{ "type": "URL", "indicator": "https://www.dimc.co.uk", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.dimc.co.uk", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3686375202, "indicator": "https://www.dimc.co.uk", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 15, "pulses": [ { "id": "6905d40f781d7d58d4021a20", "name": "Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts by PT.", "description": "- with a primary focus on criminal defense. In both positions, he successfully defended his clients against claims running the gamut of the criminal justice system, from DUI\nand misdemeanors to felony indictments. In his criminal practice, Mr. Ahmann defends clients charged with both misdemeanor and felony cases. Mr. Ahmann continues his criminal practice as he believes that his clients deserve someone on their side to assure their voice is heard in the criminal process as well. He is dedicated to each of his clients and is always\nstriving for the best possible outcome in their individual cases. Mr. Ahmann also specializes in defense of employers in workers' compensation claims. He also assists TAM clients whose liability defense touches criminal prosecution, regularly providing effective criminal counsel in catastrophic injury common carrier matters, as well as criminal prosecution stemming from\nemployment and official acts.", "modified": "2025-12-20T06:00:23.758000", "created": "2025-11-01T09:34:07.323000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8332, "domain": 4819, "hostname": 2165, "FileHash-SHA256": 7369, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 23637, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "120 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6906c12b1dd6a64ab1beaa55", "name": "SpyNoon \u2022Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious", "description": "", "modified": "2025-12-01T09:02:26.881000", "created": "2025-11-02T02:25:47.431000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6905d40f781d7d58d4021a20", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7556, "domain": 4779, "hostname": 2053, "FileHash-SHA256": 7233, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 22573, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69137ee5d76d486d65396af0", "name": "Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts committed by Jeffrey S. Reimer DPT \u2022 Treece Alfrey Musat P.C., ", "description": "", "modified": "2025-12-01T09:02:26.881000", "created": "2025-11-11T18:22:29.976000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6905d40f781d7d58d4021a20", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7556, "domain": 4779, "hostname": 2053, "FileHash-SHA256": 7233, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 22573, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6891bf5f58c1ae303f6d313e", "name": "Jeeng | Powerbox | Tracking | Mirai \u2022 Palantir plugin", "description": "#ELF:Mirai-ALC\\ [Trj]\n* [https://d1-myadmin.dpdlocal.co.uk/login]\n\u2022 [cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap]\nAlfper:BrowserModifier:Win32/DeepSync.C\n#prometheus #trojan #malware #elf #mirai dpd #palantir # plugin #tracking #monitoring #call #tracker #spyware #worm #virus #election_ news", "modified": "2025-09-04T08:05:56.240000", "created": "2025-08-05T08:22:55.113000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses url", "entries", "url http", "type indicator", "role title", "added active", "related pulses", "showing", "iocs", "learn more", "filehashsha256", "types", "indicators show", "search", "present jul", "present jun", "present may", "present aug", "present apr", "present mar", "present feb", "united", "unknown aaaa", "all ipv4", "pulse pulses", "passive dns", "urls", "files", "reverse dns", "location united", "america flag", "america asn", "open", "registrar", "limited ta", "com laude", "nomiq", "creation date", "ip address", "date", "domain", "hostname", "files ip", "address", "asn as21342", "scan", "ipv4", "pulses", "servers", "hostname add", "pulse submit", "url analysis", "verdict", "france unknown", "name servers", "present", "whois show", "record value", "domain name", "expiration date", "status", "domain add", "filehashmd5", "idhttp", "tidcustomhttp", "classes", "medium", "crlf line", "show", "registry", "service", "copy", "patch", "write", "next", "markus", "delphi", "win32", "persistence", "execution", "http", "files domain", "files related", "pulses none", "related tags", "none google", "refresh57959", "windows xp", "pack", "shows", "cc08", "f06a6b", "pulses hostname", "germany unknown", "aaaa", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "development att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "ascii text", "pattern match", "mitre att", "show technique", "format", "august", "hybrid", "local", "path", "click", "strings", "filehashsha1", "palantir feb", "difference feb" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3809, "hostname": 1197, "domain": 456, "FileHash-MD5": 170, "FileHash-SHA256": 579, "FileHash-SHA1": 161, "CVE": 1, "email": 1, "SSLCertFingerprint": 6 }, "indicator_count": 6380, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "227 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6835f98071d54709061387d0", "name": "DILBOOSTENERGY.COM IP THEFT BY PETROMOTION.COM PKTECHNOLOGY.COM GLOBAL-PETROLEUM.COM", "description": "PETROMOTION.COM PKTECHNOLOGY.COM GLOBAL-PETROLEUM.COM are on the patents that were stolen from DILBOOSTENERGY.COM\n\nhttps://patents.google.com/patent/US10450498B2/en\n\nIT COMPANY FASTITC.CA IS ON THE GLOBAL-PETROLEUM.COM WEBSITE AS IT STAFF INDICATORS LEAD TO THESE IT STAFF AS WELL. \n\nAll malware signatures lead back to this criminal cyber group including ASTROMUST.COM NJWEBSTUDIO.NET STCIGROUP.COM THEAKKAAS.COM PENNALPHA.COM", "modified": "2025-06-26T17:02:42.144000", "created": "2025-05-27T17:42:24.799000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "gameprofits.io", "id": "170823", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_170823/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 66, "domain": 66, "FileHash-SHA256": 60, "hostname": 12 }, "indicator_count": 204, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "296 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e6547f22d43d6d149cac7a", "name": "RedCap Abuse | The 1st Pulse was deleted from OTX . AlienVault", "description": "Another example of target working with a hacker impersonating some7he.sje was not. The hackers had the perfect opportunity to stay attached to Dropbox, photos. microphone and highlighted heavily targets location. || Target was suspicious about several issues related to pair. Hacker has only one piece of equipment for project. Target basically had to give him all , tips, cues and direction for project. If this Pulse is deleted I don't know what to think.", "modified": "2024-10-15T02:02:53.504000", "created": "2024-09-15T03:29:03.699000", "tags": [ "urls", "passive dns", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "process32nextw", "intel", "ms windows", "united", "pe32", "search", "module load", "t1129", "read c", "default", "path", "write", "malware", "copy", "win32", "suspicious", "unknown", "united kingdom", "set cookie", "as43350 nforce", "script urls", "as55286", "status", "cookie", "trojan", "template", "showing", "entries", "body", "ransom", "meta", "a div", "div div", "ipv4", "script script", "as16276", "france unknown", "link", "span a", "span span", "span", "class", "pragma", "servers", "creation date", "emails", "domain", "expiration date", "cname", "aaaa", "certificate", "lowfitrojan", "hstr", "jsauto25 jun", "pm lowfitrojan", "related pulses", "file samples", "files matching", "show", "endpoints all", "trojan features", "date hash", "as15169 google", "as44273 host", "september", "de indicators", "domains", "hashes", "dynamicloader", "yara detections", "enigmaprotector", "high", "bios", "dynamic", "filehash", "yaxpax", "yapaxi", "zp6axi0", "cuckoo", "name servers", "domains ii", "for privacy", "redacted for", "next", "domain address", "alienvault name", "server", "flag", "contacted hosts", "process details", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "exit node", "traffic group", "suricata", "overview ip", "address", "files location", "flag united", "hostname", "files domain", "months ago", "created", "email", "modified", "filehashsha1", "filehashsha256", "white cve", "cyber", "xamzexpires300", "twitter", "xor ddos", "xorddos", "hacktool", "bazaarloader", "redcap", "formbook", "locky", "lockbit", "ransomware", "target", "ebury", "virustotal", "crypter", "shadowpad", "corrupt", "cryptor", "android", "xrat", "xtrat", "malicious", "honeypot", "fraud", "already", "behav", "ragnar locker", "swipper", "n\u2205 ip", "write c", "msie", "windows nt", "wow64", "slcc2", "media center", "delete c", "execution", "dock", "persistence", "august", "asnone bulgaria", "sales", "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "first", "whois lookups", "dnssec", "domain name", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "date", "dns replication", "record type", "ttl value", "msms33388520", "data", "cus starizona", "cngo daddy", "authority", "g2 validity" ], "references": [ "TrojanSpy:Win32/Nivdort.DE", "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn: FileHash-SHA256 00018d13f451300fb839123dfbf2d8607da0e7b1c89ae1bfbb9946ac79c1663c", "IDS Detections: Win32/Unruy Rogue Search Host Observed 1", "Yara Detections: Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts: nids_malware_alert network_icmp persistence_autorun" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "ALF:Trojan:Win32/Cassini_ade36583", "display_name": "ALF:Trojan:Win32/Cassini_ade36583", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn", "target": null }, { "id": "Ransom:Win32/Wannaren", "display_name": "Ransom:Win32/Wannaren", "target": "/malware/Ransom:Win32/Wannaren" }, { "id": "#LowfiTrojan:JS/Auto25", "display_name": "#LowfiTrojan:JS/Auto25", "target": "/malware/#LowfiTrojan:JS/Auto25" }, { "id": "Trojan:Win32/Startpage", "display_name": "Trojan:Win32/Startpage", "target": "/malware/Trojan:Win32/Startpage" }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy", "target": null }, { "id": "Win.Packed.XtremeRAT-9837419-0", "display_name": "Win.Packed.XtremeRAT-9837419-0", "target": null }, { "id": "Win.Packed.Kelios-10023944-0", "display_name": "Win.Packed.Kelios-10023944-0", "target": null }, { "id": "Win.Trojan.Unruy-5885", "display_name": "Win.Trojan.Unruy-5885", "target": null }, { "id": "Ebury", "display_name": "Ebury", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Swipper", "display_name": "Swipper", "target": null }, { "id": "N\u2205 IP", "display_name": "N\u2205 IP", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [ "Government", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4315, "FileHash-MD5": 573, "FileHash-SHA1": 550, "FileHash-SHA256": 4114, "domain": 4757, "hostname": 2075, "SSLCertFingerprint": 5, "email": 14, "CIDR": 1 }, "indicator_count": 16404, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e77c7c488546842f94848c", "name": "Injection \u2022 FormBook", "description": "Insane", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-05T20:11:40.389000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e7832f3d5621ae81a5c4c2", "name": "Injection \u2022 FormBook ", "description": "", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-05T20:40:15.678000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": "65e77c7c488546842f94848c", "export_count": 63, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ea63bd597387fdaccd36bd", "name": "Injection \u2022 FormBook", "description": "", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-08T01:02:53.039000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": "65e77c7c488546842f94848c", "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eba0786d5bbd4f31a60c17", "name": "Injection \u2022 FormBook", "description": "", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-08T23:34:16.648000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": "65e77c7c488546842f94848c", "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655a98cc8cb36e3ed3a67530", "name": "http://apple.huzii.cn/", "description": "", "modified": "2023-12-19T23:04:48.178000", "created": "2023-11-19T23:22:52.263000", "tags": [ "urls", "passive dns", "http", "unique", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "ip address", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "server", "connection", "html info", "title", "meta tags", "communicating", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "spyware", "injector", "blacklist http", "malicious url", "team", "simda", "bambernek", "cisco umbrella", "site", "bambernek gen", "safe site", "malware site", "malicious site", "alexa top", "installcore", "malware", "infy", "quasar rat", "inmortal", "cyber threat", "united", "team phishing", "maltiverse", "engineering", "mail spammer", "attacker", "hostname", "phishing", "redline stealer", "mirai", "pony", "nanocore", "bradesco", "emotet", "cobalt strike", "agent", "service", "malicious", "bank", "pykspa", "vawtrak", "suppobox", "name verdict", "falcon sandbox", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "mitre att", "temp", "ck id", "show technique", "unknown", "date", "span", "error", "refresh", "generator", "critical", "body", "look", "verify", "hybrid", "accept", "general", "local", "click", "strings", "tools", "restart" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Inmortal", "display_name": "Inmortal", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9403, "FileHash-MD5": 496, "FileHash-SHA256": 3115, "domain": 1429, "hostname": 1888, "FileHash-SHA1": 271, "CVE": 2 }, "indicator_count": 16604, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655a99cf0e5551be4af47124", "name": "Immortal ", "description": "", "modified": "2023-12-19T23:04:48.178000", "created": "2023-11-19T23:27:11.676000", "tags": [ "urls", "passive dns", "http", "unique", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "ip address", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "server", "connection", "html info", "title", "meta tags", "communicating", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "spyware", "injector", "blacklist http", "malicious url", "team", "simda", "bambernek", "cisco umbrella", "site", "bambernek gen", "safe site", "malware site", "malicious site", "alexa top", "installcore", "malware", "infy", "quasar rat", "inmortal", "cyber threat", "united", "team phishing", "maltiverse", "engineering", "mail spammer", "attacker", "hostname", "phishing", "redline stealer", "mirai", "pony", "nanocore", "bradesco", "emotet", "cobalt strike", "agent", "service", "malicious", "bank", "pykspa", "vawtrak", "suppobox", "name verdict", "falcon sandbox", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "mitre att", "temp", "ck id", "show technique", "unknown", "date", "span", "error", "refresh", "generator", "critical", "body", "look", "verify", "hybrid", "accept", "general", "local", "click", "strings", "tools", "restart" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Inmortal", "display_name": "Inmortal", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655a98cc8cb36e3ed3a67530", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10109, "FileHash-MD5": 554, "FileHash-SHA256": 3593, "domain": 1555, "hostname": 2180, "FileHash-SHA1": 295, "CVE": 22 }, "indicator_count": 18308, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655af45af3f5879500aeed76", "name": "Immortal | http://apple.huzii.cn/", "description": "", "modified": "2023-12-19T23:04:48.178000", "created": "2023-11-20T05:53:30.948000", "tags": [ "urls", "passive dns", "http", "unique", "scan endpoints", "all search", "otx octoseek", "url http", "pulse pulses", "ip address", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "server", "connection", "html info", "title", "meta tags", "communicating", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "spyware", "injector", "blacklist http", "malicious url", "team", "simda", "bambernek", "cisco umbrella", "site", "bambernek gen", "safe site", "malware site", "malicious site", "alexa top", "installcore", "malware", "infy", "quasar rat", "inmortal", "cyber threat", "united", "team phishing", "maltiverse", "engineering", "mail spammer", "attacker", "hostname", "phishing", "redline stealer", "mirai", "pony", "nanocore", "bradesco", "emotet", "cobalt strike", "agent", "service", "malicious", "bank", "pykspa", "vawtrak", "suppobox", "name verdict", "falcon sandbox", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "mitre att", "temp", "ck id", "show technique", "unknown", "date", "span", "error", "refresh", "generator", "critical", "body", "look", "verify", "hybrid", "accept", "general", "local", "click", "strings", "tools", "restart" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Inmortal", "display_name": "Inmortal", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655a98cc8cb36e3ed3a67530", "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9403, "FileHash-MD5": 496, "FileHash-SHA256": 3115, "domain": 1429, "hostname": 1888, "FileHash-SHA1": 271, "CVE": 2 }, "indicator_count": 16604, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709bae5e45b52228d023fe", "name": "extended with bioscript.vr.cm - Jean if you looking look here - esy.es/default.php", "description": "", "modified": "2023-12-06T16:05:02.668000", "created": "2023-12-06T16:05:02.668000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 322, "FileHash-SHA1": 18, "domain": 252, "FileHash-MD5": 20, "URL": 1094, "hostname": 243, "FilePath": 3 }, "indicator_count": 1952, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6471447723ec3255208141c8", "name": "extended with bioscript.vr.cm - Jean if you looking look here - esy.es/default.php", "description": "small collection of data found in home environment to which was unknown, sadly i dont recall the specifics just found in a note book. Some weeks on I also recorded notes on a article by Krebs talking about host sailor jesse wu and khalid cook which caught my eye for several reasons, my son's nick name is wu and the 1st solid evidence found was a google dev thing in my sons account (he was 8 at the time) called wuwu-xxxxx i would have to look the exact details up plus the Arabic fake twitter acc confirmation email to which arrived in my inbox in late 2017 whilst using a public pc at the library which had been back dated to 2015", "modified": "2023-06-25T21:05:18.561000", "created": "2023-05-26T23:44:55.851000", "tags": [ "bioscript.vr.com", "ww17.paypal", "ww16.youtube" ], "references": [ "see vt graph bioscript.vr.com collection notes" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1097, "hostname": 245, "FileHash-SHA256": 323, "domain": 254, "FilePath": 3, "FileHash-MD5": 20, "FileHash-SHA1": 18 }, "indicator_count": 1960, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1028 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "TrojanSpy:Win32/Nivdort.DE", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "72.167.124.187 [phishing]", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "http://www.sheraises.com/wcur/ [phishing]", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "http://mcbut.live (Not present? Absent today - unexcused)", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "www.jamesbgriffinlaw.com (toolbox)", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "nr-data.net [Apple Private Data Collection]", "Traceback- Man with signal jammer/ deauther working around her today.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "Doing any evil thing for mone does not compute for me.", "applephonenw.com [governmentattic]", "Yara Detections: Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser", "thecomments.app", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn: FileHash-SHA256 00018d13f451300fb839123dfbf2d8607da0e7b1c89ae1bfbb9946ac79c1663c", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts: nids_malware_alert network_icmp persistence_autorun", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "see vt graph bioscript.vr.com collection notes", "IDS Detections: Win32/Unruy Rogue Search Host Observed 1", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "On same block with HalkRender. Has close working relationship. All Palantir legal enities", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "https://www.mccormick-designs.com", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win.trojan.airinstall-1", "Trojan:win32/startpage", "Win.malware.qshell-9875653-0", "Trojandownloader:win32/upatre.o", "Trojan:win32/neconyd.a", "N\u2205 ip", "Ransom:win32/wannaren", "Other", "Win.trojan.nsis-41", "Alf:heraklezeval:pua:win32/imali", "Ebury", "#lowfitrojan:js/auto25", "Formbook", "Alf:trojan:win32/cassini_ade36583", "Win.packed.kelios-10023944-0", "Win.trojan", "Locky", "Trojan:win32/generic", "Ransom:win32/teerac.a", "#lowfi:hstr:win32/airinstaller.b", "Win.trojan.unruy-5885", "Alf:heraklezeval:trojandownloader:win32/unruy", "Trojan:win32/qshell", "Trojandownloader:win32/upatre", "Alf:jasyp:trojandownloader:win32/startpage!atmn", "Win32:malware-gen", "Virtool:win32/injector.gen!bq", "Artro", "Ransom:win32/haperlock", "Alf:heraklezeval:trojandownloader:win32/unruy!rfn", "Win.packed.xtremerat-9837419-0", "Win.malware.unsafe", "Expiro", "Trojanspy:win32/nivdort", "Inmortal", "Win.dropper.remcos-9970861-0", "Swipper", "Juko", "Trojanspy:win32/nivdort.de", "Win.trojan.zbot-64721" ], "industries": [ "Government", "Telecommunications", "Technology", "Legal", "Healthcare" ], "unique_indicators": 74533 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/dimc.co.uk", "whois": "http://whois.domaintools.com/dimc.co.uk", "domain": "dimc.co.uk", "hostname": "www.dimc.co.uk" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 15, "pulses": [ { "id": "6905d40f781d7d58d4021a20", "name": "Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts by PT.", "description": "- with a primary focus on criminal defense. In both positions, he successfully defended his clients against claims running the gamut of the criminal justice system, from DUI\nand misdemeanors to felony indictments. In his criminal practice, Mr. Ahmann defends clients charged with both misdemeanor and felony cases. Mr. Ahmann continues his criminal practice as he believes that his clients deserve someone on their side to assure their voice is heard in the criminal process as well. He is dedicated to each of his clients and is always\nstriving for the best possible outcome in their individual cases. Mr. Ahmann also specializes in defense of employers in workers' compensation claims. He also assists TAM clients whose liability defense touches criminal prosecution, regularly providing effective criminal counsel in catastrophic injury common carrier matters, as well as criminal prosecution stemming from\nemployment and official acts.", "modified": "2025-12-20T06:00:23.758000", "created": "2025-11-01T09:34:07.323000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8332, "domain": 4819, "hostname": 2165, "FileHash-SHA256": 7369, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 23637, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "120 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6906c12b1dd6a64ab1beaa55", "name": "SpyNoon \u2022Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious", "description": "", "modified": "2025-12-01T09:02:26.881000", "created": "2025-11-02T02:25:47.431000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6905d40f781d7d58d4021a20", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7556, "domain": 4779, "hostname": 2053, "FileHash-SHA256": 7233, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 22573, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69137ee5d76d486d65396af0", "name": "Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious acts committed by Jeffrey S. Reimer DPT \u2022 Treece Alfrey Musat P.C., ", "description": "", "modified": "2025-12-01T09:02:26.881000", "created": "2025-11-11T18:22:29.976000", "tags": [ "public tlp", "trojandropper", "other", "references add", "show", "provide", "remote", "t1457", "media content", "t1480", "subvert trust", "controls t1562", "modify tools", "command history", "ck t1027", "t1057", "discovery t1069", "t1071", "protocol t1105", "tool transfer", "t1113", "logging t1568", "t1574", "execution flow", "dll sideloading", "t1583", "ta0003", "ck id", "america", "att", "t1045", "capture t1140", "ipv4", "active related", "contact", "adversary", "tam legal", "qshell", "colorado state", "ahmann special", "counsel", "download", "ahmann", "university", "history", "john marshall", "law school", "special counsel", "christopher ahmann", "defense", "url http", "create new", "pulse provide", "white", "adversary tags", "add tag", "groups add", "countries add", "country malware", "trojan", "script urls", "treece alfrey", "meta", "function", "for privacy", "germany unknown", "united", "script", "ip address", "creation date", "date", "tracker", "null", "window", "general full", "reverse dns", "server", "philadelphia", "asn8560", "ionosas", "ionos", "fasthosts", "media", "telecom", "apache", "main", "gtagtracker", "gatracker", "brian sabey", "hall render", "fastly error", "palantir", "special counsel", "gravity rat" ], "references": [ "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex \u2022\u2019 Fake Pinterest \u2022https://pin.it/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Tsara never knew defense attorney fought & closed her worker\u2019s compensation claim", "Traceback- Man with signal jammer/ deauther working around her today.", "Absolutely zero regard for the victims who facilitate your luxury lifestyle.", "Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?", "You\u2019d kill to have someone else\u2019s lifestyle? May God take you out!", "This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant.", "He began a smear campaign immediately and is directly linked to Hall Render and Palantir", "Doing any evil thing for mone does not compute for me.", "I\u2019ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted.", "He must be very scary like Peter Theil because every attorney took case then backed off.", "Patiently waiting to see what God is going to do to all of you. You take lives for $", "Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?", "So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose", "On same block with HalkRender. Has close working relationship. All Palantir legal enities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Other", "display_name": "Other", "target": null }, { "id": "Win.Malware.Unsafe", "display_name": "Win.Malware.Unsafe", "target": null }, { "id": "Juko", "display_name": "Juko", "target": null }, { "id": "Expiro", "display_name": "Expiro", "target": null }, { "id": "Trojan:Win32/Generic", "display_name": "Trojan:Win32/Generic", "target": "/malware/Trojan:Win32/Generic" }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6905d40f781d7d58d4021a20", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7556, "domain": 4779, "hostname": 2053, "FileHash-SHA256": 7233, "FileHash-MD5": 474, "FileHash-SHA1": 470, "CVE": 4, "email": 4 }, "indicator_count": 22573, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6891bf5f58c1ae303f6d313e", "name": "Jeeng | Powerbox | Tracking | Mirai \u2022 Palantir plugin", "description": "#ELF:Mirai-ALC\\ [Trj]\n* [https://d1-myadmin.dpdlocal.co.uk/login]\n\u2022 [cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap]\nAlfper:BrowserModifier:Win32/DeepSync.C\n#prometheus #trojan #malware #elf #mirai dpd #palantir # plugin #tracking #monitoring #call #tracker #spyware #worm #virus #election_ news", "modified": "2025-09-04T08:05:56.240000", "created": "2025-08-05T08:22:55.113000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses url", "entries", "url http", "type indicator", "role title", "added active", "related pulses", "showing", "iocs", "learn more", "filehashsha256", "types", "indicators show", "search", "present jul", "present jun", "present may", "present aug", "present apr", "present mar", "present feb", "united", "unknown aaaa", "all ipv4", "pulse pulses", "passive dns", "urls", "files", "reverse dns", "location united", "america flag", "america asn", "open", "registrar", "limited ta", "com laude", "nomiq", "creation date", "ip address", "date", "domain", "hostname", "files ip", "address", "asn as21342", "scan", "ipv4", "pulses", "servers", "hostname add", "pulse submit", "url analysis", "verdict", "france unknown", "name servers", "present", "whois show", "record value", "domain name", "expiration date", "status", "domain add", "filehashmd5", "idhttp", "tidcustomhttp", "classes", "medium", "crlf line", "show", "registry", "service", "copy", "patch", "write", "next", "markus", "delphi", "win32", "persistence", "execution", "http", "files domain", "files related", "pulses none", "related tags", "none google", "refresh57959", "windows xp", "pack", "shows", "cc08", "f06a6b", "pulses hostname", "germany unknown", "aaaa", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "development att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "ascii text", "pattern match", "mitre att", "show technique", "format", "august", "hybrid", "local", "path", "click", "strings", "filehashsha1", "palantir feb", "difference feb" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3809, "hostname": 1197, "domain": 456, "FileHash-MD5": 170, "FileHash-SHA256": 579, "FileHash-SHA1": 161, "CVE": 1, "email": 1, "SSLCertFingerprint": 6 }, "indicator_count": 6380, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "227 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6835f98071d54709061387d0", "name": "DILBOOSTENERGY.COM IP THEFT BY PETROMOTION.COM PKTECHNOLOGY.COM GLOBAL-PETROLEUM.COM", "description": "PETROMOTION.COM PKTECHNOLOGY.COM GLOBAL-PETROLEUM.COM are on the patents that were stolen from DILBOOSTENERGY.COM\n\nhttps://patents.google.com/patent/US10450498B2/en\n\nIT COMPANY FASTITC.CA IS ON THE GLOBAL-PETROLEUM.COM WEBSITE AS IT STAFF INDICATORS LEAD TO THESE IT STAFF AS WELL. \n\nAll malware signatures lead back to this criminal cyber group including ASTROMUST.COM NJWEBSTUDIO.NET STCIGROUP.COM THEAKKAAS.COM PENNALPHA.COM", "modified": "2025-06-26T17:02:42.144000", "created": "2025-05-27T17:42:24.799000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "gameprofits.io", "id": "170823", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_170823/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 66, "domain": 66, "FileHash-SHA256": 60, "hostname": 12 }, "indicator_count": 204, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "296 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e6547f22d43d6d149cac7a", "name": "RedCap Abuse | The 1st Pulse was deleted from OTX . AlienVault", "description": "Another example of target working with a hacker impersonating some7he.sje was not. The hackers had the perfect opportunity to stay attached to Dropbox, photos. microphone and highlighted heavily targets location. || Target was suspicious about several issues related to pair. Hacker has only one piece of equipment for project. Target basically had to give him all , tips, cues and direction for project. If this Pulse is deleted I don't know what to think.", "modified": "2024-10-15T02:02:53.504000", "created": "2024-09-15T03:29:03.699000", "tags": [ "urls", "passive dns", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "process32nextw", "intel", "ms windows", "united", "pe32", "search", "module load", "t1129", "read c", "default", "path", "write", "malware", "copy", "win32", "suspicious", "unknown", "united kingdom", "set cookie", "as43350 nforce", "script urls", "as55286", "status", "cookie", "trojan", "template", "showing", "entries", "body", "ransom", "meta", "a div", "div div", "ipv4", "script script", "as16276", "france unknown", "link", "span a", "span span", "span", "class", "pragma", "servers", "creation date", "emails", "domain", "expiration date", "cname", "aaaa", "certificate", "lowfitrojan", "hstr", "jsauto25 jun", "pm lowfitrojan", "related pulses", "file samples", "files matching", "show", "endpoints all", "trojan features", "date hash", "as15169 google", "as44273 host", "september", "de indicators", "domains", "hashes", "dynamicloader", "yara detections", "enigmaprotector", "high", "bios", "dynamic", "filehash", "yaxpax", "yapaxi", "zp6axi0", "cuckoo", "name servers", "domains ii", "for privacy", "redacted for", "next", "domain address", "alienvault name", "server", "flag", "contacted hosts", "process details", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "exit node", "traffic group", "suricata", "overview ip", "address", "files location", "flag united", "hostname", "files domain", "months ago", "created", "email", "modified", "filehashsha1", "filehashsha256", "white cve", "cyber", "xamzexpires300", "twitter", "xor ddos", "xorddos", "hacktool", "bazaarloader", "redcap", "formbook", "locky", "lockbit", "ransomware", "target", "ebury", "virustotal", "crypter", "shadowpad", "corrupt", "cryptor", "android", "xrat", "xtrat", "malicious", "honeypot", "fraud", "already", "behav", "ragnar locker", "swipper", "n\u2205 ip", "write c", "msie", "windows nt", "wow64", "slcc2", "media center", "delete c", "execution", "dock", "persistence", "august", "asnone bulgaria", "sales", "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "first", "whois lookups", "dnssec", "domain name", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "date", "dns replication", "record type", "ttl value", "msms33388520", "data", "cus starizona", "cngo daddy", "authority", "g2 validity" ], "references": [ "TrojanSpy:Win32/Nivdort.DE", "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn: FileHash-SHA256 00018d13f451300fb839123dfbf2d8607da0e7b1c89ae1bfbb9946ac79c1663c", "IDS Detections: Win32/Unruy Rogue Search Host Observed 1", "Yara Detections: Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts: nids_malware_alert network_icmp persistence_autorun" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "ALF:Trojan:Win32/Cassini_ade36583", "display_name": "ALF:Trojan:Win32/Cassini_ade36583", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn", "target": null }, { "id": "Ransom:Win32/Wannaren", "display_name": "Ransom:Win32/Wannaren", "target": "/malware/Ransom:Win32/Wannaren" }, { "id": "#LowfiTrojan:JS/Auto25", "display_name": "#LowfiTrojan:JS/Auto25", "target": "/malware/#LowfiTrojan:JS/Auto25" }, { "id": "Trojan:Win32/Startpage", "display_name": "Trojan:Win32/Startpage", "target": "/malware/Trojan:Win32/Startpage" }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy", "target": null }, { "id": "Win.Packed.XtremeRAT-9837419-0", "display_name": "Win.Packed.XtremeRAT-9837419-0", "target": null }, { "id": "Win.Packed.Kelios-10023944-0", "display_name": "Win.Packed.Kelios-10023944-0", "target": null }, { "id": "Win.Trojan.Unruy-5885", "display_name": "Win.Trojan.Unruy-5885", "target": null }, { "id": "Ebury", "display_name": "Ebury", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Swipper", "display_name": "Swipper", "target": null }, { "id": "N\u2205 IP", "display_name": "N\u2205 IP", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [ "Government", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4315, "FileHash-MD5": 573, "FileHash-SHA1": 550, "FileHash-SHA256": 4114, "domain": 4757, "hostname": 2075, "SSLCertFingerprint": 5, "email": 14, "CIDR": 1 }, "indicator_count": 16404, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e77c7c488546842f94848c", "name": "Injection \u2022 FormBook", "description": "Insane", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-05T20:11:40.389000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e7832f3d5621ae81a5c4c2", "name": "Injection \u2022 FormBook ", "description": "", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-05T20:40:15.678000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": "65e77c7c488546842f94848c", "export_count": 63, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ea63bd597387fdaccd36bd", "name": "Injection \u2022 FormBook", "description": "", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-08T01:02:53.039000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": "65e77c7c488546842f94848c", "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eba0786d5bbd4f31a60c17", "name": "Injection \u2022 FormBook", "description": "", "modified": "2024-04-04T19:04:12.599000", "created": "2024-03-08T23:34:16.648000", "tags": [ "ssl certificate", "whois record", "execution", "march", "historical ssl", "threat roundup", "contacted", "referrer", "resolutions", "siblings domain", "malicious", "malware", "metro", "whois whois", "hackers utilize", "contacted urls", "lowfi", "date hash", "avast avg", "msdefender feb", "vendor finding", "notes avast", "win32", "ms defender", "trojanspy", "files matching", "number", "sample analysis", "copy", "hide samples", "as133618", "trojan", "passive dns", "ransom", "entries", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "encrypt", "virtool", "body", "click", "date", "artro", "script urls", "asnone united", "unknown", "as2635", "united", "search", "showing", "title", "moved", "script domains", "bypass", "tools", "meta", "cookie", "next", "urls", "address", "creation date", "dnssec", "protect", "threat", "paste", "iocs", "urls http", "xfbml1", "t1676916559", "ucddaocjgah", "rhttps", "hostname", "virgin islands", "cname", "as47846", "germany unknown", "as44273 host", "as45638", "pty ltd", "name servers", "hostnames", "urls https", "cryp", "bq apr", "servers", "pulse submit", "url analysis", "files", "ip address", "domain", "emails", "expiration date", "canada unknown", "dynamicloader", "yara rule", "high", "medium", "formbook cnc", "checkin", "cape", "formbook", "windows", "rc2i", "powershell", "write", "mccormick", "photos", "design og", "html info", "title works", "design meta", "tags og", "wordpress", "woocommerce", "design trackers", "status", "as131316 slnet", "as14061", "win32upatre mar", "win32imali mar", "injection", "http response", "final url", "serving ip", "status code", "body length", "kb body", "sha256", "acceptencoding", "apache", "upgrade", "keepalive", "show", "pe32", "intel", "ms windows", "markus", "hallrender", "songculture attacked", "tsara brashears", "scott mccormick", "aurora", "colorado", "rexxfield", "m brian sabey", "rally", "analyze", "targeted", "nxdomain", "as397240", "as22612", "record value", "for privacy", "aaaa", "alienvault", "open threat", "hit", "men", "man", "reredrum", "monitoring" ], "references": [ "https://www.mccormick-designs.com", "http://www.sheraises.com/wcur/ [phishing]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [Botnet]", "72.167.124.187 [phishing]", "http://track.getportal.net/trackcnt/Kvg48RpSKKFNkW8e/?data=L4300109", "track.getportal.net \u2022 logs.getportal.net \u2022 morda.getportal.net", "http://em.onedirect.in/ls/click?upn=7RLF-2FDQ4RqYaRQtlnfvOgvQ66wDRlCqFovy2-2BXJwRBId7DR0PEPeiDPgFR0O6bb0FsljUHxEKK6C5a36-2FIswwfy8i49p0CmfV", "www.jamesbgriffinlaw.com (toolbox)", "http://www.kavyadigitalservices.com/wp-content/plugins/revslider/temp/update_extract/revslider/terms.php?id=3384758333", "nr-data.net [Apple Private Data Collection]", "applephonenw.com [governmentattic]", "device-local-3fea3945-5a69-47b5-9512-efa9e952b40e.remotewd.com", "https://r-login.wordpress.com/remote-login.php?wpcom_remote_login=key&origin=aHR0cHM6Ly9pbnRoZXBsb3R0aW5nc2hlZC5jb20%3D&wpcomid=113013957&time=1676916558", "jesusandcoffee.com [governmentattic.org] jajaja not funny freaks", "http://mcbut.live (Not present? Absent today - unexcused)", "thecomments.app" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Ransom:Win32/Teerac.A", "display_name": "Ransom:Win32/Teerac.A", "target": "/malware/Ransom:Win32/Teerac.A" }, { "id": "Trojan:Win32/Neconyd.A", "display_name": "Trojan:Win32/Neconyd.A", "target": "/malware/Trojan:Win32/Neconyd.A" }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "TrojanDownloader:Win32/Upatre.O", "display_name": "TrojanDownloader:Win32/Upatre.O", "target": "/malware/TrojanDownloader:Win32/Upatre.O" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Startpage!atmn", "target": null }, { "id": "#Lowfi:HSTR:Win32/AirInstaller.B", "display_name": "#Lowfi:HSTR:Win32/AirInstaller.B", "target": null }, { "id": "Win.Trojan", "display_name": "Win.Trojan", "target": null }, { "id": "Win.Trojan.Zbot-64721", "display_name": "Win.Trojan.Zbot-64721", "target": null }, { "id": "Win.Dropper.Remcos-9970861-0", "display_name": "Win.Dropper.Remcos-9970861-0", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/Imali", "display_name": "ALF:HeraklezEval:PUA:Win32/Imali", "target": null }, { "id": "Win.Trojan.NSIS-41", "display_name": "Win.Trojan.NSIS-41", "target": null }, { "id": "Win.Trojan.Airinstall-1", "display_name": "Win.Trojan.Airinstall-1", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" } ], "industries": [], "TLP": "white", "cloned_from": "65e77c7c488546842f94848c", "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4708, "hostname": 1810, "FileHash-MD5": 254, "FileHash-SHA1": 213, "FileHash-SHA256": 1631, "domain": 2741, "CVE": 3, "email": 11 }, "indicator_count": 11371, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.dimc.co.uk", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.dimc.co.uk", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776607182.192848 }