{ "type": "URL", "indicator": "https://www.captcha.eu", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.captcha.eu", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3785790640, "indicator": "https://www.captcha.eu", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "656457d8dfbb95a0be58b263", "name": "PHI at risk? Infected Healthcare System? Masquerading", "description": "Masquerading. Obnoxious privilege escalation. Dangerous entanglements. Attorneys representing target, reinsurance, doctors, and alleged SA PT 'seemingly' involved with attacking & silencing Brashears. Tulach Malware present. Masquerading? Health care establishment and patient PHI at risk. Targets safety @ risk. Found in workers compensation (spoofed?) attorney link.\nhttp://kaplanmorrell.com/meet-kaplan-morrel/meet-ronda-cordova/ (OTX Auto populated: Researchers from the Institute for Strategic Research (MITRE) in the United States have produced a report on the threat posed to the US government by hackers using the \"fireeyei\" web address.)", "modified": "2023-12-27T06:00:26.403000", "created": "2023-11-27T08:48:22.997000", "tags": [ "windir", "json data", "getprocaddress", "localappdata", "ascii text", "temp", "unicode text", "indicator", "file", "pattern match", "path", "factory", "hybrid", "general", "detection list", "blacklist", "alexa top", "cisco umbrella", "site", "million", "safe site", "malware", "malicious site", "alexa", "phishing site", "malware site", "unsafe", "netsky", "malicious", "downldr", "raccoon", "redline stealer", "metastealer", "phishing", "cobalt strike", "icedid", "opencandy", "exploit", "riskware", "agent", "xrat", "download", "mimikatz", "quasar rat", "union", "team", "bank", "cve201711882", "vidar", "swrort", "win64", "suspicious", "deepscan", "trojanspy", "maltiverse", "united", "proxy", "firehol", "possiblecerber", "outlook", "covid19", "artemis", "generic malware", "tag count", "malware generic", "wed sep", "threat report", "summary", "sample", "samples", "first", "ssl certificate", "threat roundup", "whois record", "contacted", "historical ssl", "march", "referrer", "july", "historical", "whois whois", "june", "execution", "august", "copy", "april", "hacktool", "skynet", "threat analyzer", "threat", "paste", "iocs", "urls https", "productidis", "heur", "anonymizer", "adware", "ransomware", "fuery", "rostpay", "wacatac", "genkryptik", "qakbot", "asyncrat", "installcore", "downloader", "driverpack", "systweak", "encdoc", "kryptik", "bitrep", "killav", "t", "noname057", "keylogger", "spyware", "ip summary", "url summary", "generic", "blacklist http", "malicious url", "iframe", "seraph", "webcompanion", "facebook", "crack", "xtrat", "cleaner", "azorult", "service", "runescape", "emotet", "blacknet rat", "stealer", "coinminer", "dropper", "fakealert", "conduit", "softcnapp", "nircmd", "unruy", "filetour", "patcher", "adload", "junk data", "random domains", "random hosts", "tsara brashears", "target", "phi", "uchealth", "content generating", "Web generator", "installcore" ], "references": [ "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996/65642d5cfa9d60126100612e", "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://fireeyei.iowa.gov/", "http://michaela.young@uchealth.com/", "http://uchealth.com/physician/frank-avilucea/", "https://my.uchealth.com/myuchealth/Visits/VisitDetails?csn=WP-24%E2%80%A6FJ0JuA-3D-3D-24vasu1ISpMoMuqD8IMEos5jRZZFiBtfPMciW-2FFH52VaQ-3D", "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf", "https://my.uchealth.com/myuchealth/inside.asp?mode=visitsummary&submode=notes&csn=WP-24PtuJGFUkCkn9owS5DdIspw-3D-3D-24g6bhGYash%E2%80%A6", "https://www.energyvanguard.com/blog/59284/Guest-Post-The-Fatal-Flaw-in-Advanced-Framing-Part-1", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=", "https://www.wlafx4trk.com/cmp/33K48/5ZK2T/?source_id=95_1236_91dabe93-2a51-4b93-bfd3-4a4bd7e00ff3_31&sub1=4df5b890c55d4bdead5ba03dde982afa", "https://yugemobile.com/tracking?plcmntid=ym5002&imps=2dda8436-396e-4b37-a917-0cce11ffb623", "Found in http://kaplanmorrell.com/meet-kaplan-morrel/meet-ronda-cordova/", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net (b.link infringement)", "nr-data.net (Apple Private Data Collection)", "uapi-qa.stlouisfed.org (Hospital Metadata)", "abc7news.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "T", "display_name": "T", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "O.Gen", "display_name": "O.Gen", "target": null }, { "id": "DriverReviver", "display_name": "DriverReviver", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "XRAT", "display_name": "XRAT", "target": null }, { "id": "Keylogger", "display_name": "Keylogger", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 789, "FileHash-SHA256": 5146, "SSLCertFingerprint": 2, "domain": 1794, "URL": 2130, "hostname": 1025, "FileHash-MD5": 1478, "CVE": 15 }, "indicator_count": 12379, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a9a1c71847ed3f62bca19", "name": "PHI at risk? Infected Healthcare System? Masquerading", "description": "", "modified": "2023-12-27T06:00:26.403000", "created": "2023-12-02T02:44:44.329000", "tags": [ "windir", "json data", "getprocaddress", "localappdata", "ascii text", "temp", "unicode text", "indicator", "file", "pattern match", "path", "factory", "hybrid", "general", "detection list", "blacklist", "alexa top", "cisco umbrella", "site", "million", "safe site", "malware", "malicious site", "alexa", "phishing site", "malware site", "unsafe", "netsky", "malicious", "downldr", "raccoon", "redline stealer", "metastealer", "phishing", "cobalt strike", "icedid", "opencandy", "exploit", "riskware", "agent", "xrat", "download", "mimikatz", "quasar rat", "union", "team", "bank", "cve201711882", "vidar", "swrort", "win64", "suspicious", "deepscan", "trojanspy", "maltiverse", "united", "proxy", "firehol", "possiblecerber", "outlook", "covid19", "artemis", "generic malware", "tag count", "malware generic", "wed sep", "threat report", "summary", "sample", "samples", "first", "ssl certificate", "threat roundup", "whois record", "contacted", "historical ssl", "march", "referrer", "july", "historical", "whois whois", "june", "execution", "august", "copy", "april", "hacktool", "skynet", "threat analyzer", "threat", "paste", "iocs", "urls https", "productidis", "heur", "anonymizer", "adware", "ransomware", "fuery", "rostpay", "wacatac", "genkryptik", "qakbot", "asyncrat", "installcore", "downloader", "driverpack", "systweak", "encdoc", "kryptik", "bitrep", "killav", "t", "noname057", "keylogger", "spyware", "ip summary", "url summary", "generic", "blacklist http", "malicious url", "iframe", "seraph", "webcompanion", "facebook", "crack", "xtrat", "cleaner", "azorult", "service", "runescape", "emotet", "blacknet rat", "stealer", "coinminer", "dropper", "fakealert", "conduit", "softcnapp", "nircmd", "unruy", "filetour", "patcher", "adload", "junk data", "random domains", "random hosts", "tsara brashears", "target", "phi", "uchealth", "content generating", "Web generator", "installcore" ], "references": [ "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996/65642d5cfa9d60126100612e", "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://fireeyei.iowa.gov/", "http://michaela.young@uchealth.com/", "http://uchealth.com/physician/frank-avilucea/", "https://my.uchealth.com/myuchealth/Visits/VisitDetails?csn=WP-24%E2%80%A6FJ0JuA-3D-3D-24vasu1ISpMoMuqD8IMEos5jRZZFiBtfPMciW-2FFH52VaQ-3D", "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf", "https://my.uchealth.com/myuchealth/inside.asp?mode=visitsummary&submode=notes&csn=WP-24PtuJGFUkCkn9owS5DdIspw-3D-3D-24g6bhGYash%E2%80%A6", "https://www.energyvanguard.com/blog/59284/Guest-Post-The-Fatal-Flaw-in-Advanced-Framing-Part-1", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=", "https://www.wlafx4trk.com/cmp/33K48/5ZK2T/?source_id=95_1236_91dabe93-2a51-4b93-bfd3-4a4bd7e00ff3_31&sub1=4df5b890c55d4bdead5ba03dde982afa", "https://yugemobile.com/tracking?plcmntid=ym5002&imps=2dda8436-396e-4b37-a917-0cce11ffb623", "Found in http://kaplanmorrell.com/meet-kaplan-morrel/meet-ronda-cordova/", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net (b.link infringement)", "nr-data.net (Apple Private Data Collection)", "uapi-qa.stlouisfed.org (Hospital Metadata)", "abc7news.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "T", "display_name": "T", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "O.Gen", "display_name": "O.Gen", "target": null }, { "id": "DriverReviver", "display_name": "DriverReviver", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "XRAT", "display_name": "XRAT", "target": null }, { "id": "Keylogger", "display_name": "Keylogger", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "656457d8dfbb95a0be58b263", "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 789, "FileHash-SHA256": 5146, "SSLCertFingerprint": 2, "domain": 1794, "URL": 2130, "hostname": 1025, "FileHash-MD5": 1478, "CVE": 15 }, "indicator_count": 12379, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656aa406d0b8009df583c87c", "name": "PHI at risk? Infected Healthcare System? Masquerading", "description": "", "modified": "2023-12-27T06:00:26.403000", "created": "2023-12-02T03:27:02.624000", "tags": [ "windir", "json data", "getprocaddress", "localappdata", "ascii text", "temp", "unicode text", "indicator", "file", "pattern match", "path", "factory", "hybrid", "general", "detection list", "blacklist", "alexa top", "cisco umbrella", "site", "million", "safe site", "malware", "malicious site", "alexa", "phishing site", "malware site", "unsafe", "netsky", "malicious", "downldr", "raccoon", "redline stealer", "metastealer", "phishing", "cobalt strike", "icedid", "opencandy", "exploit", "riskware", "agent", "xrat", "download", "mimikatz", "quasar rat", "union", "team", "bank", "cve201711882", "vidar", "swrort", "win64", "suspicious", "deepscan", "trojanspy", "maltiverse", "united", "proxy", "firehol", "possiblecerber", "outlook", "covid19", "artemis", "generic malware", "tag count", "malware generic", "wed sep", "threat report", "summary", "sample", "samples", "first", "ssl certificate", "threat roundup", "whois record", "contacted", "historical ssl", "march", "referrer", "july", "historical", "whois whois", "june", "execution", "august", "copy", "april", "hacktool", "skynet", "threat analyzer", "threat", "paste", "iocs", "urls https", "productidis", "heur", "anonymizer", "adware", "ransomware", "fuery", "rostpay", "wacatac", "genkryptik", "qakbot", "asyncrat", "installcore", "downloader", "driverpack", "systweak", "encdoc", "kryptik", "bitrep", "killav", "t", "noname057", "keylogger", "spyware", "ip summary", "url summary", "generic", "blacklist http", "malicious url", "iframe", "seraph", "webcompanion", "facebook", "crack", "xtrat", "cleaner", "azorult", "service", "runescape", "emotet", "blacknet rat", "stealer", "coinminer", "dropper", "fakealert", "conduit", "softcnapp", "nircmd", "unruy", "filetour", "patcher", "adload", "junk data", "random domains", "random hosts", "tsara brashears", "target", "phi", "uchealth", "content generating", "Web generator", "installcore" ], "references": [ "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996/65642d5cfa9d60126100612e", "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://fireeyei.iowa.gov/", "http://michaela.young@uchealth.com/", "http://uchealth.com/physician/frank-avilucea/", "https://my.uchealth.com/myuchealth/Visits/VisitDetails?csn=WP-24%E2%80%A6FJ0JuA-3D-3D-24vasu1ISpMoMuqD8IMEos5jRZZFiBtfPMciW-2FFH52VaQ-3D", "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf", "https://my.uchealth.com/myuchealth/inside.asp?mode=visitsummary&submode=notes&csn=WP-24PtuJGFUkCkn9owS5DdIspw-3D-3D-24g6bhGYash%E2%80%A6", "https://www.energyvanguard.com/blog/59284/Guest-Post-The-Fatal-Flaw-in-Advanced-Framing-Part-1", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=", "https://www.wlafx4trk.com/cmp/33K48/5ZK2T/?source_id=95_1236_91dabe93-2a51-4b93-bfd3-4a4bd7e00ff3_31&sub1=4df5b890c55d4bdead5ba03dde982afa", "https://yugemobile.com/tracking?plcmntid=ym5002&imps=2dda8436-396e-4b37-a917-0cce11ffb623", "Found in http://kaplanmorrell.com/meet-kaplan-morrel/meet-ronda-cordova/", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net (b.link infringement)", "nr-data.net (Apple Private Data Collection)", "uapi-qa.stlouisfed.org (Hospital Metadata)", "abc7news.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "T", "display_name": "T", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "O.Gen", "display_name": "O.Gen", "target": null }, { "id": "DriverReviver", "display_name": "DriverReviver", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "XRAT", "display_name": "XRAT", "target": null }, { "id": "Keylogger", "display_name": "Keylogger", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "656457d8dfbb95a0be58b263", "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 789, "FileHash-SHA256": 5146, "SSLCertFingerprint": 2, "domain": 1794, "URL": 2130, "hostname": 1025, "FileHash-MD5": 1478, "CVE": 15 }, "indicator_count": 12379, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6561581c55aacc7f571968af", "name": "Mirai | Inmortal | Loki | SpyEye", "description": "attack, cyber threat, network, vehicle tracking, cnc, athena cyber stalking, betabot, social engineering, Cisco umbrella, bambernek simda, active threat, ongoing spreader, spyware, redline stealer, qakbot, anilise, milemighmedia, sweetheart videos botnetwork, targeting , redirects, network, targeted toyota tracking", "modified": "2023-12-25T01:00:05.300000", "created": "2023-11-25T02:12:44.278000", "tags": [ "replication", "date", "graph summary", "ssl certificate", "contacted", "whois record", "historical ssl", "threat roundup", "august", "tsara brashears", "whois whois", "execution", "dropped", "february", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "million", "alexa top", "team", "malicious site", "malware", "phishing", "union", "bank", "unsafe", "united", "bambernek simda", "commerce", "pykspa", "bambernek", "ip reputation", "database", "vawtrak", "blacklist http", "search live", "api blog", "docs pricing", "login", "november", "de indicators", "domains", "hashes", "copyright", "gmbh version", "reverse dns", "software", "general full", "resource", "hash", "get h2", "protocol h2", "security tls", "url http", "main", "attention", "please", "adblock pro", "loki", "mon jul", "first", "linkid252669", "pjp3sltkz", "heur", "malware site", "phishing site", "artemis", "iframe", "riskware", "exploit", "fakealert", "nircmd", "swrort", "downldr", "crack", "filetour", "cleaner", "wacatac", "xtrat", "genkryptik", "opencandy", "tiggre", "presenoker", "agent", "conduit", "xrat", "coinminer", "dropper", "alexa", "acint", "systweak", "behav", "download", "zbot", "xtreme", "installcore", "unruy", "patcher", "adload", "win64", "applicunwnt", "trojanspy", "webtoolbar", "cyber threat", "engineering", "firehol", "phishtank", "emotet", "ransomware", "malicious", "cobalt strike", "suppobox", "bradesco", "facebook", "banco", "nymaim", "smsspy", "stealer", "service", "mirai", "pony", "nanocore", "asyncrat", "downloader", "deepscan", "virut", "qakbot", "name verdict", "falcon sandbox", "blacklist https", "malicious url", "filerepmetagen", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "C2", "command_and_control", "spyware", "tracking", "targeting", "cyber stalking", "hostname", "simda", "kraken", "betabot", "zeus", "ramnit", "plasma", "citadel", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "spyeye", "vskimmer", "spitmo", "slingshot", "warbot", "redline stealer", "steam", "bandoo", "matsnu", "maltiverse", "bambernek gen", "internet storm", "infy", "inmortal", "addtopayload", "attack", "malvertizing" ], "references": [ "https://networkpccontrol.com/video-player-1/?clickid=4030fe2twwhgxaa9&domain=standardtrackerchain.com&uclick=e2twwhgx&uclickhash=e2twwhgx-e2twwhgx-xoq53y-0-3zvc3y-oj1m9r-oj1m1n-5da44a", "https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45/65609b66e63f64cae305c749", "https://www.hybrid-analysis.com/sample/347314196559e7fbc75fc532daa774727b897d3a2156ea1328861f3b66f677a5/656146284d68f73e2306b6ad", "http://dev.findatoyota.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "MilesMX", "display_name": "MilesMX", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 81, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2450, "FileHash-SHA256": 2684, "domain": 1254, "URL": 9244, "CVE": 13, "FileHash-MD5": 931, "FileHash-SHA1": 487 }, "indicator_count": 17063, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "846 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65612df1531ea0c35d79b1f4", "name": "BlackNET RAT | CIArmyTracking: http://dev.findatoyota.com/", "description": "Source: http://dev.findatoyota.com/\ntracking, vehicle tracking, mobile phone tracking, active threat , warbot, target tracking, tracking targeted associates, network, cyber stalking, boomrmq string, malvertizing\n\n\nResource: https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45", "modified": "2023-12-24T22:02:36.942000", "created": "2023-11-24T23:12:49.909000", "tags": [ "adgroupid", "x350", "lwii", "ejan", "kfrontier", "qkvt0tvj ejan", "eja ota", "njii", "mqkvt0tvj ejan", "eqkoatlvqia", "unknown", "expiration", "no expiration", "url https", "url http", "iocs", "vj101", "slc1", "scan endpoints", "all octoseek", "create new", "uw1600", "uh1200", "next", "pulse use", "searchbox0", "kwwikipedia", "bit64", "oswindows", "cardstandard", "pack", "kw1download", "qchlemail no", "bit32bit", "ver9", "from", "mpass", "num0", "dig0", "kbetu1", "maxads0", "kld1040", "opnslfp1", "downloader", "pdf report", "clickid", "price", "campaignid", "domain", "text", "hostname", "aufffdufffd", "hostname xn", "pcap", "filehashsha256", "stix", "filehashmd5", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 805, "URL": 9065, "hostname": 3080, "FileHash-MD5": 1373, "domain": 1190, "FileHash-SHA256": 3468, "email": 6, "CIDR": 4, "CVE": 12 }, "indicator_count": 19003, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65612df2a7b287c614a94f94", "name": "BlackNET RAT | CIArmyTracking: http://dev.findatoyota.com/", "description": "Source: http://dev.findatoyota.com/\ntracking, vehicle tracking, mobile phone tracking, active threat , warbot, target tracking, tracking targeted associates, network, cyber stalking, boomrmq string, malvertizing\n\n\nResource: https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45", "modified": "2023-12-24T22:02:36.942000", "created": "2023-11-24T23:12:50.158000", "tags": [ "adgroupid", "x350", "lwii", "ejan", "kfrontier", "qkvt0tvj ejan", "eja ota", "njii", "mqkvt0tvj ejan", "eqkoatlvqia", "unknown", "expiration", "no expiration", "url https", "url http", "iocs", "vj101", "slc1", "scan endpoints", "all octoseek", "create new", "uw1600", "uh1200", "next", "pulse use", "searchbox0", "kwwikipedia", "bit64", "oswindows", "cardstandard", "pack", "kw1download", "qchlemail no", "bit32bit", "ver9", "from", "mpass", "num0", "dig0", "kbetu1", "maxads0", "kld1040", "opnslfp1", "downloader", "pdf report", "clickid", "price", "campaignid", "domain", "text", "hostname", "aufffdufffd", "hostname xn", "pcap", "filehashsha256", "stix", "filehashmd5", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 805, "URL": 9065, "hostname": 3080, "FileHash-MD5": 1373, "domain": 1190, "FileHash-SHA256": 3468, "email": 6, "CIDR": 4, "CVE": 12 }, "indicator_count": 19003, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656e19dfeee6ead11dc6354e", "name": "BlackNET RAT | CIArmyTracking: http://dev.findatoyota.com/", "description": "", "modified": "2023-12-24T22:02:36.942000", "created": "2023-12-04T18:26:39.448000", "tags": [ "adgroupid", "x350", "lwii", "ejan", "kfrontier", "qkvt0tvj ejan", "eja ota", "njii", "mqkvt0tvj ejan", "eqkoatlvqia", "unknown", "expiration", "no expiration", "url https", "url http", "iocs", "vj101", "slc1", "scan endpoints", "all octoseek", "create new", "uw1600", "uh1200", "next", "pulse use", "searchbox0", "kwwikipedia", "bit64", "oswindows", "cardstandard", "pack", "kw1download", "qchlemail no", "bit32bit", "ver9", "from", "mpass", "num0", "dig0", "kbetu1", "maxads0", "kld1040", "opnslfp1", "downloader", "pdf report", "clickid", "price", "campaignid", "domain", "text", "hostname", "aufffdufffd", "hostname xn", "pcap", "filehashsha256", "stix", "filehashmd5", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65612df2a7b287c614a94f94", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 805, "URL": 9065, "hostname": 3080, "FileHash-MD5": 1373, "domain": 1190, "FileHash-SHA256": 3468, "email": 6, "CIDR": 4, "CVE": 12 }, "indicator_count": 19003, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "uapi-qa.stlouisfed.org (Hospital Metadata)", "https://my.uchealth.com/myuchealth/Visits/VisitDetails?csn=WP-24%E2%80%A6FJ0JuA-3D-3D-24vasu1ISpMoMuqD8IMEos5jRZZFiBtfPMciW-2FFH52VaQ-3D", "http://fireeyei.iowa.gov/", "http://dev.findatoyota.com/", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=", "https://yugemobile.com/tracking?plcmntid=ym5002&imps=2dda8436-396e-4b37-a917-0cce11ffb623", "https://www.hybrid-analysis.com/sample/347314196559e7fbc75fc532daa774727b897d3a2156ea1328861f3b66f677a5/656146284d68f73e2306b6ad", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net (b.link infringement)", "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996", "nr-data.net (Apple Private Data Collection)", "https://www.wlafx4trk.com/cmp/33K48/5ZK2T/?source_id=95_1236_91dabe93-2a51-4b93-bfd3-4a4bd7e00ff3_31&sub1=4df5b890c55d4bdead5ba03dde982afa", "https://networkpccontrol.com/video-player-1/?clickid=4030fe2twwhgxaa9&domain=standardtrackerchain.com&uclick=e2twwhgx&uclickhash=e2twwhgx-e2twwhgx-xoq53y-0-3zvc3y-oj1m9r-oj1m1n-5da44a", "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf", "http://uchealth.com/physician/frank-avilucea/", "https://my.uchealth.com/myuchealth/inside.asp?mode=visitsummary&submode=notes&csn=WP-24PtuJGFUkCkn9owS5DdIspw-3D-3D-24g6bhGYash%E2%80%A6", "https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45/65609b66e63f64cae305c749", "Found in http://kaplanmorrell.com/meet-kaplan-morrel/meet-ronda-cordova/", "https://www.energyvanguard.com/blog/59284/Guest-Post-The-Fatal-Flaw-in-Advanced-Framing-Part-1", "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996/65642d5cfa9d60126100612e", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "abc7news.com", "http://michaela.young@uchealth.com/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Maltiverse", "Domains", "Trojanspy", "O.gen", "T", "Driverreviver", "Qakbot - s0650", "Webtoolbar", "Redline", "Inmortal", "Milesmx", "Keylogger", "Citadel", "Quasar", "Xrat", "Spyeye", "Generic" ], "industries": [], "unique_indicators": 37185 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/captcha.eu", "whois": "http://whois.domaintools.com/captcha.eu", "domain": "captcha.eu", "hostname": "www.captcha.eu" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "656457d8dfbb95a0be58b263", "name": "PHI at risk? Infected Healthcare System? Masquerading", "description": "Masquerading. Obnoxious privilege escalation. Dangerous entanglements. Attorneys representing target, reinsurance, doctors, and alleged SA PT 'seemingly' involved with attacking & silencing Brashears. Tulach Malware present. Masquerading? Health care establishment and patient PHI at risk. Targets safety @ risk. Found in workers compensation (spoofed?) attorney link.\nhttp://kaplanmorrell.com/meet-kaplan-morrel/meet-ronda-cordova/ (OTX Auto populated: Researchers from the Institute for Strategic Research (MITRE) in the United States have produced a report on the threat posed to the US government by hackers using the \"fireeyei\" web address.)", "modified": "2023-12-27T06:00:26.403000", "created": "2023-11-27T08:48:22.997000", "tags": [ "windir", "json data", "getprocaddress", "localappdata", "ascii text", "temp", "unicode text", "indicator", "file", "pattern match", "path", "factory", "hybrid", "general", "detection list", "blacklist", "alexa top", "cisco umbrella", "site", "million", "safe site", "malware", "malicious site", "alexa", "phishing site", "malware site", "unsafe", "netsky", "malicious", "downldr", "raccoon", "redline stealer", "metastealer", "phishing", "cobalt strike", "icedid", "opencandy", "exploit", "riskware", "agent", "xrat", "download", "mimikatz", "quasar rat", "union", "team", "bank", "cve201711882", "vidar", "swrort", "win64", "suspicious", "deepscan", "trojanspy", "maltiverse", "united", "proxy", "firehol", "possiblecerber", "outlook", "covid19", "artemis", "generic malware", "tag count", "malware generic", "wed sep", "threat report", "summary", "sample", "samples", "first", "ssl certificate", "threat roundup", "whois record", "contacted", "historical ssl", "march", "referrer", "july", "historical", "whois whois", "june", "execution", "august", "copy", "april", "hacktool", "skynet", "threat analyzer", "threat", "paste", "iocs", "urls https", "productidis", "heur", "anonymizer", "adware", "ransomware", "fuery", "rostpay", "wacatac", "genkryptik", "qakbot", "asyncrat", "installcore", "downloader", "driverpack", "systweak", "encdoc", "kryptik", "bitrep", "killav", "t", "noname057", "keylogger", "spyware", "ip summary", "url summary", "generic", "blacklist http", "malicious url", "iframe", "seraph", "webcompanion", "facebook", "crack", "xtrat", "cleaner", "azorult", "service", "runescape", "emotet", "blacknet rat", "stealer", "coinminer", "dropper", "fakealert", "conduit", "softcnapp", "nircmd", "unruy", "filetour", "patcher", "adload", "junk data", "random domains", "random hosts", "tsara brashears", "target", "phi", "uchealth", "content generating", "Web generator", "installcore" ], "references": [ "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996/65642d5cfa9d60126100612e", "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://fireeyei.iowa.gov/", "http://michaela.young@uchealth.com/", "http://uchealth.com/physician/frank-avilucea/", "https://my.uchealth.com/myuchealth/Visits/VisitDetails?csn=WP-24%E2%80%A6FJ0JuA-3D-3D-24vasu1ISpMoMuqD8IMEos5jRZZFiBtfPMciW-2FFH52VaQ-3D", "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf", "https://my.uchealth.com/myuchealth/inside.asp?mode=visitsummary&submode=notes&csn=WP-24PtuJGFUkCkn9owS5DdIspw-3D-3D-24g6bhGYash%E2%80%A6", "https://www.energyvanguard.com/blog/59284/Guest-Post-The-Fatal-Flaw-in-Advanced-Framing-Part-1", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=", "https://www.wlafx4trk.com/cmp/33K48/5ZK2T/?source_id=95_1236_91dabe93-2a51-4b93-bfd3-4a4bd7e00ff3_31&sub1=4df5b890c55d4bdead5ba03dde982afa", "https://yugemobile.com/tracking?plcmntid=ym5002&imps=2dda8436-396e-4b37-a917-0cce11ffb623", "Found in http://kaplanmorrell.com/meet-kaplan-morrel/meet-ronda-cordova/", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net (b.link infringement)", "nr-data.net (Apple Private Data Collection)", "uapi-qa.stlouisfed.org (Hospital Metadata)", "abc7news.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "T", "display_name": "T", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "O.Gen", "display_name": "O.Gen", "target": null }, { "id": "DriverReviver", "display_name": "DriverReviver", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "XRAT", "display_name": "XRAT", "target": null }, { "id": "Keylogger", "display_name": "Keylogger", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 789, "FileHash-SHA256": 5146, "SSLCertFingerprint": 2, "domain": 1794, "URL": 2130, "hostname": 1025, "FileHash-MD5": 1478, "CVE": 15 }, "indicator_count": 12379, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a9a1c71847ed3f62bca19", "name": "PHI at risk? Infected Healthcare System? Masquerading", "description": "", "modified": "2023-12-27T06:00:26.403000", "created": "2023-12-02T02:44:44.329000", "tags": [ "windir", "json data", "getprocaddress", "localappdata", "ascii text", "temp", "unicode text", "indicator", "file", "pattern match", "path", "factory", "hybrid", "general", "detection list", "blacklist", "alexa top", "cisco umbrella", "site", "million", "safe site", "malware", "malicious site", "alexa", "phishing site", "malware site", "unsafe", "netsky", "malicious", "downldr", "raccoon", "redline stealer", "metastealer", "phishing", "cobalt strike", "icedid", "opencandy", "exploit", "riskware", "agent", "xrat", "download", "mimikatz", "quasar rat", "union", "team", "bank", "cve201711882", "vidar", "swrort", "win64", "suspicious", "deepscan", "trojanspy", "maltiverse", "united", "proxy", "firehol", "possiblecerber", "outlook", "covid19", "artemis", "generic malware", "tag count", "malware generic", "wed sep", "threat report", "summary", "sample", "samples", "first", "ssl certificate", "threat roundup", "whois record", "contacted", "historical ssl", "march", "referrer", "july", "historical", "whois whois", "june", "execution", "august", "copy", "april", "hacktool", "skynet", "threat analyzer", "threat", "paste", "iocs", "urls https", "productidis", "heur", "anonymizer", "adware", "ransomware", "fuery", "rostpay", "wacatac", "genkryptik", "qakbot", "asyncrat", "installcore", "downloader", "driverpack", "systweak", "encdoc", "kryptik", "bitrep", "killav", "t", "noname057", "keylogger", "spyware", "ip summary", "url summary", "generic", "blacklist http", "malicious url", "iframe", "seraph", "webcompanion", "facebook", "crack", "xtrat", "cleaner", "azorult", "service", "runescape", "emotet", "blacknet rat", "stealer", "coinminer", "dropper", "fakealert", "conduit", "softcnapp", "nircmd", "unruy", "filetour", "patcher", "adload", "junk data", "random domains", "random hosts", "tsara brashears", "target", "phi", "uchealth", "content generating", "Web generator", "installcore" ], "references": [ "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996/65642d5cfa9d60126100612e", "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://fireeyei.iowa.gov/", "http://michaela.young@uchealth.com/", "http://uchealth.com/physician/frank-avilucea/", "https://my.uchealth.com/myuchealth/Visits/VisitDetails?csn=WP-24%E2%80%A6FJ0JuA-3D-3D-24vasu1ISpMoMuqD8IMEos5jRZZFiBtfPMciW-2FFH52VaQ-3D", "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf", "https://my.uchealth.com/myuchealth/inside.asp?mode=visitsummary&submode=notes&csn=WP-24PtuJGFUkCkn9owS5DdIspw-3D-3D-24g6bhGYash%E2%80%A6", "https://www.energyvanguard.com/blog/59284/Guest-Post-The-Fatal-Flaw-in-Advanced-Framing-Part-1", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=", "https://www.wlafx4trk.com/cmp/33K48/5ZK2T/?source_id=95_1236_91dabe93-2a51-4b93-bfd3-4a4bd7e00ff3_31&sub1=4df5b890c55d4bdead5ba03dde982afa", "https://yugemobile.com/tracking?plcmntid=ym5002&imps=2dda8436-396e-4b37-a917-0cce11ffb623", "Found in http://kaplanmorrell.com/meet-kaplan-morrel/meet-ronda-cordova/", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net (b.link infringement)", "nr-data.net (Apple Private Data Collection)", "uapi-qa.stlouisfed.org (Hospital Metadata)", "abc7news.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "T", "display_name": "T", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "O.Gen", "display_name": "O.Gen", "target": null }, { "id": "DriverReviver", "display_name": "DriverReviver", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "XRAT", "display_name": "XRAT", "target": null }, { "id": "Keylogger", "display_name": "Keylogger", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "656457d8dfbb95a0be58b263", "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 789, "FileHash-SHA256": 5146, "SSLCertFingerprint": 2, "domain": 1794, "URL": 2130, "hostname": 1025, "FileHash-MD5": 1478, "CVE": 15 }, "indicator_count": 12379, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656aa406d0b8009df583c87c", "name": "PHI at risk? Infected Healthcare System? Masquerading", "description": "", "modified": "2023-12-27T06:00:26.403000", "created": "2023-12-02T03:27:02.624000", "tags": [ "windir", "json data", "getprocaddress", "localappdata", "ascii text", "temp", "unicode text", "indicator", "file", "pattern match", "path", "factory", "hybrid", "general", "detection list", "blacklist", "alexa top", "cisco umbrella", "site", "million", "safe site", "malware", "malicious site", "alexa", "phishing site", "malware site", "unsafe", "netsky", "malicious", "downldr", "raccoon", "redline stealer", "metastealer", "phishing", "cobalt strike", "icedid", "opencandy", "exploit", "riskware", "agent", "xrat", "download", "mimikatz", "quasar rat", "union", "team", "bank", "cve201711882", "vidar", "swrort", "win64", "suspicious", "deepscan", "trojanspy", "maltiverse", "united", "proxy", "firehol", "possiblecerber", "outlook", "covid19", "artemis", "generic malware", "tag count", "malware generic", "wed sep", "threat report", "summary", "sample", "samples", "first", "ssl certificate", "threat roundup", "whois record", "contacted", "historical ssl", "march", "referrer", "july", "historical", "whois whois", "june", "execution", "august", "copy", "april", "hacktool", "skynet", "threat analyzer", "threat", "paste", "iocs", "urls https", "productidis", "heur", "anonymizer", "adware", "ransomware", "fuery", "rostpay", "wacatac", "genkryptik", "qakbot", "asyncrat", "installcore", "downloader", "driverpack", "systweak", "encdoc", "kryptik", "bitrep", "killav", "t", "noname057", "keylogger", "spyware", "ip summary", "url summary", "generic", "blacklist http", "malicious url", "iframe", "seraph", "webcompanion", "facebook", "crack", "xtrat", "cleaner", "azorult", "service", "runescape", "emotet", "blacknet rat", "stealer", "coinminer", "dropper", "fakealert", "conduit", "softcnapp", "nircmd", "unruy", "filetour", "patcher", "adload", "junk data", "random domains", "random hosts", "tsara brashears", "target", "phi", "uchealth", "content generating", "Web generator", "installcore" ], "references": [ "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996/65642d5cfa9d60126100612e", "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://fireeyei.iowa.gov/", "http://michaela.young@uchealth.com/", "http://uchealth.com/physician/frank-avilucea/", "https://my.uchealth.com/myuchealth/Visits/VisitDetails?csn=WP-24%E2%80%A6FJ0JuA-3D-3D-24vasu1ISpMoMuqD8IMEos5jRZZFiBtfPMciW-2FFH52VaQ-3D", "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf", "https://my.uchealth.com/myuchealth/inside.asp?mode=visitsummary&submode=notes&csn=WP-24PtuJGFUkCkn9owS5DdIspw-3D-3D-24g6bhGYash%E2%80%A6", "https://www.energyvanguard.com/blog/59284/Guest-Post-The-Fatal-Flaw-in-Advanced-Framing-Part-1", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=", "https://www.wlafx4trk.com/cmp/33K48/5ZK2T/?source_id=95_1236_91dabe93-2a51-4b93-bfd3-4a4bd7e00ff3_31&sub1=4df5b890c55d4bdead5ba03dde982afa", "https://yugemobile.com/tracking?plcmntid=ym5002&imps=2dda8436-396e-4b37-a917-0cce11ffb623", "Found in http://kaplanmorrell.com/meet-kaplan-morrel/meet-ronda-cordova/", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net (b.link infringement)", "nr-data.net (Apple Private Data Collection)", "uapi-qa.stlouisfed.org (Hospital Metadata)", "abc7news.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "T", "display_name": "T", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "O.Gen", "display_name": "O.Gen", "target": null }, { "id": "DriverReviver", "display_name": "DriverReviver", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "XRAT", "display_name": "XRAT", "target": null }, { "id": "Keylogger", "display_name": "Keylogger", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "656457d8dfbb95a0be58b263", "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 789, "FileHash-SHA256": 5146, "SSLCertFingerprint": 2, "domain": 1794, "URL": 2130, "hostname": 1025, "FileHash-MD5": 1478, "CVE": 15 }, "indicator_count": 12379, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6561581c55aacc7f571968af", "name": "Mirai | Inmortal | Loki | SpyEye", "description": "attack, cyber threat, network, vehicle tracking, cnc, athena cyber stalking, betabot, social engineering, Cisco umbrella, bambernek simda, active threat, ongoing spreader, spyware, redline stealer, qakbot, anilise, milemighmedia, sweetheart videos botnetwork, targeting , redirects, network, targeted toyota tracking", "modified": "2023-12-25T01:00:05.300000", "created": "2023-11-25T02:12:44.278000", "tags": [ "replication", "date", "graph summary", "ssl certificate", "contacted", "whois record", "historical ssl", "threat roundup", "august", "tsara brashears", "whois whois", "execution", "dropped", "february", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "safe site", "million", "alexa top", "team", "malicious site", "malware", "phishing", "union", "bank", "unsafe", "united", "bambernek simda", "commerce", "pykspa", "bambernek", "ip reputation", "database", "vawtrak", "blacklist http", "search live", "api blog", "docs pricing", "login", "november", "de indicators", "domains", "hashes", "copyright", "gmbh version", "reverse dns", "software", "general full", "resource", "hash", "get h2", "protocol h2", "security tls", "url http", "main", "attention", "please", "adblock pro", "loki", "mon jul", "first", "linkid252669", "pjp3sltkz", "heur", "malware site", "phishing site", "artemis", "iframe", "riskware", "exploit", "fakealert", "nircmd", "swrort", "downldr", "crack", "filetour", "cleaner", "wacatac", "xtrat", "genkryptik", "opencandy", "tiggre", "presenoker", "agent", "conduit", "xrat", "coinminer", "dropper", "alexa", "acint", "systweak", "behav", "download", "zbot", "xtreme", "installcore", "unruy", "patcher", "adload", "win64", "applicunwnt", "trojanspy", "webtoolbar", "cyber threat", "engineering", "firehol", "phishtank", "emotet", "ransomware", "malicious", "cobalt strike", "suppobox", "bradesco", "facebook", "banco", "nymaim", "smsspy", "stealer", "service", "mirai", "pony", "nanocore", "asyncrat", "downloader", "deepscan", "virut", "qakbot", "name verdict", "falcon sandbox", "blacklist https", "malicious url", "filerepmetagen", "et cins", "active threat", "reputation ip", "threats et", "cins active", "poor reputation", "ip tcp", "C2", "command_and_control", "spyware", "tracking", "targeting", "cyber stalking", "hostname", "simda", "kraken", "betabot", "zeus", "ramnit", "plasma", "citadel", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "spyeye", "vskimmer", "spitmo", "slingshot", "warbot", "redline stealer", "steam", "bandoo", "matsnu", "maltiverse", "bambernek gen", "internet storm", "infy", "inmortal", "addtopayload", "attack", "malvertizing" ], "references": [ "https://networkpccontrol.com/video-player-1/?clickid=4030fe2twwhgxaa9&domain=standardtrackerchain.com&uclick=e2twwhgx&uclickhash=e2twwhgx-e2twwhgx-xoq53y-0-3zvc3y-oj1m9r-oj1m1n-5da44a", "https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45/65609b66e63f64cae305c749", "https://www.hybrid-analysis.com/sample/347314196559e7fbc75fc532daa774727b897d3a2156ea1328861f3b66f677a5/656146284d68f73e2306b6ad", "http://dev.findatoyota.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "MilesMX", "display_name": "MilesMX", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 81, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2450, "FileHash-SHA256": 2684, "domain": 1254, "URL": 9244, "CVE": 13, "FileHash-MD5": 931, "FileHash-SHA1": 487 }, "indicator_count": 17063, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "846 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65612df1531ea0c35d79b1f4", "name": "BlackNET RAT | CIArmyTracking: http://dev.findatoyota.com/", "description": "Source: http://dev.findatoyota.com/\ntracking, vehicle tracking, mobile phone tracking, active threat , warbot, target tracking, tracking targeted associates, network, cyber stalking, boomrmq string, malvertizing\n\n\nResource: https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45", "modified": "2023-12-24T22:02:36.942000", "created": "2023-11-24T23:12:49.909000", "tags": [ "adgroupid", "x350", "lwii", "ejan", "kfrontier", "qkvt0tvj ejan", "eja ota", "njii", "mqkvt0tvj ejan", "eqkoatlvqia", "unknown", "expiration", "no expiration", "url https", "url http", "iocs", "vj101", "slc1", "scan endpoints", "all octoseek", "create new", "uw1600", "uh1200", "next", "pulse use", "searchbox0", "kwwikipedia", "bit64", "oswindows", "cardstandard", "pack", "kw1download", "qchlemail no", "bit32bit", "ver9", "from", "mpass", "num0", "dig0", "kbetu1", "maxads0", "kld1040", "opnslfp1", "downloader", "pdf report", "clickid", "price", "campaignid", "domain", "text", "hostname", "aufffdufffd", "hostname xn", "pcap", "filehashsha256", "stix", "filehashmd5", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 805, "URL": 9065, "hostname": 3080, "FileHash-MD5": 1373, "domain": 1190, "FileHash-SHA256": 3468, "email": 6, "CIDR": 4, "CVE": 12 }, "indicator_count": 19003, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65612df2a7b287c614a94f94", "name": "BlackNET RAT | CIArmyTracking: http://dev.findatoyota.com/", "description": "Source: http://dev.findatoyota.com/\ntracking, vehicle tracking, mobile phone tracking, active threat , warbot, target tracking, tracking targeted associates, network, cyber stalking, boomrmq string, malvertizing\n\n\nResource: https://www.hybrid-analysis.com/sample/ea8a341cbd3666af7bfce260d86b465844314d86faba75c80eab3ce4d3bc3b45", "modified": "2023-12-24T22:02:36.942000", "created": "2023-11-24T23:12:50.158000", "tags": [ "adgroupid", "x350", "lwii", "ejan", "kfrontier", "qkvt0tvj ejan", "eja ota", "njii", "mqkvt0tvj ejan", "eqkoatlvqia", "unknown", "expiration", "no expiration", "url https", "url http", "iocs", "vj101", "slc1", "scan endpoints", "all octoseek", "create new", "uw1600", "uh1200", "next", "pulse use", "searchbox0", "kwwikipedia", "bit64", "oswindows", "cardstandard", "pack", "kw1download", "qchlemail no", "bit32bit", "ver9", "from", "mpass", "num0", "dig0", "kbetu1", "maxads0", "kld1040", "opnslfp1", "downloader", "pdf report", "clickid", "price", "campaignid", "domain", "text", "hostname", "aufffdufffd", "hostname xn", "pcap", "filehashsha256", "stix", "filehashmd5", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 805, "URL": 9065, "hostname": 3080, "FileHash-MD5": 1373, "domain": 1190, "FileHash-SHA256": 3468, "email": 6, "CIDR": 4, "CVE": 12 }, "indicator_count": 19003, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656e19dfeee6ead11dc6354e", "name": "BlackNET RAT | CIArmyTracking: http://dev.findatoyota.com/", "description": "", "modified": "2023-12-24T22:02:36.942000", "created": "2023-12-04T18:26:39.448000", "tags": [ "adgroupid", "x350", "lwii", "ejan", "kfrontier", "qkvt0tvj ejan", "eja ota", "njii", "mqkvt0tvj ejan", "eqkoatlvqia", "unknown", "expiration", "no expiration", "url https", "url http", "iocs", "vj101", "slc1", "scan endpoints", "all octoseek", "create new", "uw1600", "uh1200", "next", "pulse use", "searchbox0", "kwwikipedia", "bit64", "oswindows", "cardstandard", "pack", "kw1download", "qchlemail no", "bit32bit", "ver9", "from", "mpass", "num0", "dig0", "kbetu1", "maxads0", "kld1040", "opnslfp1", "downloader", "pdf report", "clickid", "price", "campaignid", "domain", "text", "hostname", "aufffdufffd", "hostname xn", "pcap", "filehashsha256", "stix", "filehashmd5", "filehashsha1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65612df2a7b287c614a94f94", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 805, "URL": 9065, "hostname": 3080, "FileHash-MD5": 1373, "domain": 1190, "FileHash-SHA256": 3468, "email": 6, "CIDR": 4, "CVE": 12 }, "indicator_count": 19003, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "847 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.captcha.eu", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.captcha.eu", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776641683.8957982 }