{ "type": "URL", "indicator": "https://www.corrosiontests.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.corrosiontests.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3840116705, "indicator": "https://www.corrosiontests.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "66246ff49ed29ea9bb2bf122", "name": "S\u0105d Rejonowy w Jeleniej Gorze POLAND", "description": "Przechowywania lub dost\u0119pu do plik\u00f3w cookies w Twojej przegl\u0105darce\nhttps://www.virustotal.com/gui/domain/jelenia-gora.sr.gov.pl/relations", "modified": "2025-05-14T21:18:36.989000", "created": "2024-04-21T01:46:28.554000", "tags": [ "jeleniej grze", "aktualnoci", "informacje", "jednostka", "rejonowy", "konkurs", "najczciej", "sd rejonowy", "przejd", "czytaj", "click", "sdzia jarosaw", "wydziau", "sdzia grzegorz", "katarzyna", "rudnicka dane", "kontaktowe sd", "jelenia gra", "mickiewicza", "zawarto", "html", "nazwa meta", "robotw", "telefon", "brak", "skala", "ua zgodna", "head body", "zasb", "cname", "kod odpowiedzi", "kodowanie treci", "wygasa", "gmt serwer", "pragma", "kontrola pamici", "podrcznej", "data", "gmt kontrola", "dostpuzezwl na", "czytaj wicej", "sd okrgowy", "jednostki", "okrgowy", "ogoszenia", "sha256", "vhash", "ssdeep", "https odcisk", "palca jarma", "https dane", "v3 numer", "odcisk palca", "tworzy katalog", "tworzy pliki", "typ pliku", "json", "ascii", "windows", "sqlite", "foxpro fpt", "links typ", "mapa", "152 x", "sqlite w", "sha1", "sha512", "file size", "b file", "testing", "komornik sdowy", "sdzie rejonowym", "tomasz rodacki", "obwieszczenie", "komornicze", "tumacza migam", "tumacz czynny", "zamknite", "wiadczenia", "schedule", "error", "javascript", "bakers hall", "ixaction", "script", "ixchatlauncher", "compatibility", "com dla", "t1055 pewno", "unikanie obrony", "t1036 maskarada", "t1082 pewno", "informacje o", "nazwa pliku", "dokument pdf", "rozmiar pliku", "zapowied", "type", "iii dbt", "utf8", "dziennik" ], "references": [ "S?d Rejonowy w Jeleniej G\u00f3rze.htm", "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm", "http://www.jelenia-gora.so.gov.pl/", "https://www.jelenia-gora.so.gov.pl/", "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze", "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora", "https://www.jelenia-gora.sr.gov.pl/spacer", "https://waf.intelix.pl/957476/Chat/Script/Compatibility" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null }, { "id": "serwer", "display_name": "serwer", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 71, "domain": 7651, "hostname": 7680, "IPv4": 331, "FileHash-SHA256": 16168, "URL": 10399, "FileHash-MD5": 3639, "FileHash-SHA1": 3468, "CIDR": 4, "CVE": 89, "YARA": 521, "SSLCertFingerprint": 25, "JA3": 1, "IPv6": 5813 }, "indicator_count": 55860, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cd05cd3c9d0cc0b9ed215f", "name": "Emotet - https://www.gambinospizza.com | Brian Sabey \u2022 HallRender", "description": "\u2022Emotet botnets were observed dropping Trickbot to deliver ransomware payloads against some victims and Qakbot Trojans to steal banking credentials and data from other targets.\n\n\u2022Scammer 'Attorney' Brian Sabey | HallRender associated ; utilizes every form of social engineering to gain full access to phone numbers, email, banking, network, relatives, contacts, PHI, PII, modifies services.\n.", "modified": "2024-04-15T08:03:32.381000", "created": "2024-02-14T18:26:21.427000", "tags": [ "united", "unknown", "status", "sec ch", "as44273 host", "search", "aaaa", "showing", "ch ua", "record value", "ssl certificate", "threat roundup", "contacted", "communicating", "historical ssl", "referrer", "resolutions", "http", "execution", "gopher", "pattern match", "breakpoint", "command decode", "desktop", "base", "gambino", "pizza", "suricata ipv4", "mitre att", "date", "meta", "footer", "february", "general", "model", "comspec", "click", "strings", "main", "brian sabey", "hallrender", "trojan", "worm", "frankfurt", "germany", "asn15169", "google", "asn16509", "amazon02", "asn396982", "kansas city", "franchise url", "gmbh version", "status page", "service privacy", "legal", "impressum", "reverse dns", "general full", "url https", "resource", "hash", "protocol h2", "asn13335", "cloudflarenet", "software", "domains", "hashes", "learn", "issues tab", "value", "variables", "typeof function", "topropertykey", "bricksintersect", "bricksfunction", "domainpath name", "request chain", "chain", "nl page", "url history", "javascript", "page url", "redirected", "poweshell", "bruschettab", "mobsterstageda", "calzonec", "threat analyzer", "threat", "paste", "iocs", "hostnames", "beefpizzac", "superitaliansub", "cname", "msie", "chrome", "asnone united", "as6336 turn", "nxdomain", "whitelisted", "creation date", "turn", "body", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "registrar abuse", "iana id", "registrar url", "registrar whois", "contact email", "registry domain", "contact phone", "dnssec", "code", "type name", "win32 exe", "recreation", "whois record", "infected", "page dow", "poser", "scammer", "security", "malvertizing", "betting", "illegal activity", "linux", "teen porn", "child exploitation", "script urls", "a domains", "as10796 charter", "find your", "next franchise", "x content", "backend", "as13768 aptum", "moved", "passive dns", "urls", "as2635", "as14061", "scan endpoints", "all octoseek", "url http", "pulse pulses", "ip address", "related nids", "files location", "date hash", "avast avg", "nastya", "entries", "emotet", "windows nt", "show", "etpro trojan", "channel", "artemis", "medium", "delete", "copy", "virustotal", "trojan", "write", "trojanproxy", "vipre", "panda", "malware", "malware infection", "dga", "algorithm generated domains", "command and control", "pe32 executable", "tag", "tagging", "porn tagging", "as3356 level", "tahoma arial", "servers", "as1136 kpn", "next", "et", "remote", "confirm http", "sectrack", "openssl", "fulldisc", "secunia", "confirm https", "openssl tls", "multiple", "remote", "misc https", "impact", "heartbleed", "external source", "name hyperlink", "hp hpsbmu02998", "hp hpsbmu03019", "hp hpsbmu03030", "hp hpsbmu03018", "title", "lowfi", "title error", "body doctype", "html public", "w3cdtd html", "html head", "mozilla", "720.282.2025", "masquerading", "ninite feb", "mtb feb", "telper", "trojandropper", "ninite", "create c", "read c", "default", "create", "unicode", "dock", "xport" ], "references": [ "www.gambinospizza.com", "0qMrDxlbqY9THmtdz56XQ2fTe-p9H49lftTmBXmn1WY9Z16q1vJdZdjO5Wnq_Pn3gEAAP__hu8yPQ", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496 \u2022 apps.apple.com", "https://play.google.com/store/apps/details?id=com.e9117073d4e0.www", "targeting.unrulymedia.com \u2022 http://theteenhealthdoc.com", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg \u2022 https://www.hallrender.com/xmlrpc.php?rsd", "https://teenlist.toplistcreator.eu/in.php?nr=15170//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu", "http://fboomporn.com/teens/51826-gloryholeswallow-flora-floras-1st-gloryhole-visit-fullhd-1080p.html \u2022 teenystar18.toplistcreator.eu", "theteenhealthdoc.com \u2022 http://jailbait.toplistcreator.eu/link.php?link=teenystar18.toplistcreator.eu&nr=522 \u2022 franchisefifteen.com", "https://fboomporn.com/engine/opensearch.php \u2022 http://porn.hub-accessories.site/ \u2022 https://pic.porn.hub-accessories.site", "http://porn.toplistcreator.eu/in.php", "ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t\t\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.63", "Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.10", "https://tag.1rx.io/rmp/215626/0/mvo?z=1r&hbv=8.16,2.1\ttag.1rx.io \u2022 192.208.222.110", "http://email.acm.mg.hydrantid.com/c/eJxUyTGygyAQBuDTQMksPyhYULzGe-C6LzCKOoYmt88kXdrvWxPlEJ3TkmygcbQBHrokFk-R4WwexpBl-J8Ce8uygBdeJqtrAsGTdWQB8jA0yQDEL0qMrD", "CVE-2014-0160 \u2022 CVE-2017-11882", "a17-250-248-150.www.bing.com \u2022 appledirectory.www.bing.com", "animate-citadel-t3gbc9x3gzd7invrzh8w00zm.herokudns.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Comspec", "display_name": "Trojan:Win32/Comspec", "target": "/malware/Trojan:Win32/Comspec" }, { "id": "XLS:Nastya\\ [Trj]", "display_name": "XLS:Nastya\\ [Trj]", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Crypt4.YGM", "display_name": "Crypt4.YGM", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Heartbleed Bug", "display_name": "Heartbleed Bug", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 118, "FileHash-SHA1": 106, "domain": 3271, "hostname": 2451, "URL": 8652, "email": 8, "FileHash-SHA256": 3153, "CVE": 4 }, "indicator_count": 17763, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "734 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e1bcdc0a1e68182c252028", "name": "Activity Kotlin Extensions | Cryptor | Zombie Device | Network CnC", "description": "Remotely modified android device. Hidden users with full command and control. Network CnC Enables, microphone, camera, photos, screen recorder, login privileges, blocks and records calls, texts, forces updates, all services modified, Device is a zombie. \nAndroid phone behavior: Linux + Android over Chrome with Safari browser. Operated by a Lenovo K Tablet. Excessive Tracking . Pegasus relationships found. M. Brian Sabey related. Hidden users/user has all privileges of device owner. Threat actor possesses far more knowledge, uses device for malicious purposes, downloads porn in background. USA registrant. US target. DGA domains found. Evades detection.", "modified": "2024-03-31T11:04:36.813000", "created": "2024-03-01T11:32:44.504000", "tags": [ "communicating", "contacted", "android", "execution", "plugx", "threat", "iocs", "analyze", "urls http", "google llc", "server", "registrar abuse", "registrar iana", "us registrant", "date", "passive dns", "all octoseek", "http", "ip address", "related nids", "files location", "nsis", "network icmp", "read c", "entries", "search", "create c", "ddlr ltd", "write c", "sat may", "pe32", "intel", "write", "status", "urls", "creation date", "type", "hostname", "kotlin", "precreate read", "infotip read", "js user", "trojan", "ununtu", "linux", "module load", "t1129", "show", "copy", "win32", "malware", "as15169 google", "united", "unknown", "aaaa", "name servers", "showing", "error", "query", "default", "large dns", "malware dns", "msie", "windows nt", "february", "yara detections", "vbmod", "endpoints all", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "recon_fingerprint", "dead_host", "nolookup_communication", "antidbg_windows", "antivm_generic_bios", "browser_security", "modifies_certificates", "network_cnc_http", "network_http", "allocates_rwx", "antisandbox_sleep", "creates_exe", "exe_appdata", "dropper", "protection_rx", "antivm_network_adapters", "antivm_memory_available", "pe_features", "checks_debugger", "address", "domains ii", "servers", "set cookie", "next", "chrome", "record value", "body", "meta", "taiwan", "as3462", "as17421", "files", "dcbg", "direct search network", "spyware", "brian sabey", "norad tracking", "zombie", "scanning host", "apple", "ios", "lenovo", "cyber crime", "framing", "process32nextw", "regsetvalueexa", "tlsv1", "regopenkeyexw", "regdword", "loader", "suspicious", "persistence" ], "references": [ "xxx.developer.android.com", "Activity Kotlin Extensions (1.1.0) Tracking \u2022 Modification Privileges \u2022 Remote Install \u2022 Enable Camera \u2022 Enable Microphone \u2022 User w/Login Privileges \u2022 Picasa", "Package Manager: Maven Project URL: https://developer.android.com/jetpack/androidx/releases/activity#1.6.0-alpha01", "Win.Malware.Agent-6386296-0 FileHash-MD5: c7f6ed56312c8fbb58ae6ed445c38df4 | Win32:Adware-gen\\ [Adw]", "Win.Malware.Agent-6386296-0 FileHash-MD5: e02dbf5d1576e6c9d7d773a588b9b9ee", "Win.Malware.Agent-6386296-0 FileHash-SHA1: 466bbfcf0444b6406431f672aaa5ecfcca759379", "Win.Malware.Agent-6386296-0 FileHash-SHA1: e2dba94ef052db774478b9f7198c1a2298b334e5", "Win.Malware.Agent-6386296-0 FileHash-SHA256: 0000ada3e6821c011fd53a94e5a5d9a777a02b1c4cd087f1c51de9e0ad9023e3", "Win.Malware.Agent-6386296-0 FileHash-SHA256: fdb8452173a4f116f6e362ab5466c3c16bf6697502fe3d01db0d82f0e339de24 | Win32:Adware-gen\\ [Adw] ,", "https://otx.alienvault.com/indicator/file/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "Large DNS Query possible covert channel\t192.168.56.101", "Yara Detections: MS_Visual_Basic_6_0 , vad_contains_network_strings , EXECryptor2223compressedcodewwwstrongbitcom , EXECryptor2223protectedIAT , EXECryptor224StrongbitSoftCompleteDevelopmenth3 , EXECryptor2xxmaxcompressedresources ,", "Yara Detections Nullsoft_NSIS | Yara Detections: EXECryptorV22Xsoftcompletecom", "114-45-52-152.dynamic-ip.hinet.net\u2192.hinet.net | Domain has its own nameserver", "track.adminresourceupdate.com \u2022 postracking100.online", "2.746.1.iphone.com.unicostudio.braintest.adsenseformobileapps.com", "http://ecm.mobileboost.me/wapnt.php?id=368&publisher=headway&trackingId=1812131619a57bf1c1da8138&canal=offportal&source=001640_155:::cf1a3fda0", "http://mobileboost.me/APIS/WAPNT/wapnt.php?pageId=174&sec=334779&carrier=11&publisher=headway&aff_sub=18040118a49dafc70f463df8&source=000325_339", "mobile.detectivesoliver.com \u2022 callback.mobileboost.me", "IDS Detections: Playtech Installer PUP/Adware Playtech Downloader Online Gaming Checkin Suspicious User-Agent containing Loader Observed C: \\\\ filepath observed in HTTP header", "Yara Detections: stack_string , ConventionEngine_Keyword_Install , research_pe_signed_outside_timestamp , xor_0x20_xord_javascript" ], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Agent-6386296-0", "display_name": "Win.Malware.Agent-6386296-0", "target": null }, { "id": "#Lowfi:Trojan:JS/Auto59", "display_name": "#Lowfi:Trojan:JS/Auto59", "target": null }, { "id": "Win32:VBMod\\ [Trj]", "display_name": "Win32:VBMod\\ [Trj]", "target": null }, { "id": "!EXECryptor_2.x.x", "display_name": "!EXECryptor_2.x.x", "target": null }, { "id": "Win32:VBMod\\ [Trj]", "display_name": "Win32:VBMod\\ [Trj]", "target": null }, { "id": "Win.Trojan.5229994-1", "display_name": "Win.Trojan.5229994-1", "target": null }, { "id": "Taiwan", "display_name": "Taiwan", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1399", "name": "Modify Trusted Execution Environment", "display_name": "T1399 - Modify Trusted Execution Environment" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [ "Civil Society", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 636, "FileHash-SHA1": 402, "FileHash-SHA256": 1126, "URL": 3482, "domain": 1192, "hostname": 1324, "email": 7, "SSLCertFingerprint": 2 }, "indicator_count": 8171, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "749 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Win.Malware.Agent-6386296-0 FileHash-SHA1: 466bbfcf0444b6406431f672aaa5ecfcca759379", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg \u2022 https://www.hallrender.com/xmlrpc.php?rsd", "Win.Malware.Agent-6386296-0 FileHash-SHA1: e2dba94ef052db774478b9f7198c1a2298b334e5", "Win.Malware.Agent-6386296-0 FileHash-SHA256: 0000ada3e6821c011fd53a94e5a5d9a777a02b1c4cd087f1c51de9e0ad9023e3", "Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.10", "Yara Detections: MS_Visual_Basic_6_0 , vad_contains_network_strings , EXECryptor2223compressedcodewwwstrongbitcom , EXECryptor2223protectedIAT , EXECryptor224StrongbitSoftCompleteDevelopmenth3 , EXECryptor2xxmaxcompressedresources ,", "http://email.acm.mg.hydrantid.com/c/eJxUyTGygyAQBuDTQMksPyhYULzGe-C6LzCKOoYmt88kXdrvWxPlEJ3TkmygcbQBHrokFk-R4WwexpBl-J8Ce8uygBdeJqtrAsGTdWQB8jA0yQDEL0qMrD", "114-45-52-152.dynamic-ip.hinet.net\u2192.hinet.net | Domain has its own nameserver", "http://mobileboost.me/APIS/WAPNT/wapnt.php?pageId=174&sec=334779&carrier=11&publisher=headway&aff_sub=18040118a49dafc70f463df8&source=000325_339", "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm", "https://waf.intelix.pl/957476/Chat/Script/Compatibility", "theteenhealthdoc.com \u2022 http://jailbait.toplistcreator.eu/link.php?link=teenystar18.toplistcreator.eu&nr=522 \u2022 franchisefifteen.com", "CVE-2014-0160 \u2022 CVE-2017-11882", "Yara Detections: stack_string , ConventionEngine_Keyword_Install , research_pe_signed_outside_timestamp , xor_0x20_xord_javascript", "https://www.jelenia-gora.so.gov.pl/", "Large DNS Query possible covert channel\t192.168.56.101", "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora", "Yara Detections Nullsoft_NSIS | Yara Detections: EXECryptorV22Xsoftcompletecom", "http://ecm.mobileboost.me/wapnt.php?id=368&publisher=headway&trackingId=1812131619a57bf1c1da8138&canal=offportal&source=001640_155:::cf1a3fda0", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "https://www.jelenia-gora.sr.gov.pl/spacer", "xxx.developer.android.com", "https://otx.alienvault.com/indicator/file/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "mobile.detectivesoliver.com \u2022 callback.mobileboost.me", "https://teenlist.toplistcreator.eu/in.php?nr=15170//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu", "2.746.1.iphone.com.unicostudio.braintest.adsenseformobileapps.com", "a17-250-248-150.www.bing.com \u2022 appledirectory.www.bing.com", "animate-citadel-t3gbc9x3gzd7invrzh8w00zm.herokudns.com", "IDS Detections: Playtech Installer PUP/Adware Playtech Downloader Online Gaming Checkin Suspicious User-Agent containing Loader Observed C: \\\\ filepath observed in HTTP header", "Activity Kotlin Extensions (1.1.0) Tracking \u2022 Modification Privileges \u2022 Remote Install \u2022 Enable Camera \u2022 Enable Microphone \u2022 User w/Login Privileges \u2022 Picasa", "http://fboomporn.com/teens/51826-gloryholeswallow-flora-floras-1st-gloryhole-visit-fullhd-1080p.html \u2022 teenystar18.toplistcreator.eu", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "http://porn.toplistcreator.eu/in.php", "ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t\t\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.63", "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze", "https://tag.1rx.io/rmp/215626/0/mvo?z=1r&hbv=8.16,2.1\ttag.1rx.io \u2022 192.208.222.110", "S?d Rejonowy w Jeleniej G\u00f3rze.htm", "http://www.jelenia-gora.so.gov.pl/", "https://play.google.com/store/apps/details?id=com.e9117073d4e0.www", "Win.Malware.Agent-6386296-0 FileHash-MD5: c7f6ed56312c8fbb58ae6ed445c38df4 | Win32:Adware-gen\\ [Adw]", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496 \u2022 apps.apple.com", "www.gambinospizza.com", "targeting.unrulymedia.com \u2022 http://theteenhealthdoc.com", "https://fboomporn.com/engine/opensearch.php \u2022 http://porn.hub-accessories.site/ \u2022 https://pic.porn.hub-accessories.site", "Win.Malware.Agent-6386296-0 FileHash-SHA256: fdb8452173a4f116f6e362ab5466c3c16bf6697502fe3d01db0d82f0e339de24 | Win32:Adware-gen\\ [Adw] ,", "0qMrDxlbqY9THmtdz56XQ2fTe-p9H49lftTmBXmn1WY9Z16q1vJdZdjO5Wnq_Pn3gEAAP__hu8yPQ", "track.adminresourceupdate.com \u2022 postracking100.online", "Package Manager: Maven Project URL: https://developer.android.com/jetpack/androidx/releases/activity#1.6.0-alpha01", "Win.Malware.Agent-6386296-0 FileHash-MD5: e02dbf5d1576e6c9d7d773a588b9b9ee" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "[Unnamed group]" ], "malware_families": [ "", "Et", "Sabey", "Win.trojan.5229994-1", "Zbot", "Xls:nastya\\ [trj]", "Emotet", "Crypt4.ygm", "Win32:vbmod\\ [trj]", "Serwer", "#lowfi:trojan:js/auto59", "Taiwan", "Win.malware.agent-6386296-0", "Heartbleed bug", "!execryptor_2.x.x", "Trojan:win32/comspec" ], "industries": [ "Telecommunications", "Civil society" ], "unique_indicators": 74173 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/corrosiontests.com", "whois": "http://whois.domaintools.com/corrosiontests.com", "domain": "corrosiontests.com", "hostname": "www.corrosiontests.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "66246ff49ed29ea9bb2bf122", "name": "S\u0105d Rejonowy w Jeleniej Gorze POLAND", "description": "Przechowywania lub dost\u0119pu do plik\u00f3w cookies w Twojej przegl\u0105darce\nhttps://www.virustotal.com/gui/domain/jelenia-gora.sr.gov.pl/relations", "modified": "2025-05-14T21:18:36.989000", "created": "2024-04-21T01:46:28.554000", "tags": [ "jeleniej grze", "aktualnoci", "informacje", "jednostka", "rejonowy", "konkurs", "najczciej", "sd rejonowy", "przejd", "czytaj", "click", "sdzia jarosaw", "wydziau", "sdzia grzegorz", "katarzyna", "rudnicka dane", "kontaktowe sd", "jelenia gra", "mickiewicza", "zawarto", "html", "nazwa meta", "robotw", "telefon", "brak", "skala", "ua zgodna", "head body", "zasb", "cname", "kod odpowiedzi", "kodowanie treci", "wygasa", "gmt serwer", "pragma", "kontrola pamici", "podrcznej", "data", "gmt kontrola", "dostpuzezwl na", "czytaj wicej", "sd okrgowy", "jednostki", "okrgowy", "ogoszenia", "sha256", "vhash", "ssdeep", "https odcisk", "palca jarma", "https dane", "v3 numer", "odcisk palca", "tworzy katalog", "tworzy pliki", "typ pliku", "json", "ascii", "windows", "sqlite", "foxpro fpt", "links typ", "mapa", "152 x", "sqlite w", "sha1", "sha512", "file size", "b file", "testing", "komornik sdowy", "sdzie rejonowym", "tomasz rodacki", "obwieszczenie", "komornicze", "tumacza migam", "tumacz czynny", "zamknite", "wiadczenia", "schedule", "error", "javascript", "bakers hall", "ixaction", "script", "ixchatlauncher", "compatibility", "com dla", "t1055 pewno", "unikanie obrony", "t1036 maskarada", "t1082 pewno", "informacje o", "nazwa pliku", "dokument pdf", "rozmiar pliku", "zapowied", "type", "iii dbt", "utf8", "dziennik" ], "references": [ "S?d Rejonowy w Jeleniej G\u00f3rze.htm", "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm", "http://www.jelenia-gora.so.gov.pl/", "https://www.jelenia-gora.so.gov.pl/", "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze", "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora", "https://www.jelenia-gora.sr.gov.pl/spacer", "https://waf.intelix.pl/957476/Chat/Script/Compatibility" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null }, { "id": "serwer", "display_name": "serwer", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 71, "domain": 7651, "hostname": 7680, "IPv4": 331, "FileHash-SHA256": 16168, "URL": 10399, "FileHash-MD5": 3639, "FileHash-SHA1": 3468, "CIDR": 4, "CVE": 89, "YARA": 521, "SSLCertFingerprint": 25, "JA3": 1, "IPv6": 5813 }, "indicator_count": 55860, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cd05cd3c9d0cc0b9ed215f", "name": "Emotet - https://www.gambinospizza.com | Brian Sabey \u2022 HallRender", "description": "\u2022Emotet botnets were observed dropping Trickbot to deliver ransomware payloads against some victims and Qakbot Trojans to steal banking credentials and data from other targets.\n\n\u2022Scammer 'Attorney' Brian Sabey | HallRender associated ; utilizes every form of social engineering to gain full access to phone numbers, email, banking, network, relatives, contacts, PHI, PII, modifies services.\n.", "modified": "2024-04-15T08:03:32.381000", "created": "2024-02-14T18:26:21.427000", "tags": [ "united", "unknown", "status", "sec ch", "as44273 host", "search", "aaaa", "showing", "ch ua", "record value", "ssl certificate", "threat roundup", "contacted", "communicating", "historical ssl", "referrer", "resolutions", "http", "execution", "gopher", "pattern match", "breakpoint", "command decode", "desktop", "base", "gambino", "pizza", "suricata ipv4", "mitre att", "date", "meta", "footer", "february", "general", "model", "comspec", "click", "strings", "main", "brian sabey", "hallrender", "trojan", "worm", "frankfurt", "germany", "asn15169", "google", "asn16509", "amazon02", "asn396982", "kansas city", "franchise url", "gmbh version", "status page", "service privacy", "legal", "impressum", "reverse dns", "general full", "url https", "resource", "hash", "protocol h2", "asn13335", "cloudflarenet", "software", "domains", "hashes", "learn", "issues tab", "value", "variables", "typeof function", "topropertykey", "bricksintersect", "bricksfunction", "domainpath name", "request chain", "chain", "nl page", "url history", "javascript", "page url", "redirected", "poweshell", "bruschettab", "mobsterstageda", "calzonec", "threat analyzer", "threat", "paste", "iocs", "hostnames", "beefpizzac", "superitaliansub", "cname", "msie", "chrome", "asnone united", "as6336 turn", "nxdomain", "whitelisted", "creation date", "turn", "body", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "server", "registrar abuse", "iana id", "registrar url", "registrar whois", "contact email", "registry domain", "contact phone", "dnssec", "code", "type name", "win32 exe", "recreation", "whois record", "infected", "page dow", "poser", "scammer", "security", "malvertizing", "betting", "illegal activity", "linux", "teen porn", "child exploitation", "script urls", "a domains", "as10796 charter", "find your", "next franchise", "x content", "backend", "as13768 aptum", "moved", "passive dns", "urls", "as2635", "as14061", "scan endpoints", "all octoseek", "url http", "pulse pulses", "ip address", "related nids", "files location", "date hash", "avast avg", "nastya", "entries", "emotet", "windows nt", "show", "etpro trojan", "channel", "artemis", "medium", "delete", "copy", "virustotal", "trojan", "write", "trojanproxy", "vipre", "panda", "malware", "malware infection", "dga", "algorithm generated domains", "command and control", "pe32 executable", "tag", "tagging", "porn tagging", "as3356 level", "tahoma arial", "servers", "as1136 kpn", "next", "et", "remote", "confirm http", "sectrack", "openssl", "fulldisc", "secunia", "confirm https", "openssl tls", "multiple", "remote", "misc https", "impact", "heartbleed", "external source", "name hyperlink", "hp hpsbmu02998", "hp hpsbmu03019", "hp hpsbmu03030", "hp hpsbmu03018", "title", "lowfi", "title error", "body doctype", "html public", "w3cdtd html", "html head", "mozilla", "720.282.2025", "masquerading", "ninite feb", "mtb feb", "telper", "trojandropper", "ninite", "create c", "read c", "default", "create", "unicode", "dock", "xport" ], "references": [ "www.gambinospizza.com", "0qMrDxlbqY9THmtdz56XQ2fTe-p9H49lftTmBXmn1WY9Z16q1vJdZdjO5Wnq_Pn3gEAAP__hu8yPQ", "https://apps.apple.com/us/app/gambinos-pizza/id1500338496 \u2022 apps.apple.com", "https://play.google.com/store/apps/details?id=com.e9117073d4e0.www", "targeting.unrulymedia.com \u2022 http://theteenhealthdoc.com", "https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&", "https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg \u2022 https://www.hallrender.com/xmlrpc.php?rsd", "https://teenlist.toplistcreator.eu/in.php?nr=15170//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu", "http://fboomporn.com/teens/51826-gloryholeswallow-flora-floras-1st-gloryhole-visit-fullhd-1080p.html \u2022 teenystar18.toplistcreator.eu", "theteenhealthdoc.com \u2022 http://jailbait.toplistcreator.eu/link.php?link=teenystar18.toplistcreator.eu&nr=522 \u2022 franchisefifteen.com", "https://fboomporn.com/engine/opensearch.php \u2022 http://porn.hub-accessories.site/ \u2022 https://pic.porn.hub-accessories.site", "http://porn.toplistcreator.eu/in.php", "ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t\t\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.63", "Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.10", "https://tag.1rx.io/rmp/215626/0/mvo?z=1r&hbv=8.16,2.1\ttag.1rx.io \u2022 192.208.222.110", "http://email.acm.mg.hydrantid.com/c/eJxUyTGygyAQBuDTQMksPyhYULzGe-C6LzCKOoYmt88kXdrvWxPlEJ3TkmygcbQBHrokFk-R4WwexpBl-J8Ce8uygBdeJqtrAsGTdWQB8jA0yQDEL0qMrD", "CVE-2014-0160 \u2022 CVE-2017-11882", "a17-250-248-150.www.bing.com \u2022 appledirectory.www.bing.com", "animate-citadel-t3gbc9x3gzd7invrzh8w00zm.herokudns.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Comspec", "display_name": "Trojan:Win32/Comspec", "target": "/malware/Trojan:Win32/Comspec" }, { "id": "XLS:Nastya\\ [Trj]", "display_name": "XLS:Nastya\\ [Trj]", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Crypt4.YGM", "display_name": "Crypt4.YGM", "target": null }, { "id": "ZBot", "display_name": "ZBot", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Heartbleed Bug", "display_name": "Heartbleed Bug", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 118, "FileHash-SHA1": 106, "domain": 3271, "hostname": 2451, "URL": 8652, "email": 8, "FileHash-SHA256": 3153, "CVE": 4 }, "indicator_count": 17763, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "734 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e1bcdc0a1e68182c252028", "name": "Activity Kotlin Extensions | Cryptor | Zombie Device | Network CnC", "description": "Remotely modified android device. Hidden users with full command and control. Network CnC Enables, microphone, camera, photos, screen recorder, login privileges, blocks and records calls, texts, forces updates, all services modified, Device is a zombie. \nAndroid phone behavior: Linux + Android over Chrome with Safari browser. Operated by a Lenovo K Tablet. Excessive Tracking . Pegasus relationships found. M. Brian Sabey related. Hidden users/user has all privileges of device owner. Threat actor possesses far more knowledge, uses device for malicious purposes, downloads porn in background. USA registrant. US target. DGA domains found. Evades detection.", "modified": "2024-03-31T11:04:36.813000", "created": "2024-03-01T11:32:44.504000", "tags": [ "communicating", "contacted", "android", "execution", "plugx", "threat", "iocs", "analyze", "urls http", "google llc", "server", "registrar abuse", "registrar iana", "us registrant", "date", "passive dns", "all octoseek", "http", "ip address", "related nids", "files location", "nsis", "network icmp", "read c", "entries", "search", "create c", "ddlr ltd", "write c", "sat may", "pe32", "intel", "write", "status", "urls", "creation date", "type", "hostname", "kotlin", "precreate read", "infotip read", "js user", "trojan", "ununtu", "linux", "module load", "t1129", "show", "copy", "win32", "malware", "as15169 google", "united", "unknown", "aaaa", "name servers", "showing", "error", "query", "default", "large dns", "malware dns", "msie", "windows nt", "february", "yara detections", "vbmod", "endpoints all", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "recon_fingerprint", "dead_host", "nolookup_communication", "antidbg_windows", "antivm_generic_bios", "browser_security", "modifies_certificates", "network_cnc_http", "network_http", "allocates_rwx", "antisandbox_sleep", "creates_exe", "exe_appdata", "dropper", "protection_rx", "antivm_network_adapters", "antivm_memory_available", "pe_features", "checks_debugger", "address", "domains ii", "servers", "set cookie", "next", "chrome", "record value", "body", "meta", "taiwan", "as3462", "as17421", "files", "dcbg", "direct search network", "spyware", "brian sabey", "norad tracking", "zombie", "scanning host", "apple", "ios", "lenovo", "cyber crime", "framing", "process32nextw", "regsetvalueexa", "tlsv1", "regopenkeyexw", "regdword", "loader", "suspicious", "persistence" ], "references": [ "xxx.developer.android.com", "Activity Kotlin Extensions (1.1.0) Tracking \u2022 Modification Privileges \u2022 Remote Install \u2022 Enable Camera \u2022 Enable Microphone \u2022 User w/Login Privileges \u2022 Picasa", "Package Manager: Maven Project URL: https://developer.android.com/jetpack/androidx/releases/activity#1.6.0-alpha01", "Win.Malware.Agent-6386296-0 FileHash-MD5: c7f6ed56312c8fbb58ae6ed445c38df4 | Win32:Adware-gen\\ [Adw]", "Win.Malware.Agent-6386296-0 FileHash-MD5: e02dbf5d1576e6c9d7d773a588b9b9ee", "Win.Malware.Agent-6386296-0 FileHash-SHA1: 466bbfcf0444b6406431f672aaa5ecfcca759379", "Win.Malware.Agent-6386296-0 FileHash-SHA1: e2dba94ef052db774478b9f7198c1a2298b334e5", "Win.Malware.Agent-6386296-0 FileHash-SHA256: 0000ada3e6821c011fd53a94e5a5d9a777a02b1c4cd087f1c51de9e0ad9023e3", "Win.Malware.Agent-6386296-0 FileHash-SHA256: fdb8452173a4f116f6e362ab5466c3c16bf6697502fe3d01db0d82f0e339de24 | Win32:Adware-gen\\ [Adw] ,", "https://otx.alienvault.com/indicator/file/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "Large DNS Query possible covert channel\t192.168.56.101", "Yara Detections: MS_Visual_Basic_6_0 , vad_contains_network_strings , EXECryptor2223compressedcodewwwstrongbitcom , EXECryptor2223protectedIAT , EXECryptor224StrongbitSoftCompleteDevelopmenth3 , EXECryptor2xxmaxcompressedresources ,", "Yara Detections Nullsoft_NSIS | Yara Detections: EXECryptorV22Xsoftcompletecom", "114-45-52-152.dynamic-ip.hinet.net\u2192.hinet.net | Domain has its own nameserver", "track.adminresourceupdate.com \u2022 postracking100.online", "2.746.1.iphone.com.unicostudio.braintest.adsenseformobileapps.com", "http://ecm.mobileboost.me/wapnt.php?id=368&publisher=headway&trackingId=1812131619a57bf1c1da8138&canal=offportal&source=001640_155:::cf1a3fda0", "http://mobileboost.me/APIS/WAPNT/wapnt.php?pageId=174&sec=334779&carrier=11&publisher=headway&aff_sub=18040118a49dafc70f463df8&source=000325_339", "mobile.detectivesoliver.com \u2022 callback.mobileboost.me", "IDS Detections: Playtech Installer PUP/Adware Playtech Downloader Online Gaming Checkin Suspicious User-Agent containing Loader Observed C: \\\\ filepath observed in HTTP header", "Yara Detections: stack_string , ConventionEngine_Keyword_Install , research_pe_signed_outside_timestamp , xor_0x20_xord_javascript" ], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Agent-6386296-0", "display_name": "Win.Malware.Agent-6386296-0", "target": null }, { "id": "#Lowfi:Trojan:JS/Auto59", "display_name": "#Lowfi:Trojan:JS/Auto59", "target": null }, { "id": "Win32:VBMod\\ [Trj]", "display_name": "Win32:VBMod\\ [Trj]", "target": null }, { "id": "!EXECryptor_2.x.x", "display_name": "!EXECryptor_2.x.x", "target": null }, { "id": "Win32:VBMod\\ [Trj]", "display_name": "Win32:VBMod\\ [Trj]", "target": null }, { "id": "Win.Trojan.5229994-1", "display_name": "Win.Trojan.5229994-1", "target": null }, { "id": "Taiwan", "display_name": "Taiwan", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1399", "name": "Modify Trusted Execution Environment", "display_name": "T1399 - Modify Trusted Execution Environment" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [ "Civil Society", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 636, "FileHash-SHA1": 402, "FileHash-SHA256": 1126, "URL": 3482, "domain": 1192, "hostname": 1324, "email": 7, "SSLCertFingerprint": 2 }, "indicator_count": 8171, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "749 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.corrosiontests.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.corrosiontests.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776607089.8071072 }