject.SN!bit , \nC!MTB ,\nCheckin Win32/ExpressDownloader , \nET ,\nRansom.Win32.Birele.gsg , \nTrojan:Win32/Neconyd.A\nVirTool:Win32/CeeInject.SN!bit , Win.Worm.Mydoom-5 ,\nWin32.Birele.gsg", "modified": "2024-10-01T16:04:13.437000", "created": "2024-08-01T23:44:33.058000", "tags": [ "no expiration", "domain", "expiration", "hostname", "filehashsha256", "url http", "ipv4", "url https", "iocs", "email abuse", "next", "all scoreblue", "create new", "pulse provide", "public tlp", "green", "adversary tags", "x509v3", "trojan", "virtool", "backdoor", "antivirus", "united", "et trojan", "possible", "sinkhole cookie", "et", "checkin win32/expressdownloader", "kw1ethical", "kw2ip", "kw3cloud", "kw4augmented", "filehashsha1", "filehashmd5", "termsurlhttp", "privacyurlhttp", "download", "ipv6", "versionid1", "pulse use", "pdf report", "pcap", "stix", "contact", "contacted", "adversaries", "adload", "dns", "activity", "acint", "aaaa", "analysis", "all scoreblue", "agent algorithm", "alexa top", "agent", "analyzer", "alexa", "alerts", "threat", "c!mtb", "win32.birele.gsg", "add malware", "ck t1027", "files", "xrat xtrat", "yara", "ransomware", "virus", "phishing", "paste analyzer", "threat anonymizer", "level as4230", "as32421", "gigenet", "as32181", "ntt", "as2914", "as20940", "as133618", "asyncrat", "ascii text", "claro", "babe", "pornhub", "av detections", "avast avg", "avatier ccir", "crack", "copy", "contact phone", "conduit", "command decode", "cnc", "command", "code command", "cobalt strike", "dos", "cnwe1 validity", "click", "cleaner", "ck techniques", "ck matrix", "backdoor", "ck id", "cisco umbrella", "choke", "bq jul", "body", "blacklist http", "module behav", "bcrypt", "bank", "zeus derivative", "yara rule", "yara detections", "crowdstrike", "xtrat", "xrat", "x509v3 key", "write", "worm", "windows nt", "win64", "win32", "network w", "network", "virus", "virtool virus", "validity", "v3 serial", "cus", "ogoogle", "cus olet", "cyber threat", "upxoepplace url", "upx alerts", "unsafe", "unknown", "united", "union", "twitter", "ttl value", "tsunami", "trust", "trojanspy", "trojan", "trident", "data redacted", "hash", "deepscan", "detection list", "malware", "potential ip", "exploit", "facebook", "false", "possible postal code", "files location", "port", "porno", "pink", "phishing site", "phishing", "files matching", "files related", "filetour", "firehol", "first", "flag united", "full name", "fusioncor", "genkryptik", "get na", "girlfriend", "hackers", "heur", "high", "high priority", "hostile", "html", "http spammer", "hybrid identifier", "ids detections", "iframe", "resource phish", "injection", "pattern match", "pe", "patcher", "passive dns", "null number", "nuance china", "nsis245zlib", "notice nsis", "no data", "nircmd", "namecheap inc", "name tactics", "name servers", "indicator", "informative", "installcore", "installpack", "invalid url", "iocs ip", "iocs ip", "ip summary", "ipv4", "javascript", "key algorithm", "key identifier", "key info", "crowdstrike", "known tor", "local", "luna host", "malicious", "malicious host", "malicious site", "malware", "malware site", "memscan", "meta", "million", "misc attack", "mitre att", "module load", "msdos", "mtb" ], "references": [ "crowdstrike.com \u00bb 7notrump.com contains pornhub.com and pastebin.com", "192.184.12.62 - Verdict: Suspicious Location: Los Angeles, United States of America ASN AS32421 Level 3 Parent Llc", "7notrump.com@privacy.above.com | Why are YOU hiding? Aren't you proud of your hateful and damaging works?", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA256 94f82ebb09bc3ac922789af2ce272ecbf9fe303e5220c7ab3a31d6db1bea8ec4", "Backdoor:Linux/Tsunami.C!MTB: FileHash-MD5 c721d0c9d0daba37cc3e0d06331f7493", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA1 8fceac50c534ddf1fc8d1c84b9f7fa06e41d891c", "Antivirus Detections: Win.Trojan.Tsunami-5 , Backdoor:Linux/Tsunami.C!MTB", "IDS Detections: Query to a .tk domain - Likely Hostile Yara Detections: is__elf , LinuxTsunami Alerts: suricata_alert", "VirTool:Win32/CeeInject.SN!bit: FileHash-MD5 d90dc74c1377355f3a58e3883fa8e38f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA1 a6df4e57a54c4f9ecc5ed0d0759c57d8702f270f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA256 9ae6df6d6c273c3037b083d3b3a78ed8329802f3ca065ceef644f5b1f7311269", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Trojan.BlackMoon-7136668-0 , VirTool:Win32/CeeInject.SN!bit", "Hacktools_CN_WinEggDrop , CN_Portscan , Ping_Command_in_EXE More | Alerts: dead_host network_icmp persistence_autorun recon_beacon injection_resumethread creates_exe creates_service", "IDS Detections: ET TROJAN Win32/PurpleFox Related Domain in DNS Lookup Yara Detections: mimikatz , Mimikatz_Strings ,", "IDS Detections: Adware/Gertokr.C Variant Checkin MSIL/Linkury Toolbar Activity PUP.Win32.BoBrowser User-Agent (VersionDwl)", "IDS Detections: Rogue.Win32/FakeRean Checkin Win32/ExpressDownloader Variant CnC Beacon 1", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf", "Ransom.Win32.Birele.gsg: FileHash-MD5 06c2c738f40c310fb9eb2b6c35afe18d", "Ransom.Win32.Birele.gsg: FileHash-SHA1 51995c8b1002cf27d22a2026a825f1f4fedca280 955549cbca6acdbd617aebade070259efaf6cec6", "Ransom.Win32.Birele.gsg: FileHash-SHA256 00e1b6c35691a64a327eb642c80321e7c54956de106a254688062cdda3d265a9", "T1027 - Obfuscated Files or Information T1031 - Modify Existing Service T1040 - Network Sniffing T1045 - Software Packing T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.007 - JavaScript T1060 - Registry Run Keys / Startup Folder T1071 - Application Layer Protocol T1071.001 - Web Protocols T1071.004 - DNS T1105 - Ingress Tool Transfer T1114 - Email Collection T1129 - Shared Modules T1132 - Data Encoding T1132.001 - Standard Encoding T1140 - Deobfuscate/Decode Files or Information T", "Antivirus Detections: Win32:Buterat-WQ\\ [Trj] , Win.Malware.Ulise-7170100-0 , Trojan:Win32/Neconyd.A", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Alerts: network_icmp creates_user_folder_exe disables_proxy modifies_proxy_wpad creates_exe", "Alerts: antivm_network_adapters packer_polymorphic network_cnc_http network_http" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Brazil" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "Checkin Win32/ExpressDownloader", "display_name": "Checkin Win32/ExpressDownloader", "target": null }, { "id": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "display_name": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "target": null }, { "id": "Win.Worm.Mydoom-5", "display_name": "Win.Worm.Mydoom-5", "target": null }, { "id": "Ransom.Win32.Birele.gsg", "display_name": "Ransom.Win32.Birele.gsg", "target": null }, { "id": "VirTool:Win32/CeeInject.SN!bit", "display_name": "VirTool:Win32/CeeInject.SN!bit", "target": "/malware/VirTool:Win32/CeeInject.SN!bit" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "Backdoor:Linux/Tsunami.C!MTB", "display_name": "Backdoor:Linux/Tsunami.C!MTB", "target": "/malware/Backdoor:Linux/Tsunami.C!MTB" }, { "id": "C!MTB", "display_name": "C!MTB", "target": null }, { "id": "Win32.Birele.gsg", "display_name": "Win32.Birele.gsg", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" } ], "industries": [ "Media", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 69, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2164, "FileHash-MD5": 2939, "FileHash-SHA1": 2271, "FileHash-SHA256": 3553, "domain": 1075, "email": 13, "hostname": 1064, "CVE": 8 }, "indicator_count": 13087, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "565 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d49947eaaf6c57bec78719", "name": "Ransom.Win32.Birele.gsg: affecting a global cyber security entity", "description": "", "modified": "2024-10-01T16:04:13.437000", "created": "2024-09-01T16:41:43.676000", "tags": [ "no expiration", "domain", "expiration", "hostname", "filehashsha256", "url http", "ipv4", "url https", "iocs", "email abuse", "next", "all scoreblue", "create new", "pulse provide", "public tlp", "green", "adversary tags", "x509v3", "trojan", "virtool", "backdoor", "antivirus", "united", "et trojan", "possible", "sinkhole cookie", "et", "checkin win32/expressdownloader", "kw1ethical", "kw2ip", "kw3cloud", "kw4augmented", "filehashsha1", "filehashmd5", "termsurlhttp", "privacyurlhttp", "download", "ipv6", "versionid1", "pulse use", "pdf report", "pcap", "stix", "contact", "contacted", "adversaries", "adload", "dns", "activity", "acint", "aaaa", "analysis", "all scoreblue", "agent algorithm", "alexa top", "agent", "analyzer", "alexa", "alerts", "threat", "c!mtb", "win32.birele.gsg", "add malware", "ck t1027", "files", "xrat xtrat", "yara", "ransomware", "virus", "phishing", "paste analyzer", "threat anonymizer", "level as4230", "as32421", "gigenet", "as32181", "ntt", "as2914", "as20940", "as133618", "asyncrat", "ascii text", "claro", "babe", "pornhub", "av detections", "avast avg", "avatier ccir", "crack", "copy", "contact phone", "conduit", "command decode", "cnc", "command", "code command", "cobalt strike", "dos", "cnwe1 validity", "click", "cleaner", "ck techniques", "ck matrix", "backdoor", "ck id", "cisco umbrella", "choke", "bq jul", "body", "blacklist http", "module behav", "bcrypt", "bank", "zeus derivative", "yara rule", "yara detections", "crowdstrike", "xtrat", "xrat", "x509v3 key", "write", "worm", "windows nt", "win64", "win32", "network w", "network", "virus", "virtool virus", "validity", "v3 serial", "cus", "ogoogle", "cus olet", "cyber threat", "upxoepplace url", "upx alerts", "unsafe", "unknown", "united", "union", "twitter", "ttl value", "tsunami", "trust", "trojanspy", "trojan", "trident", "data redacted", "hash", "deepscan", "detection list", "malware", "potential ip", "exploit", "facebook", "false", "possible postal code", "files location", "port", "porno", "pink", "phishing site", "phishing", "files matching", "files related", "filetour", "firehol", "first", "flag united", "full name", "fusioncor", "genkryptik", "get na", "girlfriend", "hackers", "heur", "high", "high priority", "hostile", "html", "http spammer", "hybrid identifier", "ids detections", "iframe", "resource phish", "injection", "pattern match", "pe", "patcher", "passive dns", "null number", "nuance china", "nsis245zlib", "notice nsis", "no data", "nircmd", "namecheap inc", "name tactics", "name servers", "indicator", "informative", "installcore", "installpack", "invalid url", "iocs ip", "iocs ip", "ip summary", "ipv4", "javascript", "key algorithm", "key identifier", "key info", "crowdstrike", "known tor", "local", "luna host", "malicious", "malicious host", "malicious site", "malware", "malware site", "memscan", "meta", "million", "misc attack", "mitre att", "module load", "msdos", "mtb" ], "references": [ "crowdstrike.com \u00bb 7notrump.com contains pornhub.com and pastebin.com", "192.184.12.62 - Verdict: Suspicious Location: Los Angeles, United States of America ASN AS32421 Level 3 Parent Llc", "7notrump.com@privacy.above.com | Why are YOU hiding? Aren't you proud of your hateful and damaging works?", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA256 94f82ebb09bc3ac922789af2ce272ecbf9fe303e5220c7ab3a31d6db1bea8ec4", "Backdoor:Linux/Tsunami.C!MTB: FileHash-MD5 c721d0c9d0daba37cc3e0d06331f7493", "Backdoor:Linux/Tsunami.C!MTB: FileHash-SHA1 8fceac50c534ddf1fc8d1c84b9f7fa06e41d891c", "Antivirus Detections: Win.Trojan.Tsunami-5 , Backdoor:Linux/Tsunami.C!MTB", "IDS Detections: Query to a .tk domain - Likely Hostile Yara Detections: is__elf , LinuxTsunami Alerts: suricata_alert", "VirTool:Win32/CeeInject.SN!bit: FileHash-MD5 d90dc74c1377355f3a58e3883fa8e38f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA1 a6df4e57a54c4f9ecc5ed0d0759c57d8702f270f", "VirTool:Win32/CeeInject.SN!bit: FileHash-SHA256 9ae6df6d6c273c3037b083d3b3a78ed8329802f3ca065ceef644f5b1f7311269", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Trojan.BlackMoon-7136668-0 , VirTool:Win32/CeeInject.SN!bit", "Hacktools_CN_WinEggDrop , CN_Portscan , Ping_Command_in_EXE More | Alerts: dead_host network_icmp persistence_autorun recon_beacon injection_resumethread creates_exe creates_service", "IDS Detections: ET TROJAN Win32/PurpleFox Related Domain in DNS Lookup Yara Detections: mimikatz , Mimikatz_Strings ,", "IDS Detections: Adware/Gertokr.C Variant Checkin MSIL/Linkury Toolbar Activity PUP.Win32.BoBrowser User-Agent (VersionDwl)", "IDS Detections: Rogue.Win32/FakeRean Checkin Win32/ExpressDownloader Variant CnC Beacon 1", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf", "Ransom.Win32.Birele.gsg: FileHash-MD5 06c2c738f40c310fb9eb2b6c35afe18d", "Ransom.Win32.Birele.gsg: FileHash-SHA1 51995c8b1002cf27d22a2026a825f1f4fedca280 955549cbca6acdbd617aebade070259efaf6cec6", "Ransom.Win32.Birele.gsg: FileHash-SHA256 00e1b6c35691a64a327eb642c80321e7c54956de106a254688062cdda3d265a9", "T1027 - Obfuscated Files or Information T1031 - Modify Existing Service T1040 - Network Sniffing T1045 - Software Packing T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.007 - JavaScript T1060 - Registry Run Keys / Startup Folder T1071 - Application Layer Protocol T1071.001 - Web Protocols T1071.004 - DNS T1105 - Ingress Tool Transfer T1114 - Email Collection T1129 - Shared Modules T1132 - Data Encoding T1132.001 - Standard Encoding T1140 - Deobfuscate/Decode Files or Information T", "Antivirus Detections: Win32:Buterat-WQ\\ [Trj] , Win.Malware.Ulise-7170100-0 , Trojan:Win32/Neconyd.A", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "Alerts: network_icmp creates_user_folder_exe disables_proxy modifies_proxy_wpad creates_exe", "Alerts: antivm_network_adapters packer_polymorphic network_cnc_http network_http" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Brazil" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "Checkin Win32/ExpressDownloader", "display_name": "Checkin Win32/ExpressDownloader", "target": null }, { "id": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "display_name": "Backdoor:Linux/Tsunami.C!MTB Ransom.Win32.Birele.gsg Trojan:Win32/Neconyd.A VirTool:Win32/CeeInject.SN!bit", "target": null }, { "id": "Win.Worm.Mydoom-5", "display_name": "Win.Worm.Mydoom-5", "target": null }, { "id": "Ransom.Win32.Birele.gsg", "display_name": "Ransom.Win32.Birele.gsg", "target": null }, { "id": "VirTool:Win32/CeeInject.SN!bit", "display_name": "VirTool:Win32/CeeInject.SN!bit", "target": "/malware/VirTool:Win32/CeeInject.SN!bit" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "Backdoor:Linux/Tsunami.C!MTB", "display_name": "Backdoor:Linux/Tsunami.C!MTB", "target": "/malware/Backdoor:Linux/Tsunami.C!MTB" }, { "id": "C!MTB", "display_name": "C!MTB", "target": null }, { "id": "Win32.Birele.gsg", "display_name": "Win32.Birele.gsg", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" } ], "industries": [ "Media", "Technology", "Government" ], "TLP": "white", "cloned_from": "66ac1de146fa19aeb4bb119a", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2164, "FileHash-MD5": 2939, "FileHash-SHA1": 2271, "FileHash-SHA256": 3553, "domain": 1075, "email": 13, "hostname": 1064, "CVE": 8 }, "indicator_count": 13087, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "565 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c7b86fa120d19bbc88f367", "name": "Hijacker", "description": "Hackers hired to humiliate, threaten,steal data, evidence, recordings , spy and intimidate.", "modified": "2024-03-11T17:01:59.026000", "created": "2024-02-10T17:54:55.243000", "tags": [ "ssl certificate", "whois record", "contacted", "tsara brashears", "referrer", "communicating", "resolutions", "historical ssl", "high level", "hackers", "hacktool", "download", "malware", "crypto", "hijacker", "monitoring", "installer", "tofsee", "domains domains", "domains files", "files files", "script", "kgs0", "kls0", "relic", "iframe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "rticon neutral", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "ico rtgroupicon", "neutral", "first", "utc submissions", "submitters", "company limited", "computer", "amazonaes", "china telecom", "group", "csc corporate", "domains", "malware spreading evader", "cnc", "malvertizing", "milehighmedia", "trojandropper", "moved", "passive dns", "urls", "as14576", "backdoor", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "trojan", "encrypt", "body", "date", "date hash", "avast avg", "mtb may", "kratona", "threat", "paste", "iocs", "analyze", "hostnames", "urls https", "script urls", "united", "meta", "unknown", "emails", "name servers", "search", "as62597 nsone", "a domains", "as397241", "media", "next", "december", "unlocker", "threat round", "apple ios", "apple phone", "project", "blister", "agent tesla", "open", "execution", "videos", "strong", "porn videos", "watch", "daddy", "free", "top rated", "most viewed", "cancel anytime", "views", "play", "black", "enjoy", "czech", "hunk", "virtool", "cryp", "creation date", "otx telemetry", "expiration date", "servers", "status", "win32", "showing", "domain", "nxdomain", "as8075", "shell code", "threat", "cyber espionage", "cyber stalking", "danger", "critical", "attack", "treats", "as15169 google", "aaaa", "record value", "error", "entries", "hostname", "url http", "http", "files domain", "files related", "shinjiru msc", "sdn bhd", "dnssec", "protect", "as54455 madeit", "phishing", "backdoor", "contextualizing", "elevated exposure", "malvertizing", "ransom", "msil", "hackers for hire", "hashes", "http method", "get http", "http requests", "get dns", "ip traffic", "memory pattern", "pattern ips", "@emreimer", "iextract2", "cp cyber", "denver", "security", "siem compliance", "skip", "cybersecurity", "larimer st", "suite", "resources cyber", "risk assessment", "bill", "mind", "delaware", "pa", "arizona", "colorado", "stalkers", "deuteronomy 28:7", "hitmen" ], "references": [ "honey.exe", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "CS Sigma Rules: Python Initiated Connection by frack113", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "api.login.live.com", "http://appleid.icloud.com-website33.org/", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "message.htm.com", "http://pornhub.com/gay/video/search", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "W32.Sality.PE", "display_name": "W32.Sality.PE", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Virus.Win32.Virut.q", "display_name": "Virus.Win32.Virut.q", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "TrojanDropper:Win32", "display_name": "TrojanDropper:Win32", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6303, "FileHash-MD5": 215, "FileHash-SHA1": 192, "FileHash-SHA256": 2663, "domain": 2673, "hostname": 2686, "CVE": 2, "email": 16 }, "indicator_count": 14750, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ww25.teamobie.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ww25.teamobie.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776648659.730808 }