{ "type": "URL", "indicator": "https://www.ab.gitlab.gitlab.sandbox.avalon-invest.pro", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.ab.gitlab.gitlab.sandbox.avalon-invest.pro", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3837758437, "indicator": "https://www.ab.gitlab.gitlab.sandbox.avalon-invest.pro", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 28, "pulses": [ { "id": "69bf8e2663d5480917ddb699", "name": "Pegasus - https://house.mo.gov/ | Brian Sabey HallRender [i cloned OctoSeek] T8", "description": "", "modified": "2026-03-22T08:35:26.266000", "created": "2026-03-22T06:37:26.233000", "tags": [ "united", "as393601 state", "a domains", "passive dns", "as397241", "certificate", "urls", "search", "showing", "entries", "algorithm", "full name", "data", "v3 serial", "number", "cus cndigicert", "global g2", "tls rsa", "sha256", "ca1 odigicert", "info", "record type", "ttl value", "all txt", "ssl certificate", "whois record", "contacted", "referrer", "resolutions", "historical ssl", "communicating", "problems", "parent domain", "njrat", "ransomware", "startpage", "historical", "malware", "execution", "threat roundup", "april", "september", "remcos rat", "august", "june", "qakbot", "push", "service", "privateloader", "amadey", "powershell", "qbot", "cobalt strike", "core", "hacktool", "november", "october", "roundup", "threat network", "cellbrite", "february", "emotet", "maze", "metro", "dark", "malicious", "team", "critical", "copy", "awful", "parallax rat", "banker", "keylogger", "dns replication", "date", "csc corporate", "domains", "code", "server", "registrar abuse", "registrar iana", "registry domain", "registrar url", "registrar", "contact phone", "apple ios", "quasar", "remcos", "ursnif", "chaos", "ransomexx", "azorult", "agent tesla", "evilnum", "asyncrat", "win32 exe", "wininit", "beta version", "cmstp", "taskscheduler", "ieudinit", "nat32", "certsentry", "type name", "wc3 rpg", "pegasus", "unknown", "domain", "servers", "germany unknown", "name servers", "status", "next", "as29066 host", "as133618", "cname", "as47846", "scan endpoints", "all octoseek", "pulse pulses", "encrypt", "china unknown", "as38365 beijing", "as134175 unit", "707713", "hong kong", "virgin islands", "as6461 zayo", "ransom", "exploit", "ipv4", "pulse submit", "url analysis", "trojan", "body", "click", "creation date", "emails", "expiration date", "domain privacy", "hostname", "dynamicloader", "state", "medium", "msie", "windows nt", "wow64", "show", "slcc2", "media center", "error", "delphi", "guard", "write", "win32", "target", "redir", "facebook", "dcom", "local", "delete", "utf8", "unicode text", "crlf line", "rgba", "yara detections", "default", "asnone", "get na", "dns lookup", "probe ms17010", "eternalblue", "playgame", "high", "related pulses", "yara rule", "anomalous file", "dynamic", "malware infection", "cnc", "procmem_yara", "antivm_generic_disk", "modify_proxy infostealer_cookies", "network_http", "anomalous_deletefile", "antidebug_guardpages", "powershell_request", "powershell_download", "as63949 linode", "mtb feb", "open ports", "backdoor", "gmt content", "trojandropper", "simda", "lockbit", "win.trojan", "midia-4", "floxif", "cryptowall", "brontok", "check in", "record value", "files", "location united", "america asn", "as16509", "download", "threat", "paste", "iocs", "analyze", "hostnames", "urls http", "samples", "tsara brashears", "2nd corintnthians 4:8-9", "injection_inter_process", "injection_create_remote_thread", "persistence_autorun", "bypass_firewall", "disables_windowsupdate", "dynamic_function_loading", "http_request", "query", "delete c", "activity dns", "components", "file execution", "observed dns", "as4837 china", "nxdomain", "a nxdomain", "wannacry", "missouri", "safebae", "hallrender", "house.mo.gov", "typosquatting", "tactics", "google", "win64", "khtml", "gecko", "veryhigh", "aes256gcm", "dalles", "cookie", "urls https", "xpcegvo2adsnq", "mhkz", "mvi2", "keepaliveyes", "fexp24007246", "nsyt", "eva reimer", "daisy coleman", "brian sabey", "https://lawlink.com/documents/10935/blackbag-technologies-announ" ], "references": [ "https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov", "dns.msftncsi.com", "NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184", "Target\u2193\u2192 Tsara Brashears: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "23.216.147.64", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]", "http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]", "alohatube.xyz [BotNetwork]", "facebooksunglassshop.com", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4", "oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev", "http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/", "government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org", "https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html", "remote.utorrent.com [remote router logins]", "Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com", "http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online", "http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com", "http://tvm77.fashiongup.in/tracking/track-open", "https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg", "http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/", "hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com", "http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208", "https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com", "safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/", "https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com", "https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4", "Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js", "Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]", "Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store", "https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]", "http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt", "sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "China", "Australia", "Hong Kong" ], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "EVILNUM", "display_name": "EVILNUM", "target": null }, { "id": "Dark", "display_name": "Dark", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Keylogger", "display_name": "Keylogger", "target": null }, { "id": "Maze", "display_name": "Maze", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "Parallax RAT", "display_name": "Parallax RAT", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Remcos RAT", "display_name": "Remcos RAT", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Win.Trojan.Agent-336074", "display_name": "Win.Trojan.Agent-336074", "target": null }, { "id": "Arid.Viper_CnC", "display_name": "Arid.Viper_CnC", "target": null }, { "id": "WininiCrypt", "display_name": "WininiCrypt", "target": null }, { "id": "PWS:Win32/QQpass.CI", "display_name": "PWS:Win32/QQpass.CI", "target": "/malware/PWS:Win32/QQpass.CI" }, { "id": "Win.Trojan.Midia-4", "display_name": "Win.Trojan.Midia-4", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Win32/SocStealer!rfn", "display_name": "Win32/SocStealer!rfn", "target": null }, { "id": "Backdoor.Win32.Shiz.ufj", "display_name": "Backdoor.Win32.Shiz.ufj", "target": null }, { "id": "Email-Worm.Win32.Brontok.n", "display_name": "Email-Worm.Win32.Brontok.n", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": "65c91f2b7c03b480379ae4d1", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2668, "FileHash-SHA1": 2469, "FileHash-SHA256": 8054, "URL": 6185, "domain": 2421, "hostname": 3042, "CVE": 5, "email": 15, "CIDR": 1, "IPv4": 18 }, "indicator_count": 24878, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686ab98ff0cb9baa4e2b2000", "name": "https://house.mo.gov/ Palantir Technologies HARMFUL (copied OctoseekPulse) Attacks SA victims?", "description": "", "modified": "2025-08-05T21:02:46.419000", "created": "2025-07-06T17:59:43.440000", "tags": [ "runtime process", "localappdata", "size", "sha256", "sha1", "temp", "prefetch8", "prefetch1", "unicode text", "type data", "hybrid", "general", "click", "strings", "contact", "mitre", "writes a pe file header to disc", "show process", "date", "document file", "v2 document", "ascii text", "malicious", "local", "path", "found", "ssl certificate", "whois record", "threat roundup", "contacted", "october", "resolutions", "apple ios", "referrer", "communicating", "execution", "june", "august", "emotet", "qakbot", "agent tesla", "azorult", "core", "maze", "metro", "dark", "team", "critical", "copy", "awful", "ursnif", "hacktool", "info", "qbot", "april", "njrat", "nokoyawa", "djvu", "flubot", "ransomware", "bandit stealer", "hallrender", "spyware", "safebae", "tsara brashears", "westlaw", "river.rocks", "brian sabey", "targeting", "dnspionage", "united", "unknown", "search", "aaaa", "showing", "domain", "creation date", "record value", "dnssec", "body", "passive dns", "encrypt", "as14061", "germany unknown", "as397240", "gmt server", "443 ma2592000", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "main", "installing", "as16276", "france unknown", "name servers", "as8075", "servers", "next", "as63949 linode", "as206834 team", "canada unknown", "status", "as61969 team", "msie", "chrome", "ransom", "gone", "title", "head body", "malware" ], "references": [ "\u2193\u2192Found in: https://house.mo.gov/\u2193", "dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/", "demo.auth.civicalg.com.sni.cloudflaressl.com", "happyrabbit.kr [Apple iOS threat]", "https://appletoncdn.xyz/l/26422915e0d4f6f88646?sub=5eafeec1af7c0a0001960f44&source=81 \u2022 appletoncdn.xyz", "https://tracking.s-unlock.com \u2022 https://ignaciob.com/track/click/v2-318692303 \u2022 adepttracker.com \u2022", "https://your-sugar-girls.com/cams/default/adult/5277/index.html?p1=https://bongacams10.com/track?c=621661&subid=1a1d33f51a7179480c6d4aeb40d3a5a1&subid2=16969639", "https://click.stecloud.us/campaign/track-email/384458660__3339__6837152__393", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://enter.private.com/track/MTIxODEuNjEuMi41MjEuMTAxMC4wLjAuMC4w/join", "http://nudeteenporn.site" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nokoyawa Ransomware", "display_name": "Nokoyawa Ransomware", "target": null }, { "id": "Bandit Stealer", "display_name": "Bandit Stealer", "target": null }, { "id": "FluBot", "display_name": "FluBot", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Djvu", "display_name": "Djvu", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maze", "display_name": "Maze", "target": null }, { "id": "Dark", "display_name": "Dark", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1065", "name": "Uncommonly Used Port", "display_name": "T1065 - Uncommonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" } ], "industries": [], "TLP": "green", "cloned_from": "65c96df8fe0657d56a206a49", "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 251, "FileHash-SHA1": 211, "FileHash-SHA256": 3226, "domain": 1867, "URL": 10030, "hostname": 2919, "CVE": 7, "email": 6 }, "indicator_count": 18517, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "256 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6603369ad0e38e313883c4fa", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root HELP! RETALIATION HAS OCCURRED ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-26T20:56:58.037000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 4468, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6603360b48908ae9b9835563", "name": "IoT Dark Nexus + Mirai BotNet HELP HER PLEASE!!- Enom | TELNET Root |", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-26T20:54:35.118000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66015553ad4633eb85c66817", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-25T10:43:31.072000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66015551faca20cb510f9121", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-25T10:43:29.149000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660021cdfd20f6237e3892c0", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Services", "description": "Found in web app of a targets device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along other devices making commands and requests via app.", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-24T12:51:25.910000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660021cc958e062575a9a160", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Services", "description": "Found in web app of a targets device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along other devices making commands and requests via app.", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-24T12:51:24.154000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d8c371cc0957afd9195ae0", "name": ":MalwareX-gen\\ [Trj]", "description": "", "modified": "2024-03-24T08:04:17.098000", "created": "2024-02-23T16:10:26", "tags": [ "united", "command decode", "segoe ui", "emoji", "meta", "script", "alienvault", "open threat", "exchange", "learn", "date", "roboto", "path", "iframe", "body", "virustotal", "february", "hybrid", "general", "click", "strings", "span", "contact", "ssl certificate", "whois record", "threat roundup", "june", "october", "pe resource", "september", "referrer", "historical ssl", "march", "august", "formbook", "suspicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": "65d85bc3164cd519bc4a282d", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Enqrypted", "id": "272105", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_272105/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 151, "FileHash-SHA1": 151, "FileHash-SHA256": 2254, "domain": 693, "hostname": 974, "URL": 3461, "CVE": 1 }, "indicator_count": 7685, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "756 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d85bc3164cd519bc4a282d", "name": "Win32:RansomX-gen\\ [Ransom] \u2022 Win32:MalwareX-gen\\ [Trj]", "description": "https://otx.alienvault.com/indicator/ doesn't finish loading. Unable to analyze detections.\nnetwork_icmp\nallocates_rwx\npacker_entropy\nhas_pdb\npe_unknown_resource_name\nsysinternals_tools_usage\nallocates_rwx\nsuspicious_process", "modified": "2024-03-24T08:04:17.098000", "created": "2024-02-23T08:48:03.696000", "tags": [ "united", "command decode", "segoe ui", "emoji", "meta", "script", "alienvault", "open threat", "exchange", "learn", "date", "roboto", "path", "iframe", "body", "virustotal", "february", "hybrid", "general", "click", "strings", "span", "contact", "ssl certificate", "whois record", "threat roundup", "june", "october", "pe resource", "september", "referrer", "historical ssl", "march", "august", "formbook", "suspicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 151, "FileHash-SHA1": 151, "FileHash-SHA256": 2254, "domain": 693, "hostname": 974, "URL": 3461, "CVE": 1 }, "indicator_count": 7685, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "756 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d0a9c7f1b04296d9b0d803", "name": "History Killer Pro Injection deleting VirusTotal & OTX.AlienVault Pulses", "description": "", "modified": "2024-03-18T04:01:27.756000", "created": "2024-02-17T12:42:47.334000", "tags": [ "contacted", "execution", "january", "september", "whois record", "resolutions", "communicating", "roundup", "highly targeted", "phishing", "quasar", "malware", "open", "threat roundup", "referrer", "remote", "kimsuky", "passive dns", "urls", "dive domains", "creation date", "search", "record value", "date", "united", "scan endpoints", "all scoreblue", "unknown", "body", "brian sabey", "hall render", "reinsurance", "state", "danger", "threat", "critical", "crypthashdata", "read c", "tcmiheijkmutcix", "entries", "show", "t1055", "intel", "ms windows", "delphi", "win32", "copy", "write", "injection", "zusy", "neojit", "cyber stalking", "worker", "inject", "illegal", "tampering", "hijacker", "delete", "ret hat", "stalker", "shadow", "quasi" ], "references": [ "www.historykillerpro.com", "https://otx.alienvault.com/indicator/hostname/ww25.historykillerpro.com", "http://sniper.debugger.ru", "Remote sharing: https://otx.alienvault.com/otxapi/indicators/file/screenshot/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "Inject & attack: https://otx.alienvault.com/indicator/file/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "M. Brian Sabey Hall Render , Denver, Co | Frankfurt, Germany" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Variant.Zusy.572 Checkin", "display_name": "Variant.Zusy.572 Checkin", "target": null }, { "id": "TrojanDownloader:Win32/Neojit.A", "display_name": "TrojanDownloader:Win32/Neojit.A", "target": "/malware/TrojanDownloader:Win32/Neojit.A" }, { "id": "Win32:Delf-SES\\ [Trj]", "display_name": "Win32:Delf-SES\\ [Trj]", "target": null }, { "id": "Win.Trojan.Agent-1372316", "display_name": "Win.Trojan.Agent-1372316", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65d053a935bf99f5263deb57", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1915, "FileHash-MD5": 437, "FileHash-SHA1": 435, "FileHash-SHA256": 3054, "domain": 987, "URL": 5902, "email": 1, "CVE": 1 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "762 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d053a935bf99f5263deb57", "name": "History Killer Pro Injection deleting virustotal & otx.alienvault Pulses", "description": "History killer pro, is being used to delete and modify virustotal nodes and 41 otx.alienvault pulses. Junk data is being used to fill in missing pulses.\nTargeted: 1 callmeDoris several scoreblue (sometimes I clone pulses) Octoseek. \npulses.\nHallrender, Metro by T-Mobile, https://myaccount.uscis.gov/, Esurance, 40 pule reports are regarding Tsara Brashears cyber bully campaign which attacked the corporates mentioned except 2 AIG and Hallrender attackers. 100's of other modifications, deletions by another tool affecting several users.", "modified": "2024-03-18T04:01:27.756000", "created": "2024-02-17T06:35:21.666000", "tags": [ "contacted", "execution", "january", "september", "whois record", "resolutions", "communicating", "roundup", "highly targeted", "phishing", "quasar", "malware", "open", "threat roundup", "referrer", "remote", "kimsuky", "passive dns", "urls", "dive domains", "creation date", "search", "record value", "date", "united", "scan endpoints", "all scoreblue", "unknown", "body", "brian sabey", "hall render", "reinsurance", "state", "danger", "threat", "critical", "crypthashdata", "read c", "tcmiheijkmutcix", "entries", "show", "t1055", "intel", "ms windows", "delphi", "win32", "copy", "write", "injection", "zusy", "neojit", "cyber stalking", "worker", "inject", "illegal", "tampering", "hijacker", "delete", "ret hat", "stalker", "shadow", "quasi" ], "references": [ "www.historykillerpro.com", "https://otx.alienvault.com/indicator/hostname/ww25.historykillerpro.com", "http://sniper.debugger.ru", "Remote sharing: https://otx.alienvault.com/otxapi/indicators/file/screenshot/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "Inject & attack: https://otx.alienvault.com/indicator/file/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "M. Brian Sabey Hall Render , Denver, Co | Frankfurt, Germany" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Variant.Zusy.572 Checkin", "display_name": "Variant.Zusy.572 Checkin", "target": null }, { "id": "TrojanDownloader:Win32/Neojit.A", "display_name": "TrojanDownloader:Win32/Neojit.A", "target": "/malware/TrojanDownloader:Win32/Neojit.A" }, { "id": "Win32:Delf-SES\\ [Trj]", "display_name": "Win32:Delf-SES\\ [Trj]", "target": null }, { "id": "Win.Trojan.Agent-1372316", "display_name": "Win.Trojan.Agent-1372316", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1915, "FileHash-MD5": 437, "FileHash-SHA1": 435, "FileHash-SHA256": 3054, "domain": 987, "URL": 5902, "email": 1, "CVE": 1 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "762 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cdac3ba9d7f42c0ed9c46d", "name": "Emotet | POD 18447 for Cox.xls | M. Brian Sabey \u2022 HallRender \u2022 Denver", "description": "Researchers have identified the source of a virus that has spread around the world and is believed to be linked to a network called \"thedevilsback\" in the United States, which is currently under the control of Amazon.com.", "modified": "2024-03-16T05:00:42.461000", "created": "2024-02-15T06:16:27.967000", "tags": [ "dns resolutions", "ip traffic", "hashes", "file type", "name file", "ip detections", "country", "search", "zbot type", "indicator role", "active related", "filehashsha256", "entries", "brian sabey", "ssl certificate", "contacted", "resolutions", "communicating", "referrer", "emotet emotet", "malware emotet", "http", "emotet", "whois record", "contacted urls", "bundled", "threat roundup", "historical ssl", "execution", "attack", "probe", "service", "startpage", "core", "hiddentear", "guid", "ransomexx", "azorult", "lightning", "ursnif", "agent tesla", "quasar", "trickbot", "project", "remcos", "evilnum", "asyncrat", "matanbuchus", "cobalt strike", "metro", "intel", "ms windows", "pe32", "show", "trojan", "copy", "windows", "read", "write", "february", "delphi", "win32", "ransomware", "united", "unknown", "as44273 host", "moved", "passive dns", "gmt content", "scan endpoints", "all octoseek", "pulse pulses", "urls", "body", "date", "encrypt", "trojandropper", "ipv4", "virtool", "junkpoly", "worm", "msie", "chrome", "status", "creation date", "servers", "record value", "javascript", "please", "june", "august", "malware", "whois whois", "njrat", "ransomware", "siblings domain", "tulach", "hallrender", "cyber espionage", "cyberstalking" ], "references": [ "POD 18447 for Cox.xls", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "1.download.windowsupdate.com [HiddenTear]", "https://tulach.cc/ \u2022 tulach.cc \u2022 thedevilsback.golf \u2022 nextcloud.tulach.cc [phishing]", "https://gronthoghor.com/xoe/qbot.zip \u2022", "Win32:JunkPoly - Worm:Win32/Bagle.gen!C https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.metrobyt-mobile.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Delphi", "display_name": "Delphi", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5573, "hostname": 1806, "FileHash-SHA256": 5748, "domain": 1677, "FileHash-MD5": 349, "FileHash-SHA1": 348, "CVE": 3, "email": 3 }, "indicator_count": 15507, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "764 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cdac46a01234da94a42565", "name": "Emotet | POD 18447 for Cox.xls | M. Brian Sabey \u2022 HallRender \u2022 Denver", "description": "Researchers have identified the source of a virus that has spread around the world and is believed to be linked to a network called \"thedevilsback\" in the United States, which is currently under the control of Amazon.com.", "modified": "2024-03-16T05:00:42.461000", "created": "2024-02-15T06:16:38.290000", "tags": [ "dns resolutions", "ip traffic", "hashes", "file type", "name file", "ip detections", "country", "search", "zbot type", "indicator role", "active related", "filehashsha256", "entries", "brian sabey", "ssl certificate", "contacted", "resolutions", "communicating", "referrer", "emotet emotet", "malware emotet", "http", "emotet", "whois record", "contacted urls", "bundled", "threat roundup", "historical ssl", "execution", "attack", "probe", "service", "startpage", "core", "hiddentear", "guid", "ransomexx", "azorult", "lightning", "ursnif", "agent tesla", "quasar", "trickbot", "project", "remcos", "evilnum", "asyncrat", "matanbuchus", "cobalt strike", "metro", "intel", "ms windows", "pe32", "show", "trojan", "copy", "windows", "read", "write", "february", "delphi", "win32", "ransomware", "united", "unknown", "as44273 host", "moved", "passive dns", "gmt content", "scan endpoints", "all octoseek", "pulse pulses", "urls", "body", "date", "encrypt", "trojandropper", "ipv4", "virtool", "junkpoly", "worm", "msie", "chrome", "status", "creation date", "servers", "record value", "javascript", "please", "june", "august", "malware", "whois whois", "njrat", "ransomware", "siblings domain", "tulach", "hallrender", "cyber espionage", "cyberstalking" ], "references": [ "POD 18447 for Cox.xls", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "1.download.windowsupdate.com [HiddenTear]", "https://tulach.cc/ \u2022 tulach.cc \u2022 thedevilsback.golf \u2022 nextcloud.tulach.cc [phishing]", "https://gronthoghor.com/xoe/qbot.zip \u2022", "Win32:JunkPoly - Worm:Win32/Bagle.gen!C https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.metrobyt-mobile.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "HiddenTear", "display_name": "HiddenTear", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Delphi", "display_name": "Delphi", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5573, "hostname": 1806, "FileHash-SHA256": 5748, "domain": 1677, "FileHash-MD5": 349, "FileHash-SHA1": 348, "CVE": 3, "email": 3 }, "indicator_count": 15507, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "764 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb4772c3d3ad1f7accc98a", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:53.179000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb476d935dd560b4a3e938", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:49.380000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb476d0566c2d07e474df5", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:49.140000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cb4768b06f4da2fba5959b", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:44.270000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cae8b43072d177d592feb0", "name": "Astaroth Trojan found in: https://house.mo.gov link", "description": "Impact of the Astaroth Trojan\nOnce the campaign has successfully infiltrated, it will log the users keystrokes, intercept their operating system calls, and gather any information saved to the clipboard continuously. With these methods, it uncovers significant amounts of personal information from the user bank accounts and business accounts. Additionally, in conjunction with NetPass, it gathers user login passwords across the board undetected, including any of their remote computers on LAN, mail account passwords, Messenger accounts, Internet Explorer passwords, and others.", "modified": "2024-03-14T03:01:16.126000", "created": "2024-02-13T03:57:40.057000", "tags": [ "ssl certificate", "whois record", "contacted", "bundled", "january", "communicating", "execution", "phishing page", "cyberstalking", "apple ios", "february", "phishing", "crat", "metro", "life", "core", "hacktool", "bitrat", "malicious", "mallox", "lolkek", "emotet", "pe resource", "threat roundup", "roundup", "astaroth", "august", "tsara brashears", "workers", "aaaa", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cngts", "ogoogle trust", "llc validity", "subject public", "key info", "key algorithm", "data redacted", "redacted for", "domain status", "code", "privacy billing", "privacy tech", "privacy admin", "postal code", "city", "date", "dns replication", "siblings", "server", "pty ltd", "registrar abuse", "wholesale pty", "tpp wholesale", "registry domain", "registrar url", "malvertizing", "pega related attack", "mo", "gov", "msie", "chrome", "status", "search", "passive dns", "urls", "record value", "name servers", "unknown", "body", "next", "trojan", "scanning host", "exploit source", "cnc", "command and control", "united", "domain", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "files", "hallgrand", "brian sabey", "hello", "reinsurance", "remote", "rat", "cyber threat", "targeting" ], "references": [ "Pulse of: hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev", "Found in: http://house.mo.gov/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing & apple collection]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple iOS unlocker password decryption]", "nr-data.net [Apple Private Data Collection]", "30597972.bhclick.com", "http://ns2.hallgrandsale.ru/", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [AIG- data collection]", "https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Astaroth", "display_name": "Astaroth", "target": null }, { "id": "BitRAT", "display_name": "BitRAT", "target": null }, { "id": "CRAT", "display_name": "CRAT", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Mallox", "display_name": "Mallox", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [], "industries": [ "Government", "Media", "Civil Society", "Technology", "Telecommunications", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1230, "URL": 4748, "FileHash-MD5": 161, "FileHash-SHA1": 161, "FileHash-SHA256": 2548, "domain": 1261, "CVE": 1, "email": 7 }, "indicator_count": 10117, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65caca061fbb7674de86ec7b", "name": "Invicta Stealer", "description": "Invicta Stealer is equipped to steal data from most locations of a system which makes it a dangerous threat.\nLink found in https://house.mo.com", "modified": "2024-03-14T01:01:47.115000", "created": "2024-02-13T01:46:46.969000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "resolutions", "communicating", "whois whois", "subdomains", "referrer", "problems", "core", "startpage", "june", "passive dns", "urls", "domain", "otx telemetry", "body", "gmt content", "x adblock", "scan endpoints", "all octoseek", "hostname", "date", "encrypt", "threat roundup", "october", "november", "march", "february", "apple ios", "april", "tsara brashears", "copy", "hacktool", "phishing", "metro", "crypto", "installer", "awful", "united", "unknown", "germany unknown", "search", "servers", "registrar", "name servers", "status", "next", "moved", "address", "creation date", "showing", "ipv4", "pulse submit", "url analysis", "accept", "aaaa", "record type", "ttl value", "html document", "ascii text", "anchor hrefs", "hrefs", "anchor", "anchor href", "threat", "paste", "iocs", "analyze", "hostnames", "url https", "sample", "server", "code", "registry domain", "dnssec", "registrar url", "registrar whois", "iana id", "registrar abuse", "tech email", "fake update", "utilizes new", "idat loader", "stealc", "urls http", "isadultno", "adposbottom", "adformatplain", "adnetworks", "quasar rat", "ip detections", "country", "cellbrite", "execution", "pegasus", "malware", "agent tesla", "attack", "ukraine", "silent", "invicta stealer", "redline stealer", "orcus rat", "files", "germany asn", "as196763", "a domains", "redacted for", "record value", "for privacy", "emails", "name", "contacted urls", "bundled", "de indicators", "domains", "hashes", "gmbh version", "status page", "service privacy", "legal", "impressum", "pulse pulses", "location united", "open", "cookie", "customer", "0 report", "sea alt", "certificate", "#targeting", "#discordwallets", "house.mo.gov" ], "references": [ "https://www.facebooksunglassshop.com/", "CVE-2017-0147 \u2022 CVE-2023-4966 \u2022 CVE-2023-22518", "https://ispy-official.com/ X Cache: Redirect from cloudfront Via: 1.1 030fe0607711293dda988e571617a9f2.cloudfront.net CloudFront X Amz Cf", "Pop: HIO50 C1 X Amz Cf Id: Jt aBPO2nI3Nt D0E4nzqpun66btDLhJ41kQwhDASrIukoWyUOWE1w==", "apple.com-auth.eu [Find apple] | https://applemusic-spotlight.myunidays.com/US/en-US? [compromise via apple media]", "http://init-p01st.push.apple.com/bag [= Google.com.uy modified browser - malicious] apple.com-auth.eu \u2022 appleid.apple.com-auth.eu\u2022", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [apple media compromise. Pega behavior?]", "all-live.secure2storeapple.xxianzi.com \u2022 https://www.symbios.pk/apple-ipod-5-32gb", "http://m.xiang5.com/keyword/17655.html&ht=%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%8D%E8%B4%B9%E9%98%85%E8%AF%BB_%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%A8%E6%9C%AC%E6%97%A0%E5%BC%B9%E7%AA%97-%E9%A6%99%E7%BD%91%E5%B0%8F%E8%AF%B4%E6%89%8B%E6%9C%BA%E7%89%88&uaddr=https:/www.sogou.com/link?url=58p16RfDRLtDzo-0AEmfJoGs8rDRUEq4ejjohgXqBYnQGuHk6xSRXg..&h=1080&w=1920&cd=24&lg=zh-CN&ua=mozilla/5.0%20(windows%20nt%2010.0;%20win64;%20x64)%20", "Tracking: mailtrack.io \u2022 nr-data.net \u2022 tracking.bullseyeedu.com \u2022 https://smtp.mail.pentrack.com \u2022 tracking.vetsindexes.com", "Remote threats: http://watchhers.net/index.php \u2022 http://eye.infunvip.com/appinterface/other/login.remote", "https://plussizedesi.com/wp-content/uploads/2022/07/SniperGhostWarrior2BlackBox_Version_Download_INSTALL.pdf", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password decryption]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 apple collection]", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev", "edgedl.me.gvt1.com", "Link found in https://house.mo.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Invicta Stealer", "display_name": "Invicta Stealer", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "Orcus RAT", "display_name": "Orcus RAT", "target": null }, { "id": "Silent", "display_name": "Silent", "target": null } ], "attack_ids": [], "industries": [ "Government", "Civil Society", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 145, "FileHash-SHA256": 3848, "CVE": 3, "URL": 8291, "domain": 2541, "hostname": 3034, "email": 13 }, "indicator_count": 18028, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c96df8fe0657d56a206a49", "name": "Nokoyawa Ransomware - https://house.mo.gov/", "description": "Cyber attack including Pegasus found in https://house.mo.gov/\nThis Observed links: dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/Appears to attacking with heightened privilege escalation.\nLinks originated from https://safebae.org attack, various Westlaw links and links attacking a private citizen. HallRender is malware hosting domain featuring an aggressive 'Brian Sabey' representing self as attorney protecting white collar individuals accused of SA is attacker. Boldly contacts victims via mail, email, phone, text, invites, personal invitations to office. \n\nFront facing https://safebae.org, a 'tribute' domain may mention alleged SA victim Daisy Coleman. Research confirms no mention of 'Daisy' safebae is filled with cyber bullying toolkit; ransomware.csv, tracking, westlaw, tagging tools, pornhub, rallypoint, adult malvertizing content targeting a Colorado SA victim. \nIt's all very real but so unbelievable. Malware spreading, cyberthreat", "modified": "2024-03-13T00:02:54.335000", "created": "2024-02-12T01:01:44.323000", "tags": [ "runtime process", "localappdata", "size", "sha256", "sha1", "temp", "prefetch8", "prefetch1", "unicode text", "type data", "hybrid", "general", "click", "strings", "contact", "mitre", "writes a pe file header to disc", "show process", "date", "document file", "v2 document", "ascii text", "malicious", "local", "path", "found", "ssl certificate", "whois record", "threat roundup", "contacted", "october", "resolutions", "apple ios", "referrer", "communicating", "execution", "june", "august", "emotet", "qakbot", "agent tesla", "azorult", "core", "maze", "metro", "dark", "team", "critical", "copy", "awful", "ursnif", "hacktool", "info", "qbot", "april", "njrat", "nokoyawa", "djvu", "flubot", "ransomware", "bandit stealer", "hallrender", "spyware", "safebae", "tsara brashears", "westlaw", "river.rocks", "brian sabey", "targeting", "dnspionage", "united", "unknown", "search", "aaaa", "showing", "domain", "creation date", "record value", "dnssec", "body", "passive dns", "encrypt", "as14061", "germany unknown", "as397240", "gmt server", "443 ma2592000", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "main", "installing", "as16276", "france unknown", "name servers", "as8075", "servers", "next", "as63949 linode", "as206834 team", "canada unknown", "status", "as61969 team", "msie", "chrome", "ransom", "gone", "title", "head body", "malware" ], "references": [ "\u2193\u2192Found in: https://house.mo.gov/\u2193", "dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/", "demo.auth.civicalg.com.sni.cloudflaressl.com", "happyrabbit.kr [Apple iOS threat]", "https://appletoncdn.xyz/l/26422915e0d4f6f88646?sub=5eafeec1af7c0a0001960f44&source=81 \u2022 appletoncdn.xyz", "https://tracking.s-unlock.com \u2022 https://ignaciob.com/track/click/v2-318692303 \u2022 adepttracker.com \u2022", "https://your-sugar-girls.com/cams/default/adult/5277/index.html?p1=https://bongacams10.com/track?c=621661&subid=1a1d33f51a7179480c6d4aeb40d3a5a1&subid2=16969639", "https://click.stecloud.us/campaign/track-email/384458660__3339__6837152__393", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://enter.private.com/track/MTIxODEuNjEuMi41MjEuMTAxMC4wLjAuMC4w/join", "http://nudeteenporn.site" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nokoyawa Ransomware", "display_name": "Nokoyawa Ransomware", "target": null }, { "id": "Bandit Stealer", "display_name": "Bandit Stealer", "target": null }, { "id": "FluBot", "display_name": "FluBot", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Djvu", "display_name": "Djvu", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maze", "display_name": "Maze", "target": null }, { "id": "Dark", "display_name": "Dark", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1065", "name": "Uncommonly Used Port", "display_name": "T1065 - Uncommonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 194, "FileHash-SHA1": 191, "FileHash-SHA256": 2376, "domain": 1414, "URL": 4388, "hostname": 1699, "CVE": 4, "email": 5 }, "indicator_count": 10271, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "767 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c942169a345feccec332cd", "name": "Miscellaneous Attack - https://house.mo.gov/", "description": "Researchers at the University of Missouri in Missouri have published their results on a new web server called \"revisor.com\" (revisors.mo.gov) for the next three years..", "modified": "2024-03-12T21:02:15.675000", "created": "2024-02-11T21:54:30.139000", "tags": [ "threat analyzer", "threat", "paste", "iocs", "urls https", "showcctrue", "locationchamber", "viewmode3", "analyze", "hostname", "samples", "url https", "span", "pattern match", "script", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "input", "iframe", "body", "form", "error", "night", "bill", "february", "hybrid", "general", "local", "click", "strings", "footer", "no data", "tag count", "count blacklist", "tag tag", "heim", "a domains", "as393601 state", "united", "link", "object", "title", "statutes", "passive dns", "urls", "cname", "meta", "date", "encrypt", "aaaa", "as8987 amazon", "nxdomain", "whitelisted", "a nxdomain", "scan endpoints", "next", "all octoseek", "ipv4", "trojan", "verdana", "x content", "x xss", "sameorigin x", "pulse submit", "unknown", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "as397241", "name servers", "center oak", "city sterling", "code us", "name security", "phone number", "postal code", "pulse pulses", "files", "representative rex", "threat report", "ip summary", "url summary", "summary", "sample", "detection list", "blacklist", "session", "session floor", "hearings", "sunday", "missouri", "filter view", "new recordings", "no filter", "session jcr", "hearing house", "live", "label", "core", "script urls", "r3 dv", "tls ca" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 130, "FileHash-SHA1": 81, "FileHash-SHA256": 263, "URL": 704, "domain": 368, "hostname": 467, "email": 1 }, "indicator_count": 2014, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "767 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c91f2b7c03b480379ae4d1", "name": "Pegasus - https://house.mo.gov/ | Brian Sabey HallRender", "description": "1st time researching https://house.mo.gov/ & house.mo.gov. False arrest records of a target originated from Missouri. A glitch delete pulses & references in bulk.\nPegasus is the should be illegal. Destroying evidence of a truth that would be believed if heard. Spying for dirt to discredit. Target heavily deterred by cyber warfare, healthcare fraud, injuries, financial difficulties due to hacked away businesses, strange shadowy government abused, in person stalking, threats and physical attacks, denied disability with a spinal cord injury?\nhttps://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "modified": "2024-03-12T15:03:06.954000", "created": "2024-02-11T19:25:31.451000", "tags": [ "united", "as393601 state", "a domains", "passive dns", "as397241", "certificate", "urls", "search", "showing", "entries", "algorithm", "full name", "data", "v3 serial", "number", "cus cndigicert", "global g2", "tls rsa", "sha256", "ca1 odigicert", "info", "record type", "ttl value", "all txt", "ssl certificate", "whois record", "contacted", "referrer", "resolutions", "historical ssl", "communicating", "problems", "parent domain", "njrat", "ransomware", "startpage", "historical", "malware", "execution", "threat roundup", "april", "september", "remcos rat", "august", "june", "qakbot", "push", "service", "privateloader", "amadey", "powershell", "qbot", "cobalt strike", "core", "hacktool", "november", "october", "roundup", "threat network", "cellbrite", "february", "emotet", "maze", "metro", "dark", "malicious", "team", "critical", "copy", "awful", "parallax rat", "banker", "keylogger", "dns replication", "date", "csc corporate", "domains", "code", "server", "registrar abuse", "registrar iana", "registry domain", "registrar url", "registrar", "contact phone", "apple ios", "quasar", "remcos", "ursnif", "chaos", "ransomexx", "azorult", "agent tesla", "evilnum", "asyncrat", "win32 exe", "wininit", "beta version", "cmstp", "taskscheduler", "ieudinit", "nat32", "certsentry", "type name", "wc3 rpg", "pegasus", "unknown", "domain", "servers", "germany unknown", "name servers", "status", "next", "as29066 host", "as133618", "cname", "as47846", "scan endpoints", "all octoseek", "pulse pulses", "encrypt", "china unknown", "as38365 beijing", "as134175 unit", "707713", "hong kong", "virgin islands", "as6461 zayo", "ransom", "exploit", "ipv4", "pulse submit", "url analysis", "trojan", "body", "click", "creation date", "emails", "expiration date", "domain privacy", "hostname", "dynamicloader", "state", "medium", "msie", "windows nt", "wow64", "show", "slcc2", "media center", "error", "delphi", "guard", "write", "win32", "target", "redir", "facebook", "dcom", "local", "delete", "utf8", "unicode text", "crlf line", "rgba", "yara detections", "default", "asnone", "get na", "dns lookup", "probe ms17010", "eternalblue", "playgame", "high", "related pulses", "yara rule", "anomalous file", "dynamic", "malware infection", "cnc", "procmem_yara", "antivm_generic_disk", "modify_proxy infostealer_cookies", "network_http", "anomalous_deletefile", "antidebug_guardpages", "powershell_request", "powershell_download", "as63949 linode", "mtb feb", "open ports", "backdoor", "gmt content", "trojandropper", "simda", "lockbit", "win.trojan", "midia-4", "floxif", "cryptowall", "brontok", "check in", "record value", "files", "location united", "america asn", "as16509", "download", "threat", "paste", "iocs", "analyze", "hostnames", "urls http", "samples", "tsara brashears", "2nd corintnthians 4:8-9", "injection_inter_process", "injection_create_remote_thread", "persistence_autorun", "bypass_firewall", "disables_windowsupdate", "dynamic_function_loading", "http_request", "query", "delete c", "activity dns", "components", "file execution", "observed dns", "as4837 china", "nxdomain", "a nxdomain", "wannacry", "missouri", "safebae", "hallrender", "house.mo.gov", "typosquatting", "tactics", "google", "win64", "khtml", "gecko", "veryhigh", "aes256gcm", "dalles", "cookie", "urls https", "xpcegvo2adsnq", "mhkz", "mvi2", "keepaliveyes", "fexp24007246", "nsyt", "eva reimer", "daisy coleman", "brian sabey", "https://lawlink.com/documents/10935/blackbag-technologies-announ" ], "references": [ "https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov", "dns.msftncsi.com", "NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184", "Target\u2193\u2192 Tsara Brashears: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "23.216.147.64", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]", "http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]", "alohatube.xyz [BotNetwork]", "facebooksunglassshop.com", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4", "oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev", "http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/", "government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org", "https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html", "remote.utorrent.com [remote router logins]", "Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com", "http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online", "http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com", "http://tvm77.fashiongup.in/tracking/track-open", "https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg", "http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/", "hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com", "http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208", "https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com", "safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/", "https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com", "https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4", "Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js", "Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]", "Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store", "https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]", "http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt", "sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "China", "Australia", "Hong Kong" ], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "EVILNUM", "display_name": "EVILNUM", "target": null }, { "id": "Dark", "display_name": "Dark", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Keylogger", "display_name": "Keylogger", "target": null }, { "id": "Maze", "display_name": "Maze", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "Parallax RAT", "display_name": "Parallax RAT", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Remcos RAT", "display_name": "Remcos RAT", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Win.Trojan.Agent-336074", "display_name": "Win.Trojan.Agent-336074", "target": null }, { "id": "Arid.Viper_CnC", "display_name": "Arid.Viper_CnC", "target": null }, { "id": "WininiCrypt", "display_name": "WininiCrypt", "target": null }, { "id": "PWS:Win32/QQpass.CI", "display_name": "PWS:Win32/QQpass.CI", "target": "/malware/PWS:Win32/QQpass.CI" }, { "id": "Win.Trojan.Midia-4", "display_name": "Win.Trojan.Midia-4", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Win32/SocStealer!rfn", "display_name": "Win32/SocStealer!rfn", "target": null }, { "id": "Backdoor.Win32.Shiz.ufj", "display_name": "Backdoor.Win32.Shiz.ufj", "target": null }, { "id": "Email-Worm.Win32.Brontok.n", "display_name": "Email-Worm.Win32.Brontok.n", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 148, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1373, "FileHash-SHA1": 1174, "FileHash-SHA256": 6417, "URL": 4264, "domain": 2304, "hostname": 2413, "CVE": 4, "email": 15, "CIDR": 1 }, "indicator_count": 17965, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "768 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c7b86fa120d19bbc88f367", "name": "Hijacker", "description": "Hackers hired to humiliate, threaten,steal data, evidence, recordings , spy and intimidate.", "modified": "2024-03-11T17:01:59.026000", "created": "2024-02-10T17:54:55.243000", "tags": [ "ssl certificate", "whois record", "contacted", "tsara brashears", "referrer", "communicating", "resolutions", "historical ssl", "high level", "hackers", "hacktool", "download", "malware", "crypto", "hijacker", "monitoring", "installer", "tofsee", "domains domains", "domains files", "files files", "script", "kgs0", "kls0", "relic", "iframe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "rticon neutral", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "ico rtgroupicon", "neutral", "first", "utc submissions", "submitters", "company limited", "computer", "amazonaes", "china telecom", "group", "csc corporate", "domains", "malware spreading evader", "cnc", "malvertizing", "milehighmedia", "trojandropper", "moved", "passive dns", "urls", "as14576", "backdoor", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "trojan", "encrypt", "body", "date", "date hash", "avast avg", "mtb may", "kratona", "threat", "paste", "iocs", "analyze", "hostnames", "urls https", "script urls", "united", "meta", "unknown", "emails", "name servers", "search", "as62597 nsone", "a domains", "as397241", "media", "next", "december", "unlocker", "threat round", "apple ios", "apple phone", "project", "blister", "agent tesla", "open", "execution", "videos", "strong", "porn videos", "watch", "daddy", "free", "top rated", "most viewed", "cancel anytime", "views", "play", "black", "enjoy", "czech", "hunk", "virtool", "cryp", "creation date", "otx telemetry", "expiration date", "servers", "status", "win32", "showing", "domain", "nxdomain", "as8075", "shell code", "threat", "cyber espionage", "cyber stalking", "danger", "critical", "attack", "treats", "as15169 google", "aaaa", "record value", "error", "entries", "hostname", "url http", "http", "files domain", "files related", "shinjiru msc", "sdn bhd", "dnssec", "protect", "as54455 madeit", "phishing", "backdoor", "contextualizing", "elevated exposure", "malvertizing", "ransom", "msil", "hackers for hire", "hashes", "http method", "get http", "http requests", "get dns", "ip traffic", "memory pattern", "pattern ips", "@emreimer", "iextract2", "cp cyber", "denver", "security", "siem compliance", "skip", "cybersecurity", "larimer st", "suite", "resources cyber", "risk assessment", "bill", "mind", "delaware", "pa", "arizona", "colorado", "stalkers", "deuteronomy 28:7", "hitmen" ], "references": [ "honey.exe", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "CS Sigma Rules: Python Initiated Connection by frack113", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "api.login.live.com", "http://appleid.icloud.com-website33.org/", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "message.htm.com", "http://pornhub.com/gay/video/search", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "W32.Sality.PE", "display_name": "W32.Sality.PE", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Virus.Win32.Virut.q", "display_name": "Virus.Win32.Virut.q", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "TrojanDropper:Win32", "display_name": "TrojanDropper:Win32", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6303, "FileHash-MD5": 215, "FileHash-SHA1": 192, "FileHash-SHA256": 2663, "domain": 2673, "hostname": 2686, "CVE": 2, "email": 16 }, "indicator_count": 14750, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "768 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab616bb5869335d184ae7", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:21:42.183000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab60667f8205c19d6b67b", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:21:26.244000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab601f0d674294b603758", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:21:21.869000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab5eb4d0a233bf6f32edb", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:20:59.154000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "1.download.windowsupdate.com [HiddenTear]", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "https://ispy-official.com/ X Cache: Redirect from cloudfront Via: 1.1 030fe0607711293dda988e571617a9f2.cloudfront.net CloudFront X Amz Cf", "Pop: HIO50 C1 X Amz Cf Id: Jt aBPO2nI3Nt D0E4nzqpun66btDLhJ41kQwhDASrIukoWyUOWE1w==", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [AIG- data collection]", "http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]", "alohatube.xyz [BotNetwork]", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "Pulse of: hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev", "HOSTEDBYAPPLIEDI.NET - Enom", "http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/", "Target\u2193\u2192 Tsara Brashears: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "remote.utorrent.com [remote router logins]", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "https://otx.alienvault.com/indicator/hostname/ww25.historykillerpro.com", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password decryption]", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "http://appleid.icloud.com-website33.org/", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "Inject & attack: https://otx.alienvault.com/indicator/file/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "dns.msftncsi.com", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "ddos.dnsnb8.net [command_and_control]", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/", "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing & apple collection]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 apple collection]", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "demo.auth.civicalg.com.sni.cloudflaressl.com", "http://nudeteenporn.site", "https://appletoncdn.xyz/l/26422915e0d4f6f88646?sub=5eafeec1af7c0a0001960f44&source=81 \u2022 appletoncdn.xyz", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |", "https://www.facebooksunglassshop.com/", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [apple media compromise. Pega behavior?]", "Remote threats: http://watchhers.net/index.php \u2022 http://eye.infunvip.com/appinterface/other/login.remote", "https://enter.private.com/track/MTIxODEuNjEuMi41MjEuMTAxMC4wLjAuMC4w/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com", "https://tracking.s-unlock.com \u2022 https://ignaciob.com/track/click/v2-318692303 \u2022 adepttracker.com \u2022", "http://init-p01st.push.apple.com/bag [= Google.com.uy modified browser - malicious] apple.com-auth.eu \u2022 appleid.apple.com-auth.eu\u2022", "all-live.secure2storeapple.xxianzi.com \u2022 https://www.symbios.pk/apple-ipod-5-32gb", "Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "nexus.b2btest.ertelecom.ru", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg", "apple.com-auth.eu [Find apple] | https://applemusic-spotlight.myunidays.com/US/en-US? [compromise via apple media]", "Remote sharing: https://otx.alienvault.com/otxapi/indicators/file/screenshot/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "nr-data.net [Apple Private Data Collection]", "http://m.xiang5.com/keyword/17655.html&ht=%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%8D%E8%B4%B9%E9%98%85%E8%AF%BB_%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%A8%E6%9C%AC%E6%97%A0%E5%BC%B9%E7%AA%97-%E9%A6%99%E7%BD%91%E5%B0%8F%E8%AF%B4%E6%89%8B%E6%9C%BA%E7%89%88&uaddr=https:/www.sogou.com/link?url=58p16RfDRLtDzo-0AEmfJoGs8rDRUEq4ejjohgXqBYnQGuHk6xSRXg..&h=1080&w=1920&cd=24&lg=zh-CN&ua=mozilla/5.0%20(windows%20nt%2010.0;%20win64;%20x64)%20", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com", "POD 18447 for Cox.xls", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://tvm77.fashiongup.in/tracking/track-open", "30597972.bhclick.com", "edgedl.me.gvt1.com", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com", "sex-ukraine.net", "sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php", "https://your-sugar-girls.com/cams/default/adult/5277/index.html?p1=https://bongacams10.com/track?c=621661&subid=1a1d33f51a7179480c6d4aeb40d3a5a1&subid2=16969639", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov", "http://sniper.debugger.ru", "https://plussizedesi.com/wp-content/uploads/2022/07/SniperGhostWarrior2BlackBox_Version_Download_INSTALL.pdf", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "http://ns2.hallgrandsale.ru/", "NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496", "hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Found in: http://house.mo.gov/", "https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov", "Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil", "www.historykillerpro.com", "CS Sigma Rules: Python Initiated Connection by frack113", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software", "https://click.stecloud.us/campaign/track-email/384458660__3339__6837152__393", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "http://micrologin.ogspy.net/track/dhl-information-contact.html", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png", "workers.dev [extraction \u2022 GET request attack]", "https://gronthoghor.com/xoe/qbot.zip \u2022", "www.supernetforme.com [command_and_control]", "https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com", "http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/", "https://tulach.cc/ \u2022 tulach.cc \u2022 thedevilsback.golf \u2022 nextcloud.tulach.cc [phishing]", "23.216.147.64", "Link found in https://house.mo.com", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "happyrabbit.kr [Apple iOS threat]", "facebooksunglassshop.com", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "wallpapers-nature.com", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "\u2193\u2192Found in: https://house.mo.gov/\u2193", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "message.htm.com", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple iOS unlocker password decryption]", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com", "http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online", "api.login.live.com", "oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "https://twitter.com/PORNO_SEXYBABES", "https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]", "Win32:JunkPoly - Worm:Win32/Bagle.gen!C https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 www.metrobyt-mobile.com", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "honey.exe", "http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "http://pornhub.com/gay/video/search", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "M. Brian Sabey Hall Render , Denver, Co | Frankfurt, Germany", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "CVE: CVE-2023-23397", "CVE-2017-0147 \u2022 CVE-2023-4966 \u2022 CVE-2023-22518", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Tracking: mailtrack.io \u2022 nr-data.net \u2022 tracking.bullseyeedu.com \u2022 https://smtp.mail.pentrack.com \u2022 tracking.vetsindexes.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "NSO Group" ], "malware_families": [ "Azorult", "Crat", "Win32:delf-ses\\ [trj]", "Ransom", "Malware", "Parallax rat", "Qakbot", "Hacktool", "Hallgrand", "Win.trojan.midia-4", "Qbot", "Mallox", "Invicta stealer", "Wannacry", "Alf:heraklezeval:trojan:win32/ymacco.aa47", "Remcos rat", "Lolkek", "Pegasus", "Backdoor.win32.shiz.ufj", "Silent", "Bitrat", "Relic", "Ransomexx", "Sabey", "Win.malware.fileinfector-9834127-0", "Hallrender", "Lockbit", "Keylogger", "Maze", "Redline stealer", "Eternalblue", "Agent tesla", "Ransomware", "Asyncrat", "Cobalt strike", "Trojan:win32/antavmu.d", "Ryuk ransomware", "Trojanspy", "Bandit stealer", "Zbot", "Emotet", "Win.trojan.agent-1372316", "Astaroth", "Variant.zusy.572 checkin", "Emotet b", "Makop", "Njrat", "Delphi", "Trojandownloader:win32/neojit.a", "Elf:mirai-gh\\ [trj]", "Win.trojan.agent-336074", "Quasar rat", "Mirai", "Unix.trojan.darknexus-7679166-0", "Tofsee", "Flubot", "Trojandropper:win32", "Ursnif", "Arid.viper_cnc", "Dark", "Amadey", "Evilnum", "Win32:trojan-gen", "Nokoyawa ransomware", "Virtool", "Orcus rat", "Pws:win32/qqpass.ci", "Email-worm.win32.brontok.n", "Trojan:win32/cryptinject.sd!mtb", "Tulach", "Wininicrypt", "Win32/socstealer!rfn", "Hiddentear", "Djvu", "Chaos", "W32.sality.pe", "Virus.win32.virut.q" ], "industries": [ "Government", "Telecommunications", "Media", "Civil society", "Technology", "Healthcare" ], "unique_indicators": 135085 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/avalon-invest.pro", "whois": "http://whois.domaintools.com/avalon-invest.pro", "domain": "avalon-invest.pro", "hostname": "www.ab.gitlab.gitlab.sandbox.avalon-invest.pro" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 28, "pulses": [ { "id": "69bf8e2663d5480917ddb699", "name": "Pegasus - https://house.mo.gov/ | Brian Sabey HallRender [i cloned OctoSeek] T8", "description": "", "modified": "2026-03-22T08:35:26.266000", "created": "2026-03-22T06:37:26.233000", "tags": [ "united", "as393601 state", "a domains", "passive dns", "as397241", "certificate", "urls", "search", "showing", "entries", "algorithm", "full name", "data", "v3 serial", "number", "cus cndigicert", "global g2", "tls rsa", "sha256", "ca1 odigicert", "info", "record type", "ttl value", "all txt", "ssl certificate", "whois record", "contacted", "referrer", "resolutions", "historical ssl", "communicating", "problems", "parent domain", "njrat", "ransomware", "startpage", "historical", "malware", "execution", "threat roundup", "april", "september", "remcos rat", "august", "june", "qakbot", "push", "service", "privateloader", "amadey", "powershell", "qbot", "cobalt strike", "core", "hacktool", "november", "october", "roundup", "threat network", "cellbrite", "february", "emotet", "maze", "metro", "dark", "malicious", "team", "critical", "copy", "awful", "parallax rat", "banker", "keylogger", "dns replication", "date", "csc corporate", "domains", "code", "server", "registrar abuse", "registrar iana", "registry domain", "registrar url", "registrar", "contact phone", "apple ios", "quasar", "remcos", "ursnif", "chaos", "ransomexx", "azorult", "agent tesla", "evilnum", "asyncrat", "win32 exe", "wininit", "beta version", "cmstp", "taskscheduler", "ieudinit", "nat32", "certsentry", "type name", "wc3 rpg", "pegasus", "unknown", "domain", "servers", "germany unknown", "name servers", "status", "next", "as29066 host", "as133618", "cname", "as47846", "scan endpoints", "all octoseek", "pulse pulses", "encrypt", "china unknown", "as38365 beijing", "as134175 unit", "707713", "hong kong", "virgin islands", "as6461 zayo", "ransom", "exploit", "ipv4", "pulse submit", "url analysis", "trojan", "body", "click", "creation date", "emails", "expiration date", "domain privacy", "hostname", "dynamicloader", "state", "medium", "msie", "windows nt", "wow64", "show", "slcc2", "media center", "error", "delphi", "guard", "write", "win32", "target", "redir", "facebook", "dcom", "local", "delete", "utf8", "unicode text", "crlf line", "rgba", "yara detections", "default", "asnone", "get na", "dns lookup", "probe ms17010", "eternalblue", "playgame", "high", "related pulses", "yara rule", "anomalous file", "dynamic", "malware infection", "cnc", "procmem_yara", "antivm_generic_disk", "modify_proxy infostealer_cookies", "network_http", "anomalous_deletefile", "antidebug_guardpages", "powershell_request", "powershell_download", "as63949 linode", "mtb feb", "open ports", "backdoor", "gmt content", "trojandropper", "simda", "lockbit", "win.trojan", "midia-4", "floxif", "cryptowall", "brontok", "check in", "record value", "files", "location united", "america asn", "as16509", "download", "threat", "paste", "iocs", "analyze", "hostnames", "urls http", "samples", "tsara brashears", "2nd corintnthians 4:8-9", "injection_inter_process", "injection_create_remote_thread", "persistence_autorun", "bypass_firewall", "disables_windowsupdate", "dynamic_function_loading", "http_request", "query", "delete c", "activity dns", "components", "file execution", "observed dns", "as4837 china", "nxdomain", "a nxdomain", "wannacry", "missouri", "safebae", "hallrender", "house.mo.gov", "typosquatting", "tactics", "google", "win64", "khtml", "gecko", "veryhigh", "aes256gcm", "dalles", "cookie", "urls https", "xpcegvo2adsnq", "mhkz", "mvi2", "keepaliveyes", "fexp24007246", "nsyt", "eva reimer", "daisy coleman", "brian sabey", "https://lawlink.com/documents/10935/blackbag-technologies-announ" ], "references": [ "https://house.mo.gov/ \u2022 house.mo.gov \u2022 mo.gov", "dns.msftncsi.com", "NSO Group - Pegasus: enterprise.cellebrite.com \u2022 cellebrite.com \u2022 erp002.blackbagtech.com \u2022 140.108.21.184", "Target\u2193\u2192 Tsara Brashears: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "23.216.147.64", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple/ iOS unlocker password decryption]", "http://alohatube.xyz/search/tsara-brashears [Telecom \u2022 Brashears Telecom services modified (malicious)]", "alohatube.xyz [BotNetwork]", "facebooksunglassshop.com", "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com - Lockbit Black 3.0, Observed AridViper CnC Domain, Win.Trojan.Midia-4", "oooooooooo.ga \u2022 rallypoint.com \u2022 pornhub.dev \u2022 chats.pornhub.dev \u2022 https://twitter.com/PORNO_SEXYBABES \u2022 https://matrix.pornhub.dev \u2022 https://git.pornhub.dev", "http://dobkinfamily.com/__media__/js/netsoltrademark.php?d=www.fap18pgals.eu/cum-on-ass-porn/", "government.westlaw.com \u2022 hero9780.duckdns.org \u2022 hallrender.com \u2022 miles-andmore.duckdns.org", "https://otx.alienvault.com/indicator/url/https://miles-andmore.duckdns.org/ihFKGyel4wizIPNVvHHQQIuHfl4hEb2F6gWEXupmNDuiMJgJtshSlLFmilf3zCT2EF/index.html", "remote.utorrent.com [remote router logins]", "Tracking: http://www.trackip.net/ip \u2022 gfx.ms \u2022 dssruletracker.mo.gov [network] \u2022 earlyconnections.mo.gov \u2022 www77.trackerspy.com \u2022 ww38.track.updatevideos.com", "http://tracking.studyportalsmail.com/about/privacy/?cdmtw=BAAAIAEAIGmGCaIK4E8-IsDv \u2022 tracking.studyportalsmail.com \u2022 plugtrack.online", "http://images.startappservice.com/image/fetch/f_auto \u2022 track.smtpsendemail.com \u2022 nr-data.net [apple] \u2022 lg.as35280.net \u2022 leaseway.damstracking.com", "http://tvm77.fashiongup.in/tracking/track-open", "https://www.house.mo.gov:80/messageboard/ \u2022 extranet16.mo.gov \u2022 login.mo.gov \u2022 witness.house.mo.gov \u2022 dps.mo.gov \u2022 dev-publicdefender.mo.gov", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg", "http://hallrender.com/attorney/brian-sabey \u2022 https://hallrender.com/attorney/brian-sabey \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-266x266.png", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F&", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-48x48.png \u2022 http://2fwww.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-406x406.png \u2022 https://vcards.hallrender.com/", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-300x300.png \u2022 http://mail2.hallrender.com/", "hallrender.com \u2022 government.westlaw.com \u2022 http://dev.hallrender.com/ \u2022 https://mercy.hallrender.com/ \u2022 autodiscover.hallrender.com", "http://web2.westlaw.com/find/default.wl?tf=-1&rs=WLW9.10&referencepositiontype=S&serialnum=1987042953&fn=_top&sv=Split&referenceposition=1555&pbc=D5845283&tc=-1&ordoc=1989026578&findtype=Y&db=708&vr=2.0&rp=/find/default.wl&mt=208", "https://otx.alienvault.com/indicator/ip/45.56.79.23 \u2022 batchcourtexpressservices.westlaw.com \u2022 courtexpress.westlaw.com", "safebae.org \u2022 rp.dudaran2.com \u2022 www.safebae.org \u2022 https://safebae.org/%20%5B \u2022 https://safebae.org/about/ \u2022 https://safebae.org/", "https://safebae.org/wp-content/plugins/addons-for-visual-composer/assets/js/slick.min.js?ver=2.9.2 \u2022 https://api.w.org/ \u2022 247.0.198.104.bc.googleusercontent.com", "https://safebae.org/wp-json/ \u2022 https://safebae.org/wp-content/plugins/embed-any-document/css/embed-public.min.css?ver=2.7.4", "Malware Hosting: http://81.5.88.13/dbreader.exe \u2022 http://utasoft.ru/catalog/view/javascript/jquery/ui/jquery-ui-1.8.16.custom.min.js", "Apple Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Apple unlocker, decryption via media]", "Malware Hosting: deviceinbox.com \u2022 http://www.hakoonportal.net/240714d/240714_t2.exe \u2022103.246.145.111 \u2022 Spyware: stream.ntpserver.store", "https://nl.toyota.be/tme [vehicle spyware, camera, data, speakers]", "http://link.mcsa.org/api/LinkHandler/getaction?redirectParam2=K09weU5vMDBKWW90Wk1hcHl4SmF4NGtHbnBGbjJaVElud2tpMlBaUGhseXZNM0JLaHRaUnJZOVh1bmMvSVhYWDZhb0UwY2hPaGVuSGNDRUFYeHNzWWFQL0dBNVlRVmlTSGpXa016bUQzWUZ6cVZRcktRTmRyZHJPYlBrY1NpSyt6ZzBrS0FjWk9EYSs4WmdOc2RBU09CR1RjWVNiTUZpYkhNV1lvNzkwbzhLMUxDUzQzS0FaVU5LYTZWSUZoS1Vt", "sexuallybroken.info \u2022 sinful-bordello.top-sex.us \u2022 crackedtool.com \u2022 kddi-cloud.com \u2022 http://tuksex.duckdns.org/bb/login.php", "https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software" ], "public": 1, "adversary": "NSO Group", "targeted_countries": [ "United States of America", "China", "Australia", "Hong Kong" ], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "EVILNUM", "display_name": "EVILNUM", "target": null }, { "id": "Dark", "display_name": "Dark", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Keylogger", "display_name": "Keylogger", "target": null }, { "id": "Maze", "display_name": "Maze", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "Parallax RAT", "display_name": "Parallax RAT", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Remcos RAT", "display_name": "Remcos RAT", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Win.Trojan.Agent-336074", "display_name": "Win.Trojan.Agent-336074", "target": null }, { "id": "Arid.Viper_CnC", "display_name": "Arid.Viper_CnC", "target": null }, { "id": "WininiCrypt", "display_name": "WininiCrypt", "target": null }, { "id": "PWS:Win32/QQpass.CI", "display_name": "PWS:Win32/QQpass.CI", "target": "/malware/PWS:Win32/QQpass.CI" }, { "id": "Win.Trojan.Midia-4", "display_name": "Win.Trojan.Midia-4", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Win32/SocStealer!rfn", "display_name": "Win32/SocStealer!rfn", "target": null }, { "id": "Backdoor.Win32.Shiz.ufj", "display_name": "Backdoor.Win32.Shiz.ufj", "target": null }, { "id": "Email-Worm.Win32.Brontok.n", "display_name": "Email-Worm.Win32.Brontok.n", "target": null }, { "id": "ETERNALBLUE", "display_name": "ETERNALBLUE", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": "65c91f2b7c03b480379ae4d1", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2668, "FileHash-SHA1": 2469, "FileHash-SHA256": 8054, "URL": 6185, "domain": 2421, "hostname": 3042, "CVE": 5, "email": 15, "CIDR": 1, "IPv4": 18 }, "indicator_count": 24878, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686ab98ff0cb9baa4e2b2000", "name": "https://house.mo.gov/ Palantir Technologies HARMFUL (copied OctoseekPulse) Attacks SA victims?", "description": "", "modified": "2025-08-05T21:02:46.419000", "created": "2025-07-06T17:59:43.440000", "tags": [ "runtime process", "localappdata", "size", "sha256", "sha1", "temp", "prefetch8", "prefetch1", "unicode text", "type data", "hybrid", "general", "click", "strings", "contact", "mitre", "writes a pe file header to disc", "show process", "date", "document file", "v2 document", "ascii text", "malicious", "local", "path", "found", "ssl certificate", "whois record", "threat roundup", "contacted", "october", "resolutions", "apple ios", "referrer", "communicating", "execution", "june", "august", "emotet", "qakbot", "agent tesla", "azorult", "core", "maze", "metro", "dark", "team", "critical", "copy", "awful", "ursnif", "hacktool", "info", "qbot", "april", "njrat", "nokoyawa", "djvu", "flubot", "ransomware", "bandit stealer", "hallrender", "spyware", "safebae", "tsara brashears", "westlaw", "river.rocks", "brian sabey", "targeting", "dnspionage", "united", "unknown", "search", "aaaa", "showing", "domain", "creation date", "record value", "dnssec", "body", "passive dns", "encrypt", "as14061", "germany unknown", "as397240", "gmt server", "443 ma2592000", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "main", "installing", "as16276", "france unknown", "name servers", "as8075", "servers", "next", "as63949 linode", "as206834 team", "canada unknown", "status", "as61969 team", "msie", "chrome", "ransom", "gone", "title", "head body", "malware" ], "references": [ "\u2193\u2192Found in: https://house.mo.gov/\u2193", "dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/", "demo.auth.civicalg.com.sni.cloudflaressl.com", "happyrabbit.kr [Apple iOS threat]", "https://appletoncdn.xyz/l/26422915e0d4f6f88646?sub=5eafeec1af7c0a0001960f44&source=81 \u2022 appletoncdn.xyz", "https://tracking.s-unlock.com \u2022 https://ignaciob.com/track/click/v2-318692303 \u2022 adepttracker.com \u2022", "https://your-sugar-girls.com/cams/default/adult/5277/index.html?p1=https://bongacams10.com/track?c=621661&subid=1a1d33f51a7179480c6d4aeb40d3a5a1&subid2=16969639", "https://click.stecloud.us/campaign/track-email/384458660__3339__6837152__393", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://enter.private.com/track/MTIxODEuNjEuMi41MjEuMTAxMC4wLjAuMC4w/join", "http://nudeteenporn.site" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nokoyawa Ransomware", "display_name": "Nokoyawa Ransomware", "target": null }, { "id": "Bandit Stealer", "display_name": "Bandit Stealer", "target": null }, { "id": "FluBot", "display_name": "FluBot", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Djvu", "display_name": "Djvu", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maze", "display_name": "Maze", "target": null }, { "id": "Dark", "display_name": "Dark", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1065", "name": "Uncommonly Used Port", "display_name": "T1065 - Uncommonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" } ], "industries": [], "TLP": "green", "cloned_from": "65c96df8fe0657d56a206a49", "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 251, "FileHash-SHA1": 211, "FileHash-SHA256": 3226, "domain": 1867, "URL": 10030, "hostname": 2919, "CVE": 7, "email": 6 }, "indicator_count": 18517, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "256 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6603369ad0e38e313883c4fa", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root HELP! RETALIATION HAS OCCURRED ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-26T20:56:58.037000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 4468, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6603360b48908ae9b9835563", "name": "IoT Dark Nexus + Mirai BotNet HELP HER PLEASE!!- Enom | TELNET Root |", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-26T20:54:35.118000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66015553ad4633eb85c66817", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-25T10:43:31.072000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66015551faca20cb510f9121", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service ", "description": "", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-25T10:43:29.149000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "660021cdfd20f6237e3892c0", "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660021cdfd20f6237e3892c0", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Services", "description": "Found in web app of a targets device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along other devices making commands and requests via app.", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-24T12:51:25.910000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660021cc958e062575a9a160", "name": "IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Services", "description": "Found in web app of a targets device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along other devices making commands and requests via app.", "modified": "2024-04-23T11:04:58.191000", "created": "2024-03-24T12:51:24.154000", "tags": [ "referrer", "communicating", "contacted", "siblings domain", "parent domain", "subdomains", "execution", "bundled", "threat", "paste", "iocs", "e4609l", "urls http", "blacklist http", "cisco umbrella", "heur", "site", "html", "million", "team", "alexa top", "script", "malicious url", "outbreak", "downer", "shell", "mediamagnet", "swrort", "unruy", "iobit", "dropper", "trojanx", "installcore", "riskware", "unsafe", "webshell", "exploit", "crack", "malware", "phishing", "union", "bank", "generic malware", "ip summary", "url summary", "summary", "detection list", "blacklist", "site top", "malware site", "site safe", "deepscan", "genpack", "zbot", "united", "proxy", "firehol mail", "spammer", "anonymizer", "team proxy", "firehol", "noname057", "alexa safe", "maltiverse safe", "windows nt", "win64", "khtml", "gecko", "veryhigh", "orgabusehandle", "route", "appli22", "address", "orgtechhandle", "appliedi abuse", "orgnochandle", "peter heather", "appliedi", "general info", "geo united", "as14519", "us note", "registrar arin", "ptr record", "command decode", "mitre att", "ck id", "show technique", "ck matrix", "traffic et", "policy windows", "update p2p", "activity", "date", "hybrid", "general", "click", "strings", "contact", "contacted urls", "cert valid", "malicious", "phone", "text", "microsoft", "uk telco", "js tel", "metro", "redacted for", "record value", "emails abuse", "name redacted", "for privacy", "name servers", "privacy address", "privacy city", "privacy country", "resolutions", "a domains", "canada unknown", "div div", "format a", "a ul", "models a", "gmt path", "search", "unknown", "passive dns", "title", "all scoreblue", "ipv4", "url analysis", "body", "next", "port", "destination", "forbidden", "high", "tcp syn", "telnet root", "suspicious path", "busybox", "bad login", "telnet login", "copy", "mirai", "domain", "hostname", "script script", "link", "app themesskin", "status", "content type", "lakeside tool", "meta", "find", "tools", "cookie", "front", "li ul", "mower shop", "creation date", "showing", "pragma", "this", "span", "open ports", "body doctype", "privacy admin", "privacy tech", "server", "country", "organization", "postal code", "stateprovince", "code", "script urls", "aaaa", "as8068", "cname", "as20446", "encrypt", "falcon", "name verdict", "abuse", "as55081", "dnssec", "dynamicloader", "alerts", "pulses", "java", "windows", "guard", "medium", "dynamic", "servers", "certificate", "as54113", "trojan", "neue", "trojanspy", "alexa", "team google", "maltiverse top", "ccleaner", "xrat", "downldr", "tsara brashears", "entries", "transactional" ], "references": [ "174.136.94.17 AS 14519 (APPLIEDI) US | 174.231.94.17 AS 6167 (CELLCO-PART) US", "HOSTEDBYAPPLIEDI.NET - Enom", "www.poserworld.com | A 174.136.76.202 | AS14519 Applied Innovations Corporation | United States", "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188", "Mirai: feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Trojanspy: FileHash-SHA256\tfa69e5f4c2abb3900e7861463e28eaab5233bd2a7521bf0679c00588513bfe8e", "Trojanspy: FileHash-MD5 b98fd97821e9b814b75124ccbdfa7664", "Trojanspy: FileHash-SHA1 f57d93f3583a4b7e5c6e6a35665853d6bdefddd7", "Dark Nexus: FileHash-SHA256 | feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb", "Dark Nexus: FileHash-MD5 869aeef284f70c36bb66e74e5c38539c", "Dark Nexus: FileHash-SHA1 bcb96edc67b28e4f26e598", "[Last seen Sun 24 Mar 2024 08:49:16 - feea61351ca61957888538a9249fd6687a05e74591df31bc4ac6905dfd70b1eb] Detections below", "Yara Detections: is__elf , ELFHighEntropy , elf_empty_sections", "IDS Detections: HiSilicon DVR - Default Telnet Root Password Inbound SUSPICIOUS Path to BusyBox 403 Forbidden root login Bad Login TELNET login failed", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Alerts: dead_host - Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usual)", "Dropped Files: #266028 (deleted) empty MF5 d41d8cd98f00b204e9800998ecf8427e", "Interesting: HYPV8505-WEB.hostedbyappliedi.net Domain: appliedi.net | Title: Best Managed Cloud IT Cybersecurity Provider in Boca Raton Florida", "Phishing: https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Phishing: wallpapers-nature.com | https://www.pornhub.com/video/search?search=tsara+brashears | https://wallpapers-nature.com/ tsara-brashears/urlscan-io |", "Phishing: https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "nr-data.net [Apple Private Data Collection]", "Heavy tracking: otc.greatcall.com, tracking.resaas.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT\t URL\thttp://www.tcscouriers.com/ae/tracking/Default.aspx?TrackBy=ReferenceNumberHome\t URL\thttp://www.on2url.com/a", "Heavy tracking: clickonurl.com, https://hub.sociabble.com/CommunicationReadMail?mailid=aff338e6-9720-4643-aae6-14374a42c75f&userlang=fr&ebTrackType=Newsletter&ebTrackId=aff338e6-9720-4643-aae6-14374a42c75f&ebTrackAction=OPEN&deliveryId=5cfea157-54e0-414a-a669-0c38fbc7aad7&c=bc8ef734-589b-4bf0-b31b-456e540f0b32&ebv=129c1fd618ab6e249b9b6e087db95209&ebTrackOrigin=EMAILCLIENT", "smartertrack.appliedi.net, http://analytics.com/track?id=55", "Heavy tracking: maps.appliedi.net, googlesitmap.com, digitalattackmap.com, imap.cadna.com , https://www.rvar.com/images/pdfs/ext_linked/drc_map.pdf", "Heavy tracking: mamapajamajan2.com (looks creepy as if there is footage), location.search |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1504", "name": "PowerShell Profile", "display_name": "T1504 - PowerShell Profile" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2979, "FileHash-SHA1": 406, "FileHash-SHA256": 2293, "URL": 1804, "domain": 814, "hostname": 1025, "email": 9, "CVE": 12, "CIDR": 2 }, "indicator_count": 9344, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d8c371cc0957afd9195ae0", "name": ":MalwareX-gen\\ [Trj]", "description": "", "modified": "2024-03-24T08:04:17.098000", "created": "2024-02-23T16:10:26", "tags": [ "united", "command decode", "segoe ui", "emoji", "meta", "script", "alienvault", "open threat", "exchange", "learn", "date", "roboto", "path", "iframe", "body", "virustotal", "february", "hybrid", "general", "click", "strings", "span", "contact", "ssl certificate", "whois record", "threat roundup", "june", "october", "pe resource", "september", "referrer", "historical ssl", "march", "august", "formbook", "suspicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": "65d85bc3164cd519bc4a282d", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Enqrypted", "id": "272105", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_272105/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 151, "FileHash-SHA1": 151, "FileHash-SHA256": 2254, "domain": 693, "hostname": 974, "URL": 3461, "CVE": 1 }, "indicator_count": 7685, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "756 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d85bc3164cd519bc4a282d", "name": "Win32:RansomX-gen\\ [Ransom] \u2022 Win32:MalwareX-gen\\ [Trj]", "description": "https://otx.alienvault.com/indicator/ doesn't finish loading. Unable to analyze detections.\nnetwork_icmp\nallocates_rwx\npacker_entropy\nhas_pdb\npe_unknown_resource_name\nsysinternals_tools_usage\nallocates_rwx\nsuspicious_process", "modified": "2024-03-24T08:04:17.098000", "created": "2024-02-23T08:48:03.696000", "tags": [ "united", "command decode", "segoe ui", "emoji", "meta", "script", "alienvault", "open threat", "exchange", "learn", "date", "roboto", "path", "iframe", "body", "virustotal", "february", "hybrid", "general", "click", "strings", "span", "contact", "ssl certificate", "whois record", "threat roundup", "june", "october", "pe resource", "september", "referrer", "historical ssl", "march", "august", "formbook", "suspicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 151, "FileHash-SHA1": 151, "FileHash-SHA256": 2254, "domain": 693, "hostname": 974, "URL": 3461, "CVE": 1 }, "indicator_count": 7685, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "756 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.ab.gitlab.gitlab.sandbox.avalon-invest.pro", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.ab.gitlab.gitlab.sandbox.avalon-invest.pro", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776617811.224406 }