{ "type": "URL", "indicator": "https://www.allnet.cn/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.allnet.cn/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3920761060, "indicator": "https://www.allnet.cn/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "66994bda3e150656cd5ac9dd", "name": "Browser Session Hijacking Various MyChart Phishing Scams", "description": "Ongoing issues with medical information hijacking. Various medical corporations affected. Tracking, medical, injection process, records retrieval, botnets.", "modified": "2024-08-17T16:01:11.866000", "created": "2024-07-18T17:07:38.719000", "tags": [ "historical ssl", "referrer", "domains", "august", "phishingscams", "domains part", "domain tracker", "roundup", "new problems", "privacy badger", "startpage", "self", "httponly", "samesitenone", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "pragma", "mychartlocale", "urls", "ip detections", "country", "contacted", "files", "file type", "name file", "gmbh", "cloudflare", "tucows", "ii llc", "alibaba cloud", "computing", "sample", "media t1091", "t1497 may", "mitre att", "access ta0001", "replication", "ta0004 process", "injection t1055", "defense evasion", "http requests", "get http", "request", "host", "dns resolutions", "ip traffic", "hashes", "tsara brashears", "red team", "hackers", "highly targeted", "critical risk", "cyberstalking", "apple", "apple ios", "logistics", "cyber defense", "guloader", "hacktool", "emotet", "phishing", "facebook", "malware", "hiddentear", "maze", "server", "domain status", "date", "algorithm", "google llc", "registrar abuse", "registrar", "record type", "ttl value", "aaaa", "whois lookup", "admin country", "ca creation", "dnssec", "markmonitor", "siblings", "whois lookups", "expiration date", "registrar iana", "creation date", "first", "united", "as15169 google", "cname", "status", "virtool", "cryp", "as396982 google", "search", "name servers", "win32", "remote" ], "references": [ "MyChart Phishing Scams", "exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82", "VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64-Trojan/Pakes.Exp", "display_name": "Win64-Trojan/Pakes.Exp", "target": null }, { "id": "Win64:RansomX-gen", "display_name": "Win64:RansomX-gen", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 37, "FileHash-SHA1": 33, "FileHash-SHA256": 3473, "domain": 693, "URL": 4384, "hostname": 1610, "CVE": 2, "email": 3 }, "indicator_count": 10235, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "611 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66931e9dcfaa71b740418cbf", "name": "Hijacked YouTuber Channel/s Unauthorized Admin | admin2.6cv25r3l.sbs", "description": "Social engineering most likely led to this. This admin is also controlling phones, media, medical systems, etc. I cannot adequately put it in words.", "modified": "2024-08-12T23:00:18.687000", "created": "2024-07-14T00:41:01.944000", "tags": [ "passive dns", "urls", "found", "gmt content", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "error", "code", "domain", "name", "algorithm", "create date", "expiry date", "query time", "united", "update date", "update", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "technology", "dns replication", "form", "server", "request email", "registrar abuse", "verisign", "icann whois", "data", "whois database", "email", "tech", "primary root", "serial number", "sha256 code", "signing ca", "file version", "ca valid", "from", "thumbprint", "vs2008", "domains", "enom", "markmonitor inc", "ip detections", "country", "contacted", "win32 exe", "panmap", "text", "file type", "b file", "hostname", "pulse pulses", "sha1", "sha256", "mitre att", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "hybrid", "possible", "local", "click", "strings", "contact", "http response", "final url", "ip address", "status code", "body length", "kb body", "reportto", "date fri", "unknown", "search", "showing", "as16276", "creation date", "emails", "name servers", "servers", "aaaa", "as15169 google", "gmt cache", "443 ma2592000", "ipv4", "asn as13335", "historical ssl", "threat roundup", "july", "ip check", "dns landscape", "iocs", "referrer", "youtube", "briansabey", "network", "attack", "cybercrime", "retaliation" ], "references": [ "admin2.6cv25r3l.sbs, 6cv25r3l.sbs", "Network Related [ATT&CK ID T1566] Possible high-risk domain detected details Domain: \"admin2.6cv25r3l.sbs\" possible high risk indicator source", "https://hybrid-analysis.com/sample/22530e989e1d0e1121edd79cb620951b0a78dc0a4a1fb7ae07719ebb2f2414b0", "Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "\"Crowdsourced YARA rules: Matches rule aPLib_decompression from ruleset aPLib_decompression by @r3c0nst Ruleset: \ufffc YARA ruleset cannot be loaded. Crowdsourced Sigma Rules CRITICAL 0 HIGH 2 MEDIUM 1 LOW 0 Matches rule Remote Thread Creation By Uncommon Source Image by Perez Diego (@darkquassar), oscd.community Matches rule Remote Thread Creation In Uncommon Target Image by Florian Roth (Nextron Systems) Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodo", "CSSR: Matches rule Remote Thread Creation By Uncommon Source Image by Perez Diego (@darkquassar), oscd.community", "CSSR: Matches rule Remote Thread Creation In Uncommon Target Image by Florian Roth (Nextron Systems) Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "CS IDS rules: Matches rule ET MALWARE Tinba Checkin 2 | Matches rule ET MALWARE [PTsecurity] Tinba Checkin 4", "CS IDS rules: Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP traceroute", "CS IDS rules: Matches rule (eth) truncated ethernet header Matches rule PROTOCOL-ICMP PING Matches rule PROTOCOL-ICMP Echo Reply", "MALWARE BANKER EVADER", "CSR YARA rules: Matches rule aPLib_decompression from ruleset aPLib_decompression by @r3c0nst" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114.003", "name": "Email Forwarding Rule", "display_name": "T1114.003 - Email Forwarding Rule" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1401", "name": "Device Administrator Permissions", "display_name": "T1401 - Device Administrator Permissions" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 595, "hostname": 244, "URL": 400, "FileHash-SHA256": 759, "FileHash-MD5": 78, "FileHash-SHA1": 75, "CIDR": 1, "email": 5 }, "indicator_count": 2157, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "615 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "CSSR: Matches rule Remote Thread Creation By Uncommon Source Image by Perez Diego (@darkquassar), oscd.community", "CSSR: Matches rule Remote Thread Creation In Uncommon Target Image by Florian Roth (Nextron Systems) Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "CSR YARA rules: Matches rule aPLib_decompression from ruleset aPLib_decompression by @r3c0nst", "VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]", "CS IDS rules: Matches rule (eth) truncated ethernet header Matches rule PROTOCOL-ICMP PING Matches rule PROTOCOL-ICMP Echo Reply", "MALWARE BANKER EVADER", "CS IDS rules: Matches rule ET MALWARE Tinba Checkin 2 | Matches rule ET MALWARE [PTsecurity] Tinba Checkin 4", "exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82", "https://hybrid-analysis.com/sample/22530e989e1d0e1121edd79cb620951b0a78dc0a4a1fb7ae07719ebb2f2414b0", "Network Related [ATT&CK ID T1566] Possible high-risk domain detected details Domain: \"admin2.6cv25r3l.sbs\" possible high risk indicator source", "\"Crowdsourced YARA rules: Matches rule aPLib_decompression from ruleset aPLib_decompression by @r3c0nst Ruleset: \ufffc YARA ruleset cannot be loaded. Crowdsourced Sigma Rules CRITICAL 0 HIGH 2 MEDIUM 1 LOW 0 Matches rule Remote Thread Creation By Uncommon Source Image by Perez Diego (@darkquassar), oscd.community Matches rule Remote Thread Creation In Uncommon Target Image by Florian Roth (Nextron Systems) Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodo", "CS IDS rules: Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP traceroute", "MyChart Phishing Scams", "Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "admin2.6cv25r3l.sbs, 6cv25r3l.sbs" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win64:ransomx-gen", "Win64-trojan/pakes.exp" ], "industries": [ "Healthcare", "Technology" ], "unique_indicators": 12420 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/allnet.cn", "whois": "http://whois.domaintools.com/allnet.cn", "domain": "allnet.cn", "hostname": "www.allnet.cn" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "66994bda3e150656cd5ac9dd", "name": "Browser Session Hijacking Various MyChart Phishing Scams", "description": "Ongoing issues with medical information hijacking. Various medical corporations affected. Tracking, medical, injection process, records retrieval, botnets.", "modified": "2024-08-17T16:01:11.866000", "created": "2024-07-18T17:07:38.719000", "tags": [ "historical ssl", "referrer", "domains", "august", "phishingscams", "domains part", "domain tracker", "roundup", "new problems", "privacy badger", "startpage", "self", "httponly", "samesitenone", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "pragma", "mychartlocale", "urls", "ip detections", "country", "contacted", "files", "file type", "name file", "gmbh", "cloudflare", "tucows", "ii llc", "alibaba cloud", "computing", "sample", "media t1091", "t1497 may", "mitre att", "access ta0001", "replication", "ta0004 process", "injection t1055", "defense evasion", "http requests", "get http", "request", "host", "dns resolutions", "ip traffic", "hashes", "tsara brashears", "red team", "hackers", "highly targeted", "critical risk", "cyberstalking", "apple", "apple ios", "logistics", "cyber defense", "guloader", "hacktool", "emotet", "phishing", "facebook", "malware", "hiddentear", "maze", "server", "domain status", "date", "algorithm", "google llc", "registrar abuse", "registrar", "record type", "ttl value", "aaaa", "whois lookup", "admin country", "ca creation", "dnssec", "markmonitor", "siblings", "whois lookups", "expiration date", "registrar iana", "creation date", "first", "united", "as15169 google", "cname", "status", "virtool", "cryp", "as396982 google", "search", "name servers", "win32", "remote" ], "references": [ "MyChart Phishing Scams", "exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82", "VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64-Trojan/Pakes.Exp", "display_name": "Win64-Trojan/Pakes.Exp", "target": null }, { "id": "Win64:RansomX-gen", "display_name": "Win64:RansomX-gen", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 37, "FileHash-SHA1": 33, "FileHash-SHA256": 3473, "domain": 693, "URL": 4384, "hostname": 1610, "CVE": 2, "email": 3 }, "indicator_count": 10235, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "611 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66931e9dcfaa71b740418cbf", "name": "Hijacked YouTuber Channel/s Unauthorized Admin | admin2.6cv25r3l.sbs", "description": "Social engineering most likely led to this. This admin is also controlling phones, media, medical systems, etc. I cannot adequately put it in words.", "modified": "2024-08-12T23:00:18.687000", "created": "2024-07-14T00:41:01.944000", "tags": [ "passive dns", "urls", "found", "gmt content", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "error", "code", "domain", "name", "algorithm", "create date", "expiry date", "query time", "united", "update date", "update", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "technology", "dns replication", "form", "server", "request email", "registrar abuse", "verisign", "icann whois", "data", "whois database", "email", "tech", "primary root", "serial number", "sha256 code", "signing ca", "file version", "ca valid", "from", "thumbprint", "vs2008", "domains", "enom", "markmonitor inc", "ip detections", "country", "contacted", "win32 exe", "panmap", "text", "file type", "b file", "hostname", "pulse pulses", "sha1", "sha256", "mitre att", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "hybrid", "possible", "local", "click", "strings", "contact", "http response", "final url", "ip address", "status code", "body length", "kb body", "reportto", "date fri", "unknown", "search", "showing", "as16276", "creation date", "emails", "name servers", "servers", "aaaa", "as15169 google", "gmt cache", "443 ma2592000", "ipv4", "asn as13335", "historical ssl", "threat roundup", "july", "ip check", "dns landscape", "iocs", "referrer", "youtube", "briansabey", "network", "attack", "cybercrime", "retaliation" ], "references": [ "admin2.6cv25r3l.sbs, 6cv25r3l.sbs", "Network Related [ATT&CK ID T1566] Possible high-risk domain detected details Domain: \"admin2.6cv25r3l.sbs\" possible high risk indicator source", "https://hybrid-analysis.com/sample/22530e989e1d0e1121edd79cb620951b0a78dc0a4a1fb7ae07719ebb2f2414b0", "Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "\"Crowdsourced YARA rules: Matches rule aPLib_decompression from ruleset aPLib_decompression by @r3c0nst Ruleset: \ufffc YARA ruleset cannot be loaded. Crowdsourced Sigma Rules CRITICAL 0 HIGH 2 MEDIUM 1 LOW 0 Matches rule Remote Thread Creation By Uncommon Source Image by Perez Diego (@darkquassar), oscd.community Matches rule Remote Thread Creation In Uncommon Target Image by Florian Roth (Nextron Systems) Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodo", "CSSR: Matches rule Remote Thread Creation By Uncommon Source Image by Perez Diego (@darkquassar), oscd.community", "CSSR: Matches rule Remote Thread Creation In Uncommon Target Image by Florian Roth (Nextron Systems) Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "CS IDS rules: Matches rule ET MALWARE Tinba Checkin 2 | Matches rule ET MALWARE [PTsecurity] Tinba Checkin 4", "CS IDS rules: Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP traceroute", "CS IDS rules: Matches rule (eth) truncated ethernet header Matches rule PROTOCOL-ICMP PING Matches rule PROTOCOL-ICMP Echo Reply", "MALWARE BANKER EVADER", "CSR YARA rules: Matches rule aPLib_decompression from ruleset aPLib_decompression by @r3c0nst" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114.003", "name": "Email Forwarding Rule", "display_name": "T1114.003 - Email Forwarding Rule" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1401", "name": "Device Administrator Permissions", "display_name": "T1401 - Device Administrator Permissions" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 595, "hostname": 244, "URL": 400, "FileHash-SHA256": 759, "FileHash-MD5": 78, "FileHash-SHA1": 75, "CIDR": 1, "email": 5 }, "indicator_count": 2157, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "615 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.allnet.cn/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.allnet.cn/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776704326.9249353 }