{ "type": "URL", "indicator": "https://www.18dy44.xyz", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.18dy44.xyz", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3833622624, "indicator": "https://www.18dy44.xyz", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "65c607c354336e9c19aa3e1f", "name": "RansomEXX + Cyber attack \u2022 Premier Denver Recording Studio", "description": "Studio description: Adelio developed and managed A-list producer DJ Frank E, who has worked with the likes of Kanye West, B.O.B., Madonna, and Justin Bieber...\nResearch confirms target releases songs recorded @ Side3 studios.\nCreative differences aren't uncommon, research shows a common kink with m. Brian sabey if hallrender hacking everything from hospital is to insurance portals. He's nuts. Unclear if true nameof attacker is Brian Sabey /Tulach / using NSO grouo and various cyver attacks. A man representing an attorney named M. Brian Sabey socially engineered himself and others into targets world. If studio interns or management had malice towards target, social engineering access would be easy.", "modified": "2024-03-10T11:05:48.248000", "created": "2024-02-09T11:08:51.939000", "tags": [ "url http", "united", "unknown", "search", "status", "creation date", "date", "expiration date", "showing", "as201682 liquid", "as32244 liquid", "trojan", "passive dns", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "open", "win32", "body", "date hash", "avast avg", "lowfi", "ssl certificate", "contacted", "whois whois", "sdhyzbh7v http", "whois record", "execution", "apple ios", "historical ssl", "resolutions", "sdhyzbh7v", "attack", "ransomexx", "quasar", "asyncrat", "hacktool", "maze", "find", "hell", "crypto", "remcosrat", "worm", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "porkbun llc", "ovh sas", "summary iocs", "graph community", "as63949 linode", "for privacy", "asnone united", "as174 cogent", "as197695 domain", "russia unknown", "as16276", "france unknown", "encrypt", "next", "tsara brashears", "targeting", "cyber threat", "abuse", "malware spreading", "hallgrand", "tulach", "sabey data centers", "sav.com", "outbreak", "location united", "asn as63949", "whois registrar", "related tags", "interfacing", "malicious", "retaliation", "botnet", "porn", "teen porn", "illegal activities", "theft", "side3studios" ], "references": [ "http://mobilesmafia.com/applications/botnet.ex", "Found in: https://Side3.com/", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "nr-data.net [Apple Private Data Collection]", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "pornhub.org", "ww12.indianpornxxxtube.com", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Inject-BCL\\ [Trj]", "display_name": "Win32:Inject-BCL\\ [Trj]", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Win32:Evo-gen\\ [Trj]", "display_name": "Win32:Evo-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Mbrlock-9779766-0", "display_name": "Win.Trojan.Mbrlock-9779766-0", "target": null }, { "id": "Win.Trojan.Agent-828507", "display_name": "Win.Trojan.Agent-828507", "target": null }, { "id": "SHeur4.CEOO", "display_name": "SHeur4.CEOO", "target": null }, { "id": "Win32/Cryptor", "display_name": "Win32/Cryptor", "target": null }, { "id": "Win32/Tanatos.A", "display_name": "Win32/Tanatos.A", "target": null }, { "id": "W32.Sality-73", "display_name": "W32.Sality-73", "target": null }, { "id": "Generic_r.BYW", "display_name": "Generic_r.BYW", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan:Win32/RemcosRAT", "display_name": "Trojan:Win32/RemcosRAT", "target": "/malware/Trojan:Win32/RemcosRAT" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 71387, "domain": 8768, "hostname": 17727, "email": 16, "FileHash-MD5": 195, "FileHash-SHA1": 168, "FileHash-SHA256": 15313, "CVE": 9, "CIDR": 7 }, "indicator_count": 113590, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c4a099f6a2c8fc2bb85d4b", "name": "Cyber espionage & ransomware attacks Denver Recording Studio", "description": "GoldMax is used by UNC2452 as a command-and-control backdoor. It is written in the Go programming language. To hide its activities, it generates dummy traffic.\n\nSibot is a VBScript-based malware that allows attackers to download and run payloads from a remote command-and-control server. It uses file names that are similar to those used in Windows for masquerading. The VBScript is executed through a scheduled task.\n\nGoldFinder is another Go malware used by attackers to access a hardcoded command-and-control (C2) server by logging the route or hops that a packet takes like an HTTP tracer tool.", "modified": "2024-03-09T09:02:09.950000", "created": "2024-02-08T09:36:25.114000", "tags": [ "ssl certificate", "contacted", "historical ssl", "february", "referrer", "threat roundup", "apple ios", "goldfinder", "sibot", "goldmax", "hacktool", "malicious", "formbook", "contacted urls", "resolutions", "malware", "njrat", "ransomware", "open", "cyber criminal", "record type", "ttl value", "dropped", "execution", "hashes hashes", "hashes", "network", "communicating", "maui ransomware", "type name", "jpeg", "ms word", "document", "whois record", "january", "october", "december", "april", "august", "crypto", "awful", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "march", "urls http", "threat network", "problems", "whois whois", "probe", "startpage", "premium", "snatch", "first", "utc submissions", "submitters", "cloudflarenet", "gvb gelimed", "com laude", "mb super", "optimizer", "amazonaes", "summary iocs", "twitter", "united", "as20940", "aaaa", "as714 apple", "as16625 akamai", "win32mydoom feb", "name servers", "trojan", "as6185 apple", "creation date", "virtool", "worm", "date", "win32", "urls", "search", "servers", "targeting", "target", "tsara brashears", "united kingdom", "whitelisted", "as6453 tata", "passive dns", "domain", "as46606", "scan endpoints", "all search", "otx octoseek", "pulse submit", "url analysis", "as54113", "entries", "moved", "body", "unknown", "found", "files", "backdoor", "expiration date", "hallrender", "tulach", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "as62597 nsone", "as62729", "showing", "next", "as2914 ntt", "ireland unknown", "germany unknown", "as6461 zayo", "as7843 charter", "as3257 gtt", "ip address", "location united", "for privacy", "record value", "as54990", "bouvet island", "encrypt", "show", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "as15169 google", "domains ii", "sality", "ck id", "ck matrix", "intellectual property theft", "malicious file transfers", "scheme", "threat", "paste", "iocs", "hostnames", "urls https", "urls url", "j490s6lkpppw", "lfqprnkje8dni0" ], "references": [ "https://side3.com/", "https://www.side3.com", "http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]", "http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]", "http://fillmark.net/index.php [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www-temp.metrobyt-mobile.com [malicious | data collection]", "www.icloud.com [wp-login.php]", "webdisk.thehomemakers.nl [spyware | tracking]", "https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]", "URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org", "cs9.wac.phicdn.net.1.1.e64a8639.roksit.net", "www.anyxxxtube.net [malicious data collection]", "s3.amazonaws.com [targeting data collection]", "https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]", "api.utah.edu [access apple]", "https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]", "tv.apple.com", "104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]", "andrewka6.pythonanywhere.com [python connection - apple]", "http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma", "https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign", "sonymobilemail.com", "https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf", "pegahpouraseflaw.info", "http://mouthgrave.net/index.php", "ransomed.vc", "Intellectual property accessed and distributed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax", "display_name": "GoldMax", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Worm:Win32/Mydoom", "display_name": "Worm:Win32/Mydoom", "target": "/malware/Worm:Win32/Mydoom" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null } ], "attack_ids": [ { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Recording Industry", "Entertainers", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5271, "FileHash-MD5": 899, "FileHash-SHA1": 881, "FileHash-SHA256": 5609, "domain": 2199, "hostname": 3205, "CVE": 1, "email": 9 }, "indicator_count": 18074, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "814 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c4a1c74cf5f1af5be6464e", "name": " authsmtp.sabeydatacenters.com | tulach gained access to Side3 Studios Denver\t\t", "description": "", "modified": "2024-03-09T09:02:09.950000", "created": "2024-02-08T09:41:27.252000", "tags": [ "ssl certificate", "contacted", "historical ssl", "february", "referrer", "threat roundup", "apple ios", "goldfinder", "sibot", "goldmax", "hacktool", "malicious", "formbook", "contacted urls", "resolutions", "malware", "njrat", "ransomware", "open", "cyber criminal", "record type", "ttl value", "dropped", "execution", "hashes hashes", "hashes", "network", "communicating", "maui ransomware", "type name", "jpeg", "ms word", "document", "whois record", "january", "october", "december", "april", "august", "crypto", "awful", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "march", "urls http", "threat network", "problems", "whois whois", "probe", "startpage", "premium", "snatch", "first", "utc submissions", "submitters", "cloudflarenet", "gvb gelimed", "com laude", "mb super", "optimizer", "amazonaes", "summary iocs", "twitter", "united", "as20940", "aaaa", "as714 apple", "as16625 akamai", "win32mydoom feb", "name servers", "trojan", "as6185 apple", "creation date", "virtool", "worm", "date", "win32", "urls", "search", "servers", "targeting", "target", "tsara brashears", "united kingdom", "whitelisted", "as6453 tata", "passive dns", "domain", "as46606", "scan endpoints", "all search", "otx octoseek", "pulse submit", "url analysis", "as54113", "entries", "moved", "body", "unknown", "found", "files", "backdoor", "expiration date", "hallrender", "tulach", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "as62597 nsone", "as62729", "showing", "next", "as2914 ntt", "ireland unknown", "germany unknown", "as6461 zayo", "as7843 charter", "as3257 gtt", "ip address", "location united", "for privacy", "record value", "as54990", "bouvet island", "encrypt", "show", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "as15169 google", "domains ii", "sality", "ck id", "ck matrix", "intellectual property theft", "malicious file transfers", "scheme", "threat", "paste", "iocs", "hostnames", "urls https", "urls url", "j490s6lkpppw", "lfqprnkje8dni0" ], "references": [ "https://side3.com/", "https://www.side3.com", "http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]", "http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]", "http://fillmark.net/index.php [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www-temp.metrobyt-mobile.com [malicious | data collection]", "www.icloud.com [wp-login.php]", "webdisk.thehomemakers.nl [spyware | tracking]", "https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]", "URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org", "cs9.wac.phicdn.net.1.1.e64a8639.roksit.net", "www.anyxxxtube.net [malicious data collection]", "s3.amazonaws.com [targeting data collection]", "https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]", "api.utah.edu [access apple]", "https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]", "tv.apple.com", "104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]", "andrewka6.pythonanywhere.com [python connection - apple]", "http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma", "https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign", "sonymobilemail.com", "https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf", "pegahpouraseflaw.info", "http://mouthgrave.net/index.php", "ransomed.vc", "Intellectual property accessed and distributed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax", "display_name": "GoldMax", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Worm:Win32/Mydoom", "display_name": "Worm:Win32/Mydoom", "target": "/malware/Worm:Win32/Mydoom" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null } ], "attack_ids": [ { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Recording Industry", "Entertainers", "Civil Society" ], "TLP": "white", "cloned_from": "65c4a099f6a2c8fc2bb85d4b", "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5271, "FileHash-MD5": 899, "FileHash-SHA1": 881, "FileHash-SHA256": 5609, "domain": 2199, "hostname": 3205, "CVE": 1, "email": 9 }, "indicator_count": 18074, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "814 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0cf9b0dac1aa7f9046cf", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:28:25.092000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0cfda433eb05bde3827b", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:28:29.606000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0d2518a7ef9bb17df1b9", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:29:09.832000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0d302007152543202bac", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:29:20.375000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 310, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "cellebrite.com | enterprise.cellebrite.com", "http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "CS IDS rule: (port_scan) TCP filtered portsweep", "URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org", "https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "http://mouthgrave.net/index.php", "deviceinbox.com", "https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "https://side3.com/", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign", "https://www.sweetheartvideo.com/tsara-brashears/", "webdisk.thehomemakers.nl [spyware | tracking]", "www.anyxxxtube.net [malicious data collection]", "nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]", "http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]", "www-temp.metrobyt-mobile.com [malicious | data collection]", "andrewka6.pythonanywhere.com [python connection - apple]", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "cs9.wac.phicdn.net.1.1.e64a8639.roksit.net", "Found in: https://Side3.com/", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "c1a99e3bde9bad27e463c32b96311312.virus", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "pornhub.org", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "https://www.side3.com", "sonymobilemail.com", "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "nr-data.net [Apple Private Data Collection]", "s3.amazonaws.com [targeting data collection]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "http://fillmark.net/index.php [phishing]", "Intellectual property accessed and distributed", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "ww12.indianpornxxxtube.com", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "tv.apple.com", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "www.icloud.com [wp-login.php]", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]", "api.utah.edu [access apple]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://mobilesmafia.com/applications/botnet.ex", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]", "ransomed.vc", "pegahpouraseflaw.info" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "NSO Group - Pegasus" ], "malware_families": [ "Cyber criminal", "Formbook", "#lowfi:suspicioussectionname", "Worm:win32/mydoom", "W32.sality-73", "Win.trojan.mbrlock-9779766-0", "Win32:inject-bcl\\ [trj]", "Win32/tanatos.a", "Hacktool", "Sality", "Trojan:win32/remcosrat", "Njrat", "Ransomware", "Sheur4.ceoo", "Goldfinder", "Tulach", "Generic_r.byw", "Quasar rat", "Ransomexx", "Sibot", "Win.trojan.agent-828507", "Maui ransomware", "Goldmax", "Win32:evo-gen\\ [trj]", "Trojan:win32/wannacry.350", "Win32/cryptor" ], "industries": [ "Media", "Entertainment", "Recording industry", "Civil society", "Technology", "Entertainers", "Telecommunications" ], "unique_indicators": 54991 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/18dy44.xyz", "whois": "http://whois.domaintools.com/18dy44.xyz", "domain": "18dy44.xyz", "hostname": "www.18dy44.xyz" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "65c607c354336e9c19aa3e1f", "name": "RansomEXX + Cyber attack \u2022 Premier Denver Recording Studio", "description": "Studio description: Adelio developed and managed A-list producer DJ Frank E, who has worked with the likes of Kanye West, B.O.B., Madonna, and Justin Bieber...\nResearch confirms target releases songs recorded @ Side3 studios.\nCreative differences aren't uncommon, research shows a common kink with m. Brian sabey if hallrender hacking everything from hospital is to insurance portals. He's nuts. Unclear if true nameof attacker is Brian Sabey /Tulach / using NSO grouo and various cyver attacks. A man representing an attorney named M. Brian Sabey socially engineered himself and others into targets world. If studio interns or management had malice towards target, social engineering access would be easy.", "modified": "2024-03-10T11:05:48.248000", "created": "2024-02-09T11:08:51.939000", "tags": [ "url http", "united", "unknown", "search", "status", "creation date", "date", "expiration date", "showing", "as201682 liquid", "as32244 liquid", "trojan", "passive dns", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "open", "win32", "body", "date hash", "avast avg", "lowfi", "ssl certificate", "contacted", "whois whois", "sdhyzbh7v http", "whois record", "execution", "apple ios", "historical ssl", "resolutions", "sdhyzbh7v", "attack", "ransomexx", "quasar", "asyncrat", "hacktool", "maze", "find", "hell", "crypto", "remcosrat", "worm", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "porkbun llc", "ovh sas", "summary iocs", "graph community", "as63949 linode", "for privacy", "asnone united", "as174 cogent", "as197695 domain", "russia unknown", "as16276", "france unknown", "encrypt", "next", "tsara brashears", "targeting", "cyber threat", "abuse", "malware spreading", "hallgrand", "tulach", "sabey data centers", "sav.com", "outbreak", "location united", "asn as63949", "whois registrar", "related tags", "interfacing", "malicious", "retaliation", "botnet", "porn", "teen porn", "illegal activities", "theft", "side3studios" ], "references": [ "http://mobilesmafia.com/applications/botnet.ex", "Found in: https://Side3.com/", "CnC IP's: 198.58.118.167 \u2022 45.33.18.44 \u2022 45.33.2.79 \u2022 45.33.20.235 \u2022 45.33.23.183 \u2022 45.33.30.197 \u2022 45.79.19.196 \u2022 45.33.30.197 \u2022 45.56.79.23 \u2022 72.14.178.174 \u2022 72.14.185.43 \u2022 96.126.123.244", "https://otx.alienvault.com/indicator/domain/findmy-apple.support", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing \u2022 malvertizing \u2022 apple data collection]", "nr-data.net [Apple Private Data Collection]", "WHOIS Registrar: SAV.COM, LLC - 35, Creation Date: Feb 5, 2024 - again?", "/addons/error.txt&reffer=http://www.mp3olimp.net/\" target=\"_blank\" class=\"nowrap ellipsis\">http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03", "http://c1.getapplicationmy.info/?step_id=1&installer_id=5230748627062792346&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=2&download_id=8693199875993334460&external_id=0&session_id=16805482311189156276&hardware_id=369127768221549700&product_name=cocina.rar&installer_file_name=cocina.rar&product_file_name=cocina.rar&product_download_url=http://fra-7m17-stor09.uploaded.net/dl/a2433760-879d-4562-b94d-461547fc758c&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.getapplicationmy.info/?step_id=1&installer_id=3243239242933260735&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=1595002368180071203&external_id=0&session_id=16667576891246135775&hardware_id=8615325681080375910&product_name=vintage+boxing+bell+03&=&=&=&=&filesize=113.03mb&product_title=vintage+boxing+bell+03&installer_file_name=vintage+boxing+bell+03&product_file_name=vintage+boxing&AddToPayload=StepReport=", "http://c1.downlloaddatamy.info/?step_id=1&installer_id=4472257684899349270&publisher_id=2213&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=2&download_id=5397224780012170065&external_id=0&installer_type=IX_2013&hardware_id=15739043569615579517&session_id=6869288066589810689&installer_type=IX_2013&=&=&=&q=solutionnice.info&product_name=Design%20and%20Implementation%20of%20a%20Home%20Embedded%20Surveillance%20System%20with%20Ultra%20Low%20Alert%20Power%20doc&installer_file_", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2096894809025524155&publisher_id=1273&source_id=0&page_id=0&affiliate_id=0&country_code=RU&locale=EN&browser_id=1&download_id=6356079339412925470&external_id=0&session_id=14287130792570298399&hardware_id=11580995441620935677&product_name=rachel%20blaine%20-%20don%20t%20you%20want%20me&product_file_name=error.txt&AddToPayload=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "http://c2.getapplicationmy.info/?step_id=1&installer_id=2488504921480818878&publisher_id=1160&source_id=0&page_id=0&affiliate_id=0&country_code=ES&locale=EN&browser_id=4&download_id=2186029835193520054&external_id=0&session_id=16256931977914952487&hardware_id=14366935065466949181&product_name=Libro%23003119.pdf&installer_file_name=Libro%23003119.pdf&product_file_name=Libro%23003119.pdf&product_download_url=http://fra-7m21-stor06.uploaded.net/dl/780b5695-d022-4fab-9aa0-b967ecaf5828&AddToPayload=StepReport=", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://sexpornimages.com.leechlink.net [Match: www.sexpornimages.com/lynn/lynn-brashears-tsara-porn/rc1j0g.html]", "pornhub.org", "ww12.indianpornxxxtube.com", "youporndownload.com [park logic -malicious] http://golddesisex.com/en/search/teen%20anal%20long%20porn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Inject-BCL\\ [Trj]", "display_name": "Win32:Inject-BCL\\ [Trj]", "target": null }, { "id": "#Lowfi:SuspiciousSectionName", "display_name": "#Lowfi:SuspiciousSectionName", "target": null }, { "id": "Win32:Evo-gen\\ [Trj]", "display_name": "Win32:Evo-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Mbrlock-9779766-0", "display_name": "Win.Trojan.Mbrlock-9779766-0", "target": null }, { "id": "Win.Trojan.Agent-828507", "display_name": "Win.Trojan.Agent-828507", "target": null }, { "id": "SHeur4.CEOO", "display_name": "SHeur4.CEOO", "target": null }, { "id": "Win32/Cryptor", "display_name": "Win32/Cryptor", "target": null }, { "id": "Win32/Tanatos.A", "display_name": "Win32/Tanatos.A", "target": null }, { "id": "W32.Sality-73", "display_name": "W32.Sality-73", "target": null }, { "id": "Generic_r.BYW", "display_name": "Generic_r.BYW", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Trojan:Win32/RemcosRAT", "display_name": "Trojan:Win32/RemcosRAT", "target": "/malware/Trojan:Win32/RemcosRAT" }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 71387, "domain": 8768, "hostname": 17727, "email": 16, "FileHash-MD5": 195, "FileHash-SHA1": 168, "FileHash-SHA256": 15313, "CVE": 9, "CIDR": 7 }, "indicator_count": 113590, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c4a099f6a2c8fc2bb85d4b", "name": "Cyber espionage & ransomware attacks Denver Recording Studio", "description": "GoldMax is used by UNC2452 as a command-and-control backdoor. It is written in the Go programming language. To hide its activities, it generates dummy traffic.\n\nSibot is a VBScript-based malware that allows attackers to download and run payloads from a remote command-and-control server. It uses file names that are similar to those used in Windows for masquerading. The VBScript is executed through a scheduled task.\n\nGoldFinder is another Go malware used by attackers to access a hardcoded command-and-control (C2) server by logging the route or hops that a packet takes like an HTTP tracer tool.", "modified": "2024-03-09T09:02:09.950000", "created": "2024-02-08T09:36:25.114000", "tags": [ "ssl certificate", "contacted", "historical ssl", "february", "referrer", "threat roundup", "apple ios", "goldfinder", "sibot", "goldmax", "hacktool", "malicious", "formbook", "contacted urls", "resolutions", "malware", "njrat", "ransomware", "open", "cyber criminal", "record type", "ttl value", "dropped", "execution", "hashes hashes", "hashes", "network", "communicating", "maui ransomware", "type name", "jpeg", "ms word", "document", "whois record", "january", "october", "december", "april", "august", "crypto", "awful", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "march", "urls http", "threat network", "problems", "whois whois", "probe", "startpage", "premium", "snatch", "first", "utc submissions", "submitters", "cloudflarenet", "gvb gelimed", "com laude", "mb super", "optimizer", "amazonaes", "summary iocs", "twitter", "united", "as20940", "aaaa", "as714 apple", "as16625 akamai", "win32mydoom feb", "name servers", "trojan", "as6185 apple", "creation date", "virtool", "worm", "date", "win32", "urls", "search", "servers", "targeting", "target", "tsara brashears", "united kingdom", "whitelisted", "as6453 tata", "passive dns", "domain", "as46606", "scan endpoints", "all search", "otx octoseek", "pulse submit", "url analysis", "as54113", "entries", "moved", "body", "unknown", "found", "files", "backdoor", "expiration date", "hallrender", "tulach", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "as62597 nsone", "as62729", "showing", "next", "as2914 ntt", "ireland unknown", "germany unknown", "as6461 zayo", "as7843 charter", "as3257 gtt", "ip address", "location united", "for privacy", "record value", "as54990", "bouvet island", "encrypt", "show", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "as15169 google", "domains ii", "sality", "ck id", "ck matrix", "intellectual property theft", "malicious file transfers", "scheme", "threat", "paste", "iocs", "hostnames", "urls https", "urls url", "j490s6lkpppw", "lfqprnkje8dni0" ], "references": [ "https://side3.com/", "https://www.side3.com", "http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]", "http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]", "http://fillmark.net/index.php [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www-temp.metrobyt-mobile.com [malicious | data collection]", "www.icloud.com [wp-login.php]", "webdisk.thehomemakers.nl [spyware | tracking]", "https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]", "URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org", "cs9.wac.phicdn.net.1.1.e64a8639.roksit.net", "www.anyxxxtube.net [malicious data collection]", "s3.amazonaws.com [targeting data collection]", "https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]", "api.utah.edu [access apple]", "https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]", "tv.apple.com", "104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]", "andrewka6.pythonanywhere.com [python connection - apple]", "http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma", "https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign", "sonymobilemail.com", "https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf", "pegahpouraseflaw.info", "http://mouthgrave.net/index.php", "ransomed.vc", "Intellectual property accessed and distributed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax", "display_name": "GoldMax", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Worm:Win32/Mydoom", "display_name": "Worm:Win32/Mydoom", "target": "/malware/Worm:Win32/Mydoom" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null } ], "attack_ids": [ { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Recording Industry", "Entertainers", "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5271, "FileHash-MD5": 899, "FileHash-SHA1": 881, "FileHash-SHA256": 5609, "domain": 2199, "hostname": 3205, "CVE": 1, "email": 9 }, "indicator_count": 18074, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "814 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c4a1c74cf5f1af5be6464e", "name": " authsmtp.sabeydatacenters.com | tulach gained access to Side3 Studios Denver\t\t", "description": "", "modified": "2024-03-09T09:02:09.950000", "created": "2024-02-08T09:41:27.252000", "tags": [ "ssl certificate", "contacted", "historical ssl", "february", "referrer", "threat roundup", "apple ios", "goldfinder", "sibot", "goldmax", "hacktool", "malicious", "formbook", "contacted urls", "resolutions", "malware", "njrat", "ransomware", "open", "cyber criminal", "record type", "ttl value", "dropped", "execution", "hashes hashes", "hashes", "network", "communicating", "maui ransomware", "type name", "jpeg", "ms word", "document", "whois record", "january", "october", "december", "april", "august", "crypto", "awful", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "march", "urls http", "threat network", "problems", "whois whois", "probe", "startpage", "premium", "snatch", "first", "utc submissions", "submitters", "cloudflarenet", "gvb gelimed", "com laude", "mb super", "optimizer", "amazonaes", "summary iocs", "twitter", "united", "as20940", "aaaa", "as714 apple", "as16625 akamai", "win32mydoom feb", "name servers", "trojan", "as6185 apple", "creation date", "virtool", "worm", "date", "win32", "urls", "search", "servers", "targeting", "target", "tsara brashears", "united kingdom", "whitelisted", "as6453 tata", "passive dns", "domain", "as46606", "scan endpoints", "all search", "otx octoseek", "pulse submit", "url analysis", "as54113", "entries", "moved", "body", "unknown", "found", "files", "backdoor", "expiration date", "hallrender", "tulach", "all octoseek", "url http", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "as62597 nsone", "as62729", "showing", "next", "as2914 ntt", "ireland unknown", "germany unknown", "as6461 zayo", "as7843 charter", "as3257 gtt", "ip address", "location united", "for privacy", "record value", "as54990", "bouvet island", "encrypt", "show", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "as15169 google", "domains ii", "sality", "ck id", "ck matrix", "intellectual property theft", "malicious file transfers", "scheme", "threat", "paste", "iocs", "hostnames", "urls https", "urls url", "j490s6lkpppw", "lfqprnkje8dni0" ], "references": [ "https://side3.com/", "https://www.side3.com", "http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]", "http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]", "http://fillmark.net/index.php [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www-temp.metrobyt-mobile.com [malicious | data collection]", "www.icloud.com [wp-login.php]", "webdisk.thehomemakers.nl [spyware | tracking]", "https://tulach.cc/ [phishing - malware engineers. Malware commonly associated with m.brian sabey of hallrender.(.)com [malware hosting/attacking legal team]", "URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [OS & iOS password cracker] | 136-186.pornhub.org", "cs9.wac.phicdn.net.1.1.e64a8639.roksit.net", "www.anyxxxtube.net [malicious data collection]", "s3.amazonaws.com [targeting data collection]", "https://twitter.com/PORNO_SEXYBABES | https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "nr-data.net [Apple Private Data Collection] | 67.199.248.12 [apple data collection IP]", "api.utah.edu [access apple]", "https://applemusic-spotlight.myunidays.com/US/en-US? [access to vulnerable or targeted devices via media]", "tv.apple.com", "104.92.250.162 [Apple image scanning IP] || appleid.com [insecure. other users]", "andrewka6.pythonanywhere.com [python connection - apple]", "http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma", "https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign", "sonymobilemail.com", "https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf", "pegahpouraseflaw.info", "http://mouthgrave.net/index.php", "ransomed.vc", "Intellectual property accessed and distributed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "GoldFinder", "display_name": "GoldFinder", "target": null }, { "id": "GoldMax", "display_name": "GoldMax", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sibot", "display_name": "Sibot", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Worm:Win32/Mydoom", "display_name": "Worm:Win32/Mydoom", "target": "/malware/Worm:Win32/Mydoom" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null } ], "attack_ids": [ { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Recording Industry", "Entertainers", "Civil Society" ], "TLP": "white", "cloned_from": "65c4a099f6a2c8fc2bb85d4b", "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5271, "FileHash-MD5": 899, "FileHash-SHA1": 881, "FileHash-SHA256": 5609, "domain": 2199, "hostname": 3205, "CVE": 1, "email": 9 }, "indicator_count": 18074, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "814 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0cf9b0dac1aa7f9046cf", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:28:25.092000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0cfda433eb05bde3827b", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:28:29.606000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0d2518a7ef9bb17df1b9", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:29:09.832000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65bc0d302007152543202bac", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:29:20.375000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 310, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.18dy44.xyz", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.18dy44.xyz", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780334857.6370509 }