{ "type": "URL", "indicator": "https://www.1api.net/send-message/corona-prediciton.com/registrant", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.1api.net/send-message/corona-prediciton.com/registrant", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4140272287, "indicator": "https://www.1api.net/send-message/corona-prediciton.com/registrant", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "6940b852c28f2a2c6abb4aad", "name": "FRITZ!Box \u2026.Connecting to Apple devices", "description": "Connecting to targeted Apple\ndevices overnight. \n\nHow to connect to the FRITZ!Box, how to access all of the product's functions, and what to do with the device if you are not connected to it in your home network.", "modified": "2026-01-15T01:02:47.757000", "created": "2025-12-16T01:39:30.381000", "tags": [ "fritz", "strong", "main navigation", "deutsch", "englisch", "funktionen der", "verbindung zur", "wifi", "ip address", "box avm", "lowfi", "win32", "susp", "urls", "files", "asn as44716", "related tags", "indicator facts", "germany unknown", "a domains", "meta", "typo3", "body doctype", "kasper skaarhoj", "gmt server", "pragma", "a nxdomain", "nxdomain", "whitelisted", "present aug", "present jul", "present oct", "present jun", "united", "present sep", "present nov", "next http", "scans show", "title", "div div", "a li", "wir suchen", "li ul", "avm karriere", "dich a", "reverse dns", "berlin", "germany asn", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "none related", "passive dns", "ipv4", "url analysis", "present dec", "moved", "certificate", "vertriebs gmbh", "aaaa", "as12732 gutcon", "domain", "hostname", "verdict", "files ip", "address", "germany", "as13335", "as8220 colt", "present may", "united kingdom", "regsetvalueexa", "regdword", "regbinary", "show", "yara detections", "regsetvalueexw", "regsz", "medium", "suspicious", "delphi", "malware", "write", "as6878", "msie", "chrome", "gmt content", "germany showing", "createobject", "set http", "search", "high", "read c", "et trojan", "jfif", "ascii text", "detected", "trojan generic", "checkin", "pony downloader", "http library", "virustotal", "riskware", "mcafee", "drweb", "vipre", "trojan", "panda", "next", "unknown", "as15169 google", "status", "name servers", "record value", "emails", "error", "trojandropper", "results dec", "ddos", "worm", "mtb trojan", "mtb apr", "exev2e", "ia256", "extraction", "get http", "post http", "learn", "command", "ck id", "name tactics", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "germany germany", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "show technique", "ck matrix", "show process", "network traffic", "t1057", "t1071", "hybrid", "local", "path", "t1204 user", "defense evasion", "t1480 execution", "sha1", "sha256", "size", "script", "null", "span", "refresh", "footer", "body", "june", "general", "click", "strings", "tools", "tracker", "code", "look", "verify", "restart", "bad traffic", "et info", "tls handshake", "failure", "process details", "flag", "link", "present feb", "servers", "redacted for", "as20546 soprado", "encrypt", "mtb sep", "ransom", "next associated", "twitter", "virtool", "hostname add", "location russia", "as200350", "russia unknown", "federation flag", "ipv4 add", "asn as200350", "related", "domain add", "unknown ns", "expiration date", "http version", "windows nt", "gbot", "post method", "port", "destination", "delete", "get na", "as15169", "expiration", "url https", "no expiration", "showing", "entries", "url add", "pulse pulses", "http", "files domain", "files related", "pulses none", "unknown cname", "cname", "asn as24940", "less", "date", "pulse submit" ], "references": [ "https://fritz.box/login | router.box | wlan.box | mesh.box | myfritz.box | https://business.kozow.com/bbox/ |", "https://avm.de/ Connection: close Content Type: text/html charset=iso 8859 1", "AVM Computersysteme Vertriebs GmbH Certificate Subject: IT Certificate Subject *.avm.de Certificate Issuer: US", "Certificate Issuer: DigiCert Inc Certificate Issuer: |DigiCert SHA2 Secur Server CA", "Subject: DE Certificate Subject: Berlin Certificate Subject", "https://uutiskirje.professiogroup.com/go/54382390-5506438-191003959\u241d", "http://b25d1a05.click.convertkit-mail2.com \u2022 https://b25d1a05.click.convertkit-mail2.com", "https://push.adac.passcreator.com/ | passcreator-metrics.e07cc1.flownative.cloud", "ecs-80-158-49-8.reverse.open-telekom-cloud.com", "http://24.211.14.182:5555/login.htm?page=%2F | s5wpr2nreqby04v9.myfritz.ne", "HYPERTRM.EXE - FileHash-SHA256 21cf992aba3d4adbc8a6bd65337f46a93983fbec8fe0f4639be826571ae469ba", "Copyright \u00a9 Hilgraeve, Inc. 2001 Product Microsoft\u00ae Windows\u00ae Operating System Description HyperTerminal Applet", "Original Name HYPERTRM.EXE Internal Name HyperTrm File Version 5.1.2600.0", "Comments HyperTerminal \u00ae was developed by Hilgraeve, Inc. for Microsoft", "ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System", "ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.\t192.168.56.103\t173.194.113.114", "ET TROJAN Trojan Generic - POST To gate.php with no referer\t192.168.56.103\t173.194.113.114", "ET TROJAN Fareit/Pony Downloader Checkin 2\t192.168.56.103\t173.194.113.114", "ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98\t192.168.56.103\t173.194.113.114", "http://applewaebastian.fritz.box/ \u2022 applewaebastian.fritz.box", "http://netuser.joymeng.com/charge_apple/notify", "https://www.passcreator.com/en/apple-wallet-passes", "https://sso.myfritz.net/static/images/icons/apple-touch-icon-76x76.png No", "apple-business.cancom.at", "Apple - 162.55.158.153", "Crypt2.AZDI - FileHash-SHA256 62ffd7a3a21a5732870c4ad92fad7287a5270e4a5508752cfef0aa6f9ea30d1f", "Inject.BRDV - FileHash-SHA256\t25f639cdaae06656ab5e0cc80512146aa59097439c388dd15e4cc09343d9a283", "Win32:Androp - FileHash-MD5 99c6c9564af67a954661ebf6e41391d2", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-MD5\t99c8310538a090d2b7e5db3ea22b839a", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA1-2f7189e96cda26dbb6948354667fdd1ad37c04c0", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA256\tae2fb6755dbf52fa44e427fbe0f29bf541aeedf66656edeb08ba9d7ef1617afc", "Ip Traffic: TCP 74.125.24.106:80 (googleapis.com) TCP 85.195.91.179:80 (catch-cdn.com) UDP :53", "ALF:CERT:Adware:Win32/Peapoon Win.Malware.Midie-6847893-0\tTrojanDropper:Win32/Muldrop.V!MTB Win.Malware.Generickdz-9938530-0\tTrojan:Win32/Zombie.A Win.Malware.Genpack-6989317-0\tTrojanDropper:Win32/VB.IL Win.Trojan.VBGeneric-6735875-0\tWorm:Win32/Mofksys" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#LowFi:Tool:Win32/VbsToExeV2E", "display_name": "#LowFi:Tool:Win32/VbsToExeV2E", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Androp", "display_name": "Androp", "target": null }, { "id": "Inject.BRDV", "display_name": "Inject.BRDV", "target": null }, { "id": "Win32:Androp", "display_name": "Win32:Androp", "target": null }, { "id": "Crypt2.AZDI", "display_name": "Crypt2.AZDI", "target": null }, { "id": "TEL:MSIL/DlSocConSend", "display_name": "TEL:MSIL/DlSocConSend", "target": "/malware/TEL:MSIL/DlSocConSend" }, { "id": "DDOS:Linux/Lightaidra", "display_name": "DDOS:Linux/Lightaidra", "target": "/malware/DDOS:Linux/Lightaidra" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Trojan:Win32/Salgorea.C!MTB", "display_name": "Trojan:Win32/Salgorea.C!MTB", "target": "/malware/Trojan:Win32/Salgorea.C!MTB" }, { "id": "Worm:Win32/Autorun.XFV", "display_name": "Worm:Win32/Autorun.XFV", "target": "/malware/Worm:Win32/Autorun.XFV" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "Worm:Win32/Yuner.A", "display_name": "Worm:Win32/Yuner.A", "target": "/malware/Worm:Win32/Yuner.A" }, { "id": "Win.Trojan.Zegost", "display_name": "Win.Trojan.Zegost", "target": null }, { "id": "PWS:Win32/QQpass", "display_name": "PWS:Win32/QQpass", "target": "/malware/PWS:Win32/QQpass" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win.Trojan.Generic", "display_name": "Win.Trojan.Generic", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win32/Trickler", "display_name": "Win32/Trickler", "target": null }, { "id": "Win.Malware.Hd0kzai-9985588-0", "display_name": "Win.Malware.Hd0kzai-9985588-0", "target": null }, { "id": "Trojan:Win32/Aenjaris.AL!bit", "display_name": "Trojan:Win32/Aenjaris.AL!bit", "target": "/malware/Trojan:Win32/Aenjaris.AL!bit" }, { "id": "Trojan:Win32/Agent.AG!MTB", "display_name": "Trojan:Win32/Agent.AG!MTB", "target": "/malware/Trojan:Win32/Agent.AG!MTB" }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Win.Malware.Barys-6840738-0", "display_name": "Win.Malware.Barys-6840738-0", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Trojan:Win32/EyeStye.T", "display_name": "Trojan:Win32/EyeStye.T", "target": "/malware/Trojan:Win32/EyeStye.T" }, { "id": "wormWin32/Mofksys.RND!MTB", "display_name": "wormWin32/Mofksys.RND!MTB", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "CVE 2007695", "display_name": "CVE 2007695", "target": null } ], "attack_ids": [ { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 927, "hostname": 2093, "FileHash-SHA256": 1474, "URL": 5935, "FileHash-MD5": 351, "FileHash-SHA1": 252, "email": 5, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11040, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "136 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "690a2c38de1708af54217faa", "name": "Access Token used to steal security credentials & hack and ride DND of targeted individuals", "description": "- https://shift.gearboxsoftware.com/link\n- Found embedded in targets phone.\n\nAccess Token used to steal security credentials & hack and ride DND of targeted individuals device. \nTAM Legal \u2022 Tulach \u2022 Hall Render \u2022 Quasi Government | Some type of Foundry user account found. \n\nStop illegally \n stalking, harassment, attempts, hacking, death threats. . Because the Colorado government allowing entities like this to operate without any type of rules, oversight or boundaries \nMILLION$ were wasted in your own fraud, waste in abuse scheme. AT&T , CrowdStrike , United Healthcare , UC Healthcare, Intermountain Health, T-Mobile, Amazon East, the Colorado Government itself, Medicare and Medicaid. For what? You have zero talent so you take it from those who do. You have nothing coming to you so you steal it from those who do. Is this somehow legal? \n#contacted #all_hosts backdoor #ransomware #cve #usa #american_terrorists #workers_compenstation_abuse #silencing #targeting #hitmen #illegal #malvertizing #aws_dns", "modified": "2025-12-04T15:01:02.531000", "created": "2025-11-04T16:39:20.035000", "tags": [ "present aug", "moved", "encrypt", "present jul", "passive dns", "ipv4 add", "reverse dns", "united states", "present may", "ip address", "gmt content", "ipv4", "all ipv4", "america", "united", "present oct", "name servers", "redacted for", "emails", "for privacy", "unknown ns", "unknown aaaa", "dynamicloader", "focus region", "unicode text", "utf16", "ms windows", "bokeh onlycanon", "zeiss jena", "mcsonnar", "high", "win64", "stream", "write", "smartassembly", "trailer", "next", "search", "medium", "as15169", "write c", "reads", "team", "malware", "local", "yara detections", "delphi", "strings", "dcom", "form", "trojandropper", "mtb nov", "backdoor", "otx telemetry", "trojan", "type", "data upload", "extraction", "ol rop", "hash avast", "avg clamav", "msdefender nov", "win32upatre nov", "win32berbew nov", "dynamic", "pe section", "error", "close", "status", "urls", "expiration date", "hostname", "url analysis", "yara rule", "show", "binary file", "wine emulator", "mtb oct", "files", "denmark asn", "as32934", "candyopen", "possible", "smoke loader", "trojanspy", "filehash", "pulses otx", "related tags", "file type", "no analysis", "available", "api key", "screenshots", "present nov", "aaaa", "mtb may", "mexico", "hostname add", "registrar", "domain add", "location united", "email add", "none related", "domains", "email domain", "service", "domain", "america flag", "body", "title", "aws dns", "next associated", "risepro", "guard", "v full", "reports v", "t1059 shared", "modules", "t1129 system", "t1569", "help v", "t1179 boot", "logon autost", "encoding", "packing f0001", "hidden files", "e1203 windows", "file attributes", "registry value", "catalog tree", "analysis ob0001", "evasion b0003", "virtual machine", "ip traffic", "memory pattern", "pattern urls", "tls sni", "get https", "post https", "named pipe", "delete c", "radar", "defender", "format", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "country", "contacted hosts", "process details", "flag", "globalc", "intel", "win32", "worm", "path", "explorer", "script", "href", "external", "html content", "tulach", "hallrender", "tam legal", "brian sabey", "christopher ahmann", "apple", "msie", "chrome", "ascio", "creation date", "date", "germany unknown", "germany asn", "files ip", "address", "asn as24940", "less", "script urls", "a domains", "prox", "dennis schrder", "meta", "apache", "99u25f.exe", "entries", "as24940 hetzner", "dns resolutions", "status code", "body length", "kb body", "software/ hardware", "external-resources", "password-input", "overview", "colorado" ], "references": [ "https://shift.gearboxsoftware.com/link", "https://tulach.cc/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com", "x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe", "https://www.turbo.net/run/videolan/vlc", "http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/", "Overview \"Keeping money\" by the Colorado workers' compensation system can refer to", "legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal", "counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before ." ], "public": 1, "adversary": "Colorado Quasi Government | Workerk Compensation", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9878032-0", "display_name": "Win.Trojan.Generic-9878032-0", "target": null }, { "id": "Win.Trojan.Starter-171", "display_name": "Win.Trojan.Starter-171", "target": null }, { "id": "GravityRAT", "display_name": "GravityRAT", "target": null }, { "id": "Backdoor:Win32/Berbew.AA!MTB", "display_name": "Backdoor:Win32/Berbew.AA!MTB", "target": "/malware/Backdoor:Win32/Berbew.AA!MTB" }, { "id": "Trojan:MSIL/AgentTesla.DW!MTB", "display_name": "Trojan:MSIL/AgentTesla.DW!MTB", "target": "/malware/Trojan:MSIL/AgentTesla.DW!MTB" }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Trojandropper:Win32/VB.IL", "display_name": "Trojandropper:Win32/VB.IL", "target": "/malware/Trojandropper:Win32/VB.IL" }, { "id": "Nemucod", "display_name": "Nemucod", "target": null }, { "id": "Berbew", "display_name": "Berbew", "target": null }, { "id": "PWS:Win32/Zbot.MS!MTB", "display_name": "PWS:Win32/Zbot.MS!MTB", "target": "/malware/PWS:Win32/Zbot.MS!MTB" }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Exploit.Rozena-10038302-0", "display_name": "Win.Exploit.Rozena-10038302-0", "target": null }, { "id": "Zombie", "display_name": "Zombie", "target": null }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "Muldrop", "display_name": "Muldrop", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Dorv", "display_name": "Dorv", "target": null }, { "id": "Win.Malware.Pits-10035540-0", "display_name": "Win.Malware.Pits-10035540-0", "target": null }, { "id": "Win.Ransomware.Msilzilla-10014498-0", "display_name": "Win.Ransomware.Msilzilla-10014498-0", "target": null }, { "id": "CVE-2023-4966", "display_name": "CVE-2023-4966", "target": null }, { "id": "Exploit:Linux/CVE-2017-17215", "display_name": "Exploit:Linux/CVE-2017-17215", "target": "/malware/Exploit:Linux/CVE-2017-17215" }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6051, "hostname": 2627, "FileHash-MD5": 401, "FileHash-SHA1": 257, "email": 11, "domain": 1838, "FileHash-SHA256": 1742, "CVE": 4, "SSLCertFingerprint": 3 }, "indicator_count": 12934, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "177 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68efedf37890e1b32d60eb55", "name": "Assurant Insurance \u2022 Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant , T-Mobile & me", "description": "Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant and T-Mobile and me. There is truth to the tip I received. This is the 3rd time all of my networks went down , even my phone disconnected and phone number changed temporarily. \n\nJosh T found again. Online profile possibly staged. Stated he is a gamer , self trained in Lua, , CS major in Canada. He is a malicious hacker and streamer and probably an entity. Eric _E iCloud related. Found DoD & Mil hackers related. I haven\u2019t taken the time to authenticate.. Very malicious and talented hackers attacking. I can\u2019t ignore the .mil and DoD items that populated in previous pulses. \n \n[OTX Auto Populated-Trojan-gen-Glupteba, Danabot, Prorat, and other names have been identified as the names of those affected by the latest cyber-attack on the internet.]", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T18:54:43.205000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "197 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68efee5ba882db423d3bad8f", "name": "Assurant & T-Mobile BLYP Checkin ET MALWARE TROJAN \u2022 Kryptic", "description": "", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T18:56:27.950000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": "68efedf37890e1b32d60eb55", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "197 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68eff0848071708f9ee0c0bd", "name": "Gamarue \u2022 G3nasom\u2022 Simda\u2022 Ganelp affecting Assurant and T-Mobile Part 3", "description": "", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T19:05:40.466000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": "68efee5ba882db423d3bad8f", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "197 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before .", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "https://shift.gearboxsoftware.com/link", "https://uutiskirje.professiogroup.com/go/54382390-5506438-191003959\u241d", "Apple - 162.55.158.153", "HYPERTRM.EXE - FileHash-SHA256 21cf992aba3d4adbc8a6bd65337f46a93983fbec8fe0f4639be826571ae469ba", "http://24.211.14.182:5555/login.htm?page=%2F | s5wpr2nreqby04v9.myfritz.ne", "Inject.BRDV - FileHash-SHA256\t25f639cdaae06656ab5e0cc80512146aa59097439c388dd15e4cc09343d9a283", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "http://www.forensickb.com/2013/03/file-entropy-explained.html", "Overview \"Keeping money\" by the Colorado workers' compensation system can refer to", "x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe", "AVM Computersysteme Vertriebs GmbH Certificate Subject: IT Certificate Subject *.avm.de Certificate Issuer: US", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "https://avm.de/ Connection: close Content Type: text/html charset=iso 8859 1", "http://b25d1a05.click.convertkit-mail2.com \u2022 https://b25d1a05.click.convertkit-mail2.com", "ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.\t192.168.56.103\t173.194.113.114", "https://tulach.cc/", "you.are.poor.i.got.trap.money?", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA256\tae2fb6755dbf52fa44e427fbe0f29bf541aeedf66656edeb08ba9d7ef1617afc", "Ip Traffic: TCP 74.125.24.106:80 (googleapis.com) TCP 85.195.91.179:80 (catch-cdn.com) UDP :53", "https://www.turbo.net/run/videolan/vlc", "apple-business.cancom.at", "https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com", "https://fritz.box/login | router.box | wlan.box | mesh.box | myfritz.box | https://business.kozow.com/bbox/ |", "ET TROJAN Trojan Generic - POST To gate.php with no referer\t192.168.56.103\t173.194.113.114", "Copyright \u00a9 Hilgraeve, Inc. 2001 Product Microsoft\u00ae Windows\u00ae Operating System Description HyperTerminal Applet", "ET TROJAN Fareit/Pony Downloader Checkin 2\t192.168.56.103\t173.194.113.114", "Comments HyperTerminal \u00ae was developed by Hilgraeve, Inc. for Microsoft", "http://netuser.joymeng.com/charge_apple/notify", "Subject: DE Certificate Subject: Berlin Certificate Subject", "Certificate Issuer: DigiCert Inc Certificate Issuer: |DigiCert SHA2 Secur Server CA", "https://push.adac.passcreator.com/ | passcreator-metrics.e07cc1.flownative.cloud", "Original Name HYPERTRM.EXE Internal Name HyperTrm File Version 5.1.2600.0", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98\t192.168.56.103\t173.194.113.114", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "https://www.passcreator.com/en/apple-wallet-passes", "legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal", "Win32:Androp - FileHash-MD5 99c6c9564af67a954661ebf6e41391d2", "Crypt2.AZDI - FileHash-SHA256 62ffd7a3a21a5732870c4ad92fad7287a5270e4a5508752cfef0aa6f9ea30d1f", "ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-MD5\t99c8310538a090d2b7e5db3ea22b839a", "http://applewaebastian.fritz.box/ \u2022 applewaebastian.fritz.box", "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "ecs-80-158-49-8.reverse.open-telekom-cloud.com", "ALF:CERT:Adware:Win32/Peapoon Win.Malware.Midie-6847893-0\tTrojanDropper:Win32/Muldrop.V!MTB Win.Malware.Generickdz-9938530-0\tTrojan:Win32/Zombie.A Win.Malware.Genpack-6989317-0\tTrojanDropper:Win32/VB.IL Win.Trojan.VBGeneric-6735875-0\tWorm:Win32/Mofksys", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA1-2f7189e96cda26dbb6948354667fdd1ad37c04c0", "https://sso.myfritz.net/static/images/icons/apple-touch-icon-76x76.png No" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Colorado Quasi Government | Workerk Compensation" ], "malware_families": [ "Win.trojan.barys-10005825-0", "Crypt3.blxp", "Win.malware.hd0kzai-9985588-0", "Trojan:win32/salgorea", "Trojan:win32/blihan.a", "Danabot", "Backdoor:win32/berbew.aa!mtb", "Trojanspy", "Crypt5.bbyh", "Win.exploit.rozena-10038302-0", "Tofsee", "Gravityrat", "Crypt4.ahsw", "#lowfi:tool:win32/vbstoexev2e", "Win32:trojan", "Crypt3.bxmj", "Cve-2022-26134", "Win32/trickler", "Win.ransomware.msilzilla-10014498-0", "Unruy", "Win.trojan.starter-171", "Worm:win32/autorun.xfv", "Cve-2023-4966", "Win32:malware-gen", "Win.trojan.zegost", "Pws:win32/qqpass", "Crypt3.coiz", "Win.malware.barys-6840738-0", "Worm:win32/mofksys.rnd!mtb", "Muldrop", "Crypt3.boje", "Crypt3.boqd", "Berbew", "Ddos:linux/lightaidra", "Cve 2007695", "Pws:win32/zbot.ms!mtb", "Trojan:msil/agenttesla.dw!mtb", "Inject2.bive", "Alf:heraklezeval:trojan:msil/gravityrat!rfn", "Trojan:win32/agent.ag!mtb", "Crypt3.ckto", "Crypt3.cmtm", "Trojan:win32/aenjaris.al!bit", "Backdoor:win32/prorat.l", "Dorv", "Bc.win.packer.troll-11", "Trojan:win32/salgorea.c!mtb", "Tel:msil/dlsocconsend", "Inject.brdv", "Atros3.ahfb", "Zombie", "Androp", "Alf:heraklezeval:trojan:win32/ymacco.aa47", "Prorat", "Win32:androp", "Win.trojan.generic", "Ransom:win32/cve-2017-0147", "Crypt3.bxgr", "Trojan:win32/eyestye.t", "Win.malware.pits-10035540-0", "Crypt2.azdi", "Worm:win32/yuner.a", "Wormwin32/mofksys.rnd!mtb", "Trojan:win32/qqpass", "Nemucod", "Et", "Exploit:linux/cve-2017-17215", "Trojandropper:win32/muldrop.v!mtb", "Crypt3.bxvc", "Win.trojan.generic-9878032-0", "Crypt3.boiu", "Trojandropper:win32/vb.il", "Trojan:win32/glupteba.ov!mtb", "Trojan:win32/zombie", "Inject2.bhbw", "Upatre", "Trojan:win32/glupteba.mt!mtb" ], "industries": [ "Insurance", "Telecommunications" ], "unique_indicators": 43212 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/1api.net", "whois": "http://whois.domaintools.com/1api.net", "domain": "1api.net", "hostname": "www.1api.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "6940b852c28f2a2c6abb4aad", "name": "FRITZ!Box \u2026.Connecting to Apple devices", "description": "Connecting to targeted Apple\ndevices overnight. \n\nHow to connect to the FRITZ!Box, how to access all of the product's functions, and what to do with the device if you are not connected to it in your home network.", "modified": "2026-01-15T01:02:47.757000", "created": "2025-12-16T01:39:30.381000", "tags": [ "fritz", "strong", "main navigation", "deutsch", "englisch", "funktionen der", "verbindung zur", "wifi", "ip address", "box avm", "lowfi", "win32", "susp", "urls", "files", "asn as44716", "related tags", "indicator facts", "germany unknown", "a domains", "meta", "typo3", "body doctype", "kasper skaarhoj", "gmt server", "pragma", "a nxdomain", "nxdomain", "whitelisted", "present aug", "present jul", "present oct", "present jun", "united", "present sep", "present nov", "next http", "scans show", "title", "div div", "a li", "wir suchen", "li ul", "avm karriere", "dich a", "reverse dns", "berlin", "germany asn", "dns resolutions", "domains top", "level", "unique tlds", "related pulses", "none related", "passive dns", "ipv4", "url analysis", "present dec", "moved", "certificate", "vertriebs gmbh", "aaaa", "as12732 gutcon", "domain", "hostname", "verdict", "files ip", "address", "germany", "as13335", "as8220 colt", "present may", "united kingdom", "regsetvalueexa", "regdword", "regbinary", "show", "yara detections", "regsetvalueexw", "regsz", "medium", "suspicious", "delphi", "malware", "write", "as6878", "msie", "chrome", "gmt content", "germany showing", "createobject", "set http", "search", "high", "read c", "et trojan", "jfif", "ascii text", "detected", "trojan generic", "checkin", "pony downloader", "http library", "virustotal", "riskware", "mcafee", "drweb", "vipre", "trojan", "panda", "next", "unknown", "as15169 google", "status", "name servers", "record value", "emails", "error", "trojandropper", "results dec", "ddos", "worm", "mtb trojan", "mtb apr", "exev2e", "ia256", "extraction", "get http", "post http", "learn", "command", "ck id", "name tactics", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "germany germany", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "pattern match", "show technique", "ck matrix", "show process", "network traffic", "t1057", "t1071", "hybrid", "local", "path", "t1204 user", "defense evasion", "t1480 execution", "sha1", "sha256", "size", "script", "null", "span", "refresh", "footer", "body", "june", "general", "click", "strings", "tools", "tracker", "code", "look", "verify", "restart", "bad traffic", "et info", "tls handshake", "failure", "process details", "flag", "link", "present feb", "servers", "redacted for", "as20546 soprado", "encrypt", "mtb sep", "ransom", "next associated", "twitter", "virtool", "hostname add", "location russia", "as200350", "russia unknown", "federation flag", "ipv4 add", "asn as200350", "related", "domain add", "unknown ns", "expiration date", "http version", "windows nt", "gbot", "post method", "port", "destination", "delete", "get na", "as15169", "expiration", "url https", "no expiration", "showing", "entries", "url add", "pulse pulses", "http", "files domain", "files related", "pulses none", "unknown cname", "cname", "asn as24940", "less", "date", "pulse submit" ], "references": [ "https://fritz.box/login | router.box | wlan.box | mesh.box | myfritz.box | https://business.kozow.com/bbox/ |", "https://avm.de/ Connection: close Content Type: text/html charset=iso 8859 1", "AVM Computersysteme Vertriebs GmbH Certificate Subject: IT Certificate Subject *.avm.de Certificate Issuer: US", "Certificate Issuer: DigiCert Inc Certificate Issuer: |DigiCert SHA2 Secur Server CA", "Subject: DE Certificate Subject: Berlin Certificate Subject", "https://uutiskirje.professiogroup.com/go/54382390-5506438-191003959\u241d", "http://b25d1a05.click.convertkit-mail2.com \u2022 https://b25d1a05.click.convertkit-mail2.com", "https://push.adac.passcreator.com/ | passcreator-metrics.e07cc1.flownative.cloud", "ecs-80-158-49-8.reverse.open-telekom-cloud.com", "http://24.211.14.182:5555/login.htm?page=%2F | s5wpr2nreqby04v9.myfritz.ne", "HYPERTRM.EXE - FileHash-SHA256 21cf992aba3d4adbc8a6bd65337f46a93983fbec8fe0f4639be826571ae469ba", "Copyright \u00a9 Hilgraeve, Inc. 2001 Product Microsoft\u00ae Windows\u00ae Operating System Description HyperTerminal Applet", "Original Name HYPERTRM.EXE Internal Name HyperTrm File Version 5.1.2600.0", "Comments HyperTerminal \u00ae was developed by Hilgraeve, Inc. for Microsoft", "ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System", "ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.\t192.168.56.103\t173.194.113.114", "ET TROJAN Trojan Generic - POST To gate.php with no referer\t192.168.56.103\t173.194.113.114", "ET TROJAN Fareit/Pony Downloader Checkin 2\t192.168.56.103\t173.194.113.114", "ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98\t192.168.56.103\t173.194.113.114", "http://applewaebastian.fritz.box/ \u2022 applewaebastian.fritz.box", "http://netuser.joymeng.com/charge_apple/notify", "https://www.passcreator.com/en/apple-wallet-passes", "https://sso.myfritz.net/static/images/icons/apple-touch-icon-76x76.png No", "apple-business.cancom.at", "Apple - 162.55.158.153", "Crypt2.AZDI - FileHash-SHA256 62ffd7a3a21a5732870c4ad92fad7287a5270e4a5508752cfef0aa6f9ea30d1f", "Inject.BRDV - FileHash-SHA256\t25f639cdaae06656ab5e0cc80512146aa59097439c388dd15e4cc09343d9a283", "Win32:Androp - FileHash-MD5 99c6c9564af67a954661ebf6e41391d2", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-MD5\t99c8310538a090d2b7e5db3ea22b839a", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA1-2f7189e96cda26dbb6948354667fdd1ad37c04c0", "#LowFi:Tool:Win32/VbsToExeV2E - FileHash-SHA256\tae2fb6755dbf52fa44e427fbe0f29bf541aeedf66656edeb08ba9d7ef1617afc", "Ip Traffic: TCP 74.125.24.106:80 (googleapis.com) TCP 85.195.91.179:80 (catch-cdn.com) UDP :53", "ALF:CERT:Adware:Win32/Peapoon Win.Malware.Midie-6847893-0\tTrojanDropper:Win32/Muldrop.V!MTB Win.Malware.Generickdz-9938530-0\tTrojan:Win32/Zombie.A Win.Malware.Genpack-6989317-0\tTrojanDropper:Win32/VB.IL Win.Trojan.VBGeneric-6735875-0\tWorm:Win32/Mofksys" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "#LowFi:Tool:Win32/VbsToExeV2E", "display_name": "#LowFi:Tool:Win32/VbsToExeV2E", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Androp", "display_name": "Androp", "target": null }, { "id": "Inject.BRDV", "display_name": "Inject.BRDV", "target": null }, { "id": "Win32:Androp", "display_name": "Win32:Androp", "target": null }, { "id": "Crypt2.AZDI", "display_name": "Crypt2.AZDI", "target": null }, { "id": "TEL:MSIL/DlSocConSend", "display_name": "TEL:MSIL/DlSocConSend", "target": "/malware/TEL:MSIL/DlSocConSend" }, { "id": "DDOS:Linux/Lightaidra", "display_name": "DDOS:Linux/Lightaidra", "target": "/malware/DDOS:Linux/Lightaidra" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Trojan:Win32/Salgorea.C!MTB", "display_name": "Trojan:Win32/Salgorea.C!MTB", "target": "/malware/Trojan:Win32/Salgorea.C!MTB" }, { "id": "Worm:Win32/Autorun.XFV", "display_name": "Worm:Win32/Autorun.XFV", "target": "/malware/Worm:Win32/Autorun.XFV" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "Worm:Win32/Yuner.A", "display_name": "Worm:Win32/Yuner.A", "target": "/malware/Worm:Win32/Yuner.A" }, { "id": "Win.Trojan.Zegost", "display_name": "Win.Trojan.Zegost", "target": null }, { "id": "PWS:Win32/QQpass", "display_name": "PWS:Win32/QQpass", "target": "/malware/PWS:Win32/QQpass" }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Win.Trojan.Generic", "display_name": "Win.Trojan.Generic", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win32/Trickler", "display_name": "Win32/Trickler", "target": null }, { "id": "Win.Malware.Hd0kzai-9985588-0", "display_name": "Win.Malware.Hd0kzai-9985588-0", "target": null }, { "id": "Trojan:Win32/Aenjaris.AL!bit", "display_name": "Trojan:Win32/Aenjaris.AL!bit", "target": "/malware/Trojan:Win32/Aenjaris.AL!bit" }, { "id": "Trojan:Win32/Agent.AG!MTB", "display_name": "Trojan:Win32/Agent.AG!MTB", "target": "/malware/Trojan:Win32/Agent.AG!MTB" }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Win.Malware.Barys-6840738-0", "display_name": "Win.Malware.Barys-6840738-0", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Trojan:Win32/EyeStye.T", "display_name": "Trojan:Win32/EyeStye.T", "target": "/malware/Trojan:Win32/EyeStye.T" }, { "id": "wormWin32/Mofksys.RND!MTB", "display_name": "wormWin32/Mofksys.RND!MTB", "target": null }, { "id": "TrojanDropper:Win32/VB.IL", "display_name": "TrojanDropper:Win32/VB.IL", "target": "/malware/TrojanDropper:Win32/VB.IL" }, { "id": "CVE 2007695", "display_name": "CVE 2007695", "target": null } ], "attack_ids": [ { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 927, "hostname": 2093, "FileHash-SHA256": 1474, "URL": 5935, "FileHash-MD5": 351, "FileHash-SHA1": 252, "email": 5, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11040, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "136 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "690a2c38de1708af54217faa", "name": "Access Token used to steal security credentials & hack and ride DND of targeted individuals", "description": "- https://shift.gearboxsoftware.com/link\n- Found embedded in targets phone.\n\nAccess Token used to steal security credentials & hack and ride DND of targeted individuals device. \nTAM Legal \u2022 Tulach \u2022 Hall Render \u2022 Quasi Government | Some type of Foundry user account found. \n\nStop illegally \n stalking, harassment, attempts, hacking, death threats. . Because the Colorado government allowing entities like this to operate without any type of rules, oversight or boundaries \nMILLION$ were wasted in your own fraud, waste in abuse scheme. AT&T , CrowdStrike , United Healthcare , UC Healthcare, Intermountain Health, T-Mobile, Amazon East, the Colorado Government itself, Medicare and Medicaid. For what? You have zero talent so you take it from those who do. You have nothing coming to you so you steal it from those who do. Is this somehow legal? \n#contacted #all_hosts backdoor #ransomware #cve #usa #american_terrorists #workers_compenstation_abuse #silencing #targeting #hitmen #illegal #malvertizing #aws_dns", "modified": "2025-12-04T15:01:02.531000", "created": "2025-11-04T16:39:20.035000", "tags": [ "present aug", "moved", "encrypt", "present jul", "passive dns", "ipv4 add", "reverse dns", "united states", "present may", "ip address", "gmt content", "ipv4", "all ipv4", "america", "united", "present oct", "name servers", "redacted for", "emails", "for privacy", "unknown ns", "unknown aaaa", "dynamicloader", "focus region", "unicode text", "utf16", "ms windows", "bokeh onlycanon", "zeiss jena", "mcsonnar", "high", "win64", "stream", "write", "smartassembly", "trailer", "next", "search", "medium", "as15169", "write c", "reads", "team", "malware", "local", "yara detections", "delphi", "strings", "dcom", "form", "trojandropper", "mtb nov", "backdoor", "otx telemetry", "trojan", "type", "data upload", "extraction", "ol rop", "hash avast", "avg clamav", "msdefender nov", "win32upatre nov", "win32berbew nov", "dynamic", "pe section", "error", "close", "status", "urls", "expiration date", "hostname", "url analysis", "yara rule", "show", "binary file", "wine emulator", "mtb oct", "files", "denmark asn", "as32934", "candyopen", "possible", "smoke loader", "trojanspy", "filehash", "pulses otx", "related tags", "file type", "no analysis", "available", "api key", "screenshots", "present nov", "aaaa", "mtb may", "mexico", "hostname add", "registrar", "domain add", "location united", "email add", "none related", "domains", "email domain", "service", "domain", "america flag", "body", "title", "aws dns", "next associated", "risepro", "guard", "v full", "reports v", "t1059 shared", "modules", "t1129 system", "t1569", "help v", "t1179 boot", "logon autost", "encoding", "packing f0001", "hidden files", "e1203 windows", "file attributes", "registry value", "catalog tree", "analysis ob0001", "evasion b0003", "virtual machine", "ip traffic", "memory pattern", "pattern urls", "tls sni", "get https", "post https", "named pipe", "delete c", "radar", "defender", "format", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "country", "contacted hosts", "process details", "flag", "globalc", "intel", "win32", "worm", "path", "explorer", "script", "href", "external", "html content", "tulach", "hallrender", "tam legal", "brian sabey", "christopher ahmann", "apple", "msie", "chrome", "ascio", "creation date", "date", "germany unknown", "germany asn", "files ip", "address", "asn as24940", "less", "script urls", "a domains", "prox", "dennis schrder", "meta", "apache", "99u25f.exe", "entries", "as24940 hetzner", "dns resolutions", "status code", "body length", "kb body", "software/ hardware", "external-resources", "password-input", "overview", "colorado" ], "references": [ "https://shift.gearboxsoftware.com/link", "https://tulach.cc/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com", "x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe", "https://www.turbo.net/run/videolan/vlc", "http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/", "Overview \"Keeping money\" by the Colorado workers' compensation system can refer to", "legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal", "counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before ." ], "public": 1, "adversary": "Colorado Quasi Government | Workerk Compensation", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9878032-0", "display_name": "Win.Trojan.Generic-9878032-0", "target": null }, { "id": "Win.Trojan.Starter-171", "display_name": "Win.Trojan.Starter-171", "target": null }, { "id": "GravityRAT", "display_name": "GravityRAT", "target": null }, { "id": "Backdoor:Win32/Berbew.AA!MTB", "display_name": "Backdoor:Win32/Berbew.AA!MTB", "target": "/malware/Backdoor:Win32/Berbew.AA!MTB" }, { "id": "Trojan:MSIL/AgentTesla.DW!MTB", "display_name": "Trojan:MSIL/AgentTesla.DW!MTB", "target": "/malware/Trojan:MSIL/AgentTesla.DW!MTB" }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Trojandropper:Win32/VB.IL", "display_name": "Trojandropper:Win32/VB.IL", "target": "/malware/Trojandropper:Win32/VB.IL" }, { "id": "Nemucod", "display_name": "Nemucod", "target": null }, { "id": "Berbew", "display_name": "Berbew", "target": null }, { "id": "PWS:Win32/Zbot.MS!MTB", "display_name": "PWS:Win32/Zbot.MS!MTB", "target": "/malware/PWS:Win32/Zbot.MS!MTB" }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Exploit.Rozena-10038302-0", "display_name": "Win.Exploit.Rozena-10038302-0", "target": null }, { "id": "Zombie", "display_name": "Zombie", "target": null }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "Muldrop", "display_name": "Muldrop", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Dorv", "display_name": "Dorv", "target": null }, { "id": "Win.Malware.Pits-10035540-0", "display_name": "Win.Malware.Pits-10035540-0", "target": null }, { "id": "Win.Ransomware.Msilzilla-10014498-0", "display_name": "Win.Ransomware.Msilzilla-10014498-0", "target": null }, { "id": "CVE-2023-4966", "display_name": "CVE-2023-4966", "target": null }, { "id": "Exploit:Linux/CVE-2017-17215", "display_name": "Exploit:Linux/CVE-2017-17215", "target": "/malware/Exploit:Linux/CVE-2017-17215" }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6051, "hostname": 2627, "FileHash-MD5": 401, "FileHash-SHA1": 257, "email": 11, "domain": 1838, "FileHash-SHA256": 1742, "CVE": 4, "SSLCertFingerprint": 3 }, "indicator_count": 12934, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "177 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68efedf37890e1b32d60eb55", "name": "Assurant Insurance \u2022 Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant , T-Mobile & me", "description": "Injection, Crypt , ProRat , Tofsee and a version Mirai affecting Assurant and T-Mobile and me. There is truth to the tip I received. This is the 3rd time all of my networks went down , even my phone disconnected and phone number changed temporarily. \n\nJosh T found again. Online profile possibly staged. Stated he is a gamer , self trained in Lua, , CS major in Canada. He is a malicious hacker and streamer and probably an entity. Eric _E iCloud related. Found DoD & Mil hackers related. I haven\u2019t taken the time to authenticate.. Very malicious and talented hackers attacking. I can\u2019t ignore the .mil and DoD items that populated in previous pulses. \n \n[OTX Auto Populated-Trojan-gen-Glupteba, Danabot, Prorat, and other names have been identified as the names of those affected by the latest cyber-attack on the internet.]", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T18:54:43.205000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "197 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68efee5ba882db423d3bad8f", "name": "Assurant & T-Mobile BLYP Checkin ET MALWARE TROJAN \u2022 Kryptic", "description": "", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T18:56:27.950000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": "68efedf37890e1b32d60eb55", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "197 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68eff0848071708f9ee0c0bd", "name": "Gamarue \u2022 G3nasom\u2022 Simda\u2022 Ganelp affecting Assurant and T-Mobile Part 3", "description": "", "modified": "2025-11-14T17:02:12.746000", "created": "2025-10-15T19:05:40.466000", "tags": [ "ipv4", "email abuse", "email info", "active related", "passive dns", "files related", "related tags", "none google", "external", "present aug", "present sep", "present jun", "present jul", "present oct", "ipv4 https", "crosscountry", "mortgagefamily", "port", "read c", "destination", "high", "intel", "ms windows", "stream", "explorer", "write", "malware", "united", "asnone", "et trojan", "windows nt", "suspicious", "win64", "zune", "et", "netherlands", "segoe ui", "found content", "length", "content type", "ipv4 add", "pulse pulses", "urls", "error", "ip address", "pulse submit", "url analysis", "files", "domain", "ip related", "pulses none", "learn", "ck id", "name tactics", "informative", "adversaries", "spawns", "command", "found", "defense evasion", "ssl certificate", "execution", "path", "secure", "show technique", "mitre att", "ck matrix", "maxage31536000", "expirestue", "brand", "microsoft edge", "date", "cookie", "sha1", "ascii text", "sha256", "pattern match", "hybrid", "local", "click", "strings", "show process", "flag", "programfiles", "command decode", "comspec", "model", "general", "starfield", "encrypt", "iframe", "development att", "backdoor", "win32", "reverse dns", "location india", "india asn", "trojan", "mtb win32" ], "references": [ "Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com", "20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf", "Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984", "p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/", "http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=", "http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/", "you.are.poor.i.got.trap.money?", "Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Germany", "Romania", "South Africa" ], "malware_families": [ { "id": "BC.Win.Packer.Troll-11", "display_name": "BC.Win.Packer.Troll-11", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Crypt3.BOJE", "display_name": "Crypt3.BOJE", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Trojan:Win32/Glupteba.OV!MTB", "display_name": "Trojan:Win32/Glupteba.OV!MTB", "target": "/malware/Trojan:Win32/Glupteba.OV!MTB" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "ProRat", "display_name": "ProRat", "target": null }, { "id": "Backdoor:Win32/Prorat.L", "display_name": "Backdoor:Win32/Prorat.L", "target": "/malware/Backdoor:Win32/Prorat.L" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan", "display_name": "Win32:Trojan", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Crypt5.BBYH", "display_name": "Crypt5.BBYH", "target": null }, { "id": "Crypt4.AHSW", "display_name": "Crypt4.AHSW", "target": null }, { "id": "Crypt3.COIZ", "display_name": "Crypt3.COIZ", "target": null }, { "id": "Crypt3.CMTM", "display_name": "Crypt3.CMTM", "target": null }, { "id": "Crypt3.CKTO", "display_name": "Crypt3.CKTO", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXGR", "display_name": "Crypt3.BXGR", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BOQD", "display_name": "Crypt3.BOQD", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "Crypt3.BOIU", "display_name": "Crypt3.BOIU", "target": null }, { "id": "Inject2.BHBW", "display_name": "Inject2.BHBW", "target": null }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Insurance" ], "TLP": "white", "cloned_from": "68efee5ba882db423d3bad8f", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10010, "FileHash-MD5": 150, "FileHash-SHA1": 144, "FileHash-SHA256": 2869, "domain": 2046, "email": 6, "hostname": 3705, "SSLCertFingerprint": 19 }, "indicator_count": 18949, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "197 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.1api.net/send-message/corona-prediciton.com/registrant", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.1api.net/send-message/corona-prediciton.com/registrant", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780231887.3140907 }