{
  "type": "URL",
  "indicator": "https://www.facebook.com/tr",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://www.facebook.com/tr",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "alexa",
        "message": "Alexa rank: #7",
        "name": "Listed on Alexa"
      },
      {
        "source": "akamai",
        "message": "Akamai rank: #5",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain facebook.com",
        "name": "Whitelisted domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain facebook.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 2285630263,
      "indicator": "https://www.facebook.com/tr",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 14,
      "pulses": [
        {
          "id": "69b7ac3b32ac89ecba53f3d9",
          "name": "Malicious",
          "description": "",
          "modified": "2026-04-15T08:44:52.171000",
          "created": "2026-03-16T07:07:39.495000",
          "tags": [
            "march",
            "input http",
            "posix shell",
            "ascii text",
            "threat level",
            "summary av",
            "detection",
            "environment",
            "action"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 291,
            "URL": 272,
            "hostname": 296,
            "domain": 293,
            "FileHash-MD5": 90,
            "FileHash-SHA1": 89,
            "CIDR": 3,
            "email": 3,
            "SSLCertFingerprint": 9
          },
          "indicator_count": 1346,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 49,
          "modified_text": "4 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65eea19a23474b8c7dca351f",
          "name": "All Items - find from the UA archive disk",
          "description": "Again have zero idea 'what these are' - just uploading from the 'archives' as I sort through things",
          "modified": "2025-12-24T08:28:47.628000",
          "created": "2024-03-11T06:15:54.351000",
          "tags": [],
          "references": [
            "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs",
            "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs",
            "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark",
            "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark",
            "",
            "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1165,
            "hostname": 866,
            "URL": 657,
            "FileHash-SHA256": 26,
            "email": 337,
            "FileHash-MD5": 12,
            "FileHash-SHA1": 8,
            "CIDR": 1
          },
          "indicator_count": 3072,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 128,
          "modified_text": "116 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68b60cdecf42fb532f2ceb12",
          "name": "U of A DataBreach Update - 11.13.25",
          "description": "Domain Analysis that serves as evidence of an on-going DataBreaches at the University of Alberta with associated references.\nAnalysis demonstrates abused critical infrastructure in the Province of Alberta stemming from UAlberta as detailed in this Pulse.",
          "modified": "2025-12-13T22:01:27.739000",
          "created": "2025-09-01T21:15:10.117000",
          "tags": [
            "as16509",
            "amazon02",
            "redirect",
            "tags",
            "as14618",
            "amazonaes",
            "search",
            "public",
            "search live",
            "api blog",
            "patch http",
            "please",
            "javascript",
            "url",
            "website",
            "web",
            "scanner",
            "analyze",
            "analyzer",
            "search api",
            "make sure",
            "domain",
            "and not",
            "page",
            "home search",
            "live api",
            "blog docs",
            "pricing login",
            "greynoise",
            "visualizer skip",
            "service status",
            "company blog",
            "us careers",
            "policies vpat",
            "slo privacy",
            "cookie patent",
            "copyright",
            "google privacy",
            "sandbox",
            "reputation",
            "phishing",
            "malware",
            "amazon web",
            "services",
            "warning icon",
            "share report",
            "systems",
            "cloudflare",
            "varnish",
            "nginx",
            "apache",
            "write",
            "virus",
            "trojan",
            "ransomware",
            "static",
            "analysis",
            "indicator of compromise",
            "ioc",
            "extraction",
            "emulation",
            "online",
            "submit",
            "sample",
            "download",
            "platform",
            "course",
            "program",
            "vxstream",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "UAlberta"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/iocs",
            "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/summary",
            "https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
            "https://viz.greynoise.io/ip/analysis/d90b0bd7-aaa1-4ea6-93c1-92bfd2d8f930",
            "https://urlquery.net/report/e9f9c430-fb2f-4166-8bfb-500339fdb9c0",
            "https://www.filescan.io/uploads/68b608d639a6221faa7935aa/reports/dd218cea-f81d-43ed-97fe-dd8c5aec52a3/ioc",
            "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43",
            "https://viz.greynoise.io/query/AS3359",
            "https://www.virustotal.com/graph/embed/g4022b02acb3b46ddb4b24043845853d9f56a84d80b5849188fee79c90217d4ca?theme=dark",
            "http://ci-www.threatcrowd.org/domain.php?domain=ualberta.ca",
            "https://www.urlvoid.com/dns-records-lookup/",
            "https://www.shodan.io/search?query=ualberta.ca",
            "https://dnsdumpster.com/",
            "https://bgpview.io/asn/3359#whois",
            "https://centralops.net/co/",
            "https://app.netlas.io/domains/stats/?facets=domain&indices=&q=domain%3A%2A.ualberta.ca&size=1100",
            "09.10.25 - https://viz.greynoise.io/ip/analysis/df2c8c37-f8f2-4398-b709-7c716b03b697",
            "09.10.25 - https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
            "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43/680e723df123be6c63004290",
            "https://www.criminalip.io/asset/search?query=ualberta.ca",
            "09.20.25 - https://urlscan.io/search/#page.domain%3Aualberta.ca",
            "https://app.threat.zone/submission/c70698bf-881e-491a-a582-eee634b4bf73/url-analysis-report",
            "https://whois.domaintools.com/ualberta.ca",
            "https://research.domaintools.com/research/whois-history/search/?q=ualberta.ca",
            "https://viewdns.info/iphistory/?domain=ualberta.ca",
            "https://viewdns.info/portscan/?host=ualberta.ca",
            "https://whois.easycounter.com/ualberta.ca",
            "https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=ualberta.ca",
            "https://who.is/whois/ualberta.ca",
            "https://www.robtex.com/en/dns-lookup/ca/ualberta",
            "https://www.whoxy.com/ualberta.ca",
            "https://reverseip.domaintools.com/search/?q=ualberta.ca",
            "https://bgp.he.net/dns/ualberta.ca",
            "https://intelx.io/?s=ualberta.ca",
            "https://pulsedive.com/indicator/?indicator=ualberta.ca",
            "https://web.archive.org/web/20250000000000*/ualberta.ca",
            "https://crt.sh/?q=ualberta.ca&exclude=expired&group=none",
            "https://viewdns.info/traceroute/?domain=ualberta.ca",
            "https://centralops.net/co/DomainDossier.aspx",
            "https://search.odin.io/hosts?query=ualberta.ca",
            "https://www.merklemap.com/search?query=ualberta.ca&page=0"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 92,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 9901,
            "domain": 790,
            "email": 982,
            "hostname": 10520,
            "FileHash-MD5": 550,
            "FileHash-SHA256": 1726,
            "FileHash-SHA1": 519,
            "SSLCertFingerprint": 64,
            "CIDR": 26,
            "CVE": 12
          },
          "indicator_count": 25090,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "126 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66eb1903bb12a0d4b524a0fb",
          "name": "HCA Healthcloid | Cellco\u00bb  Adversary in the Middle | Swipper Verizon Block ",
          "description": "",
          "modified": "2024-09-18T18:16:35.396000",
          "created": "2024-09-18T18:16:35.396000",
          "tags": [
            "swipp9-arin",
            "swipper",
            "swipp",
            "verizon",
            "cellcopart",
            "swipper",
            "ongoing",
            "get e sim",
            "as16276",
            "france unknown",
            "unknown",
            "as6167",
            "org verizon",
            "passive dns",
            "all scoreblue",
            "as8075",
            "cellco",
            "javascript",
            "help center",
            "please",
            "service privacy",
            "policy cookie",
            "policy imprint",
            "ads info",
            "cms",
            "express",
            "tsa b",
            "self",
            "server",
            "get esim",
            "wirelessdatanetwork",
            "netrange",
            "nethandle",
            "net174",
            "net1740000",
            "mcics",
            "orgid",
            "mcics address",
            "loudoun county",
            "android",
            "generic http",
            "exe upload",
            "windows nt",
            "outbound",
            "host",
            "malware beacon",
            "cape",
            "trojan",
            "copy",
            "write",
            "malware",
            "inbound",
            "impash",
            "post na",
            "search",
            "delete",
            "related pulses",
            "top source",
            "top destination",
            "source source",
            "filehash",
            "contentlength",
            "activity",
            "dns lookup",
            "flooder",
            "et",
            "aaaa",
            "nxdomain",
            "domain",
            "ipv4",
            "url analysis",
            "files",
            "malicious",
            "network",
            "historical ssl",
            "epsilon stealer",
            "traces aided",
            "dns intel",
            "remote job",
            "keeper",
            "snatch",
            "ransomware",
            "united states",
            "as8068",
            "entries",
            "mtb jan",
            "body",
            "x msedge",
            "scan endpoints",
            "trojandropper",
            "slf features",
            "file samples",
            "files matching",
            "date hash",
            "next",
            "win64",
            "win32",
            "copyright",
            "levelblue",
            "showing",
            "a domains",
            "as54113",
            "script domains",
            "script urls",
            "script script",
            "date",
            "meta",
            "window",
            "cookie",
            "trojan features",
            "worm",
            "show",
            "alf features",
            "hca",
            "target tsara brashears",
            "hostname",
            "expiration",
            "no expiration",
            "hca health",
            "eva120",
            "jody huffines",
            "jody alaska",
            "stephen r 'middleton'",
            "phone clone",
            "adversary in the middle",
            "known threat",
            "android attack",
            "web attack",
            "network",
            "dns",
            "florence co",
            "ddos",
            "google",
            "ip address",
            "ip range",
            "whois",
            "spam stats",
            "as6167 network",
            "cleantalk ip",
            "email abuse",
            "reports",
            "misc attack",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "suricata",
            "et intelligence",
            "known malicious ip",
            "spoof",
            "twitter",
            "x",
            "hackers"
          ],
          "references": [
            "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks  174.215.26.0",
            "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
            "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
            "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
            "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
            "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
            "Yara Detections: SUSP_Imphash_Mar23_2",
            "Alerts: cape_detected_threat",
            "http://www.govexec.com/dailyfed/0906/091806ol.htm",
            "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
            "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
            "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
            "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
            "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
            "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
            "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
            "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
            "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
            "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
            "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
            "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Vflooder.A",
              "display_name": "Trojan:Win32/Vflooder.A",
              "target": "/malware/Trojan:Win32/Vflooder.A"
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Flooder",
              "display_name": "Flooder",
              "target": null
            },
            {
              "id": "Trojan.Upatre/Waski",
              "display_name": "Trojan.Upatre/Waski",
              "target": null
            },
            {
              "id": "SLF:Win64/CobPipe",
              "display_name": "SLF:Win64/CobPipe",
              "target": "/malware/SLF:Win64/CobPipe"
            },
            {
              "id": "TrojanDropper:Win32/Muldrop.V!MTB",
              "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
              "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
            },
            {
              "id": "Worm:Win32/AutoRun",
              "display_name": "Worm:Win32/AutoRun",
              "target": "/malware/Worm:Win32/AutoRun"
            },
            {
              "id": "ALF:Program:Win32/Webcompanion",
              "display_name": "ALF:Program:Win32/Webcompanion",
              "target": null
            },
            {
              "id": "Trojan:Win32/Antavmu",
              "display_name": "Trojan:Win32/Antavmu",
              "target": "/malware/Trojan:Win32/Antavmu"
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1212",
              "name": "Exploitation for Credential Access",
              "display_name": "T1212 - Exploitation for Credential Access"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1122",
              "name": "Component Object Model Hijacking",
              "display_name": "T1122 - Component Object Model Hijacking"
            },
            {
              "id": "T1198",
              "name": "SIP and Trust Provider Hijacking",
              "display_name": "T1198 - SIP and Trust Provider Hijacking"
            },
            {
              "id": "T1460",
              "name": "Biometric Spoofing",
              "display_name": "T1460 - Biometric Spoofing"
            },
            {
              "id": "T1502",
              "name": "Parent PID Spoofing",
              "display_name": "T1502 - Parent PID Spoofing"
            },
            {
              "id": "T1205.001",
              "name": "Port Knocking",
              "display_name": "T1205.001 - Port Knocking"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Healthcare",
            "Government",
            "Civilian Society"
          ],
          "TLP": "white",
          "cloned_from": "66ba9198fd69c93fabece38d",
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 51,
            "CIDR": 11,
            "URL": 280,
            "hostname": 426,
            "FileHash-SHA256": 4334,
            "domain": 180,
            "FileHash-MD5": 2244,
            "FileHash-SHA1": 2244,
            "CVE": 1
          },
          "indicator_count": 9771,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "577 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66ba9198fd69c93fabece38d",
          "name": "Adversary in the Middle | Cellco | Targeting | Phone Cloner | Monitoring",
          "description": "Linked to X.com research. Remotely spoofs, Ddos, blocks, intercepts, redirects, all activity of victim. At one time same Handle: Swipper had a malicious link attached to targets Apple notepads. The link connected to a website with targets name with photo of a jubilant arrest, or death threat. Site linked to Loudoun County, Swipper claiming to be the FBI.",
          "modified": "2024-09-18T18:12:03.438000",
          "created": "2024-08-12T22:50:00.127000",
          "tags": [
            "swipp9-arin",
            "swipper",
            "swipp",
            "verizon",
            "cellcopart",
            "swipper",
            "ongoing",
            "get e sim",
            "as16276",
            "france unknown",
            "unknown",
            "as6167",
            "org verizon",
            "passive dns",
            "all scoreblue",
            "as8075",
            "cellco",
            "javascript",
            "help center",
            "please",
            "service privacy",
            "policy cookie",
            "policy imprint",
            "ads info",
            "cms",
            "express",
            "tsa b",
            "self",
            "server",
            "get esim",
            "wirelessdatanetwork",
            "netrange",
            "nethandle",
            "net174",
            "net1740000",
            "mcics",
            "orgid",
            "mcics address",
            "loudoun county",
            "android",
            "generic http",
            "exe upload",
            "windows nt",
            "outbound",
            "host",
            "malware beacon",
            "cape",
            "trojan",
            "copy",
            "write",
            "malware",
            "inbound",
            "impash",
            "post na",
            "search",
            "delete",
            "related pulses",
            "top source",
            "top destination",
            "source source",
            "filehash",
            "contentlength",
            "activity",
            "dns lookup",
            "flooder",
            "et",
            "aaaa",
            "nxdomain",
            "domain",
            "ipv4",
            "url analysis",
            "files",
            "malicious",
            "network",
            "historical ssl",
            "epsilon stealer",
            "traces aided",
            "dns intel",
            "remote job",
            "keeper",
            "snatch",
            "ransomware",
            "united states",
            "as8068",
            "entries",
            "mtb jan",
            "body",
            "x msedge",
            "scan endpoints",
            "trojandropper",
            "slf features",
            "file samples",
            "files matching",
            "date hash",
            "next",
            "win64",
            "win32",
            "copyright",
            "levelblue",
            "showing",
            "a domains",
            "as54113",
            "script domains",
            "script urls",
            "script script",
            "date",
            "meta",
            "window",
            "cookie",
            "trojan features",
            "worm",
            "show",
            "alf features",
            "hca",
            "target tsara brashears",
            "hostname",
            "expiration",
            "no expiration",
            "hca health",
            "eva120",
            "jody huffines",
            "jody alaska",
            "stephen r 'middleton'",
            "phone clone",
            "adversary in the middle",
            "known threat",
            "android attack",
            "web attack",
            "network",
            "dns",
            "florence co",
            "ddos",
            "google",
            "ip address",
            "ip range",
            "whois",
            "spam stats",
            "as6167 network",
            "cleantalk ip",
            "email abuse",
            "reports",
            "misc attack",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "suricata",
            "et intelligence",
            "known malicious ip",
            "spoof",
            "twitter",
            "x",
            "hackers"
          ],
          "references": [
            "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks  174.215.26.0",
            "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
            "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
            "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
            "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
            "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
            "Yara Detections: SUSP_Imphash_Mar23_2",
            "Alerts: cape_detected_threat",
            "http://www.govexec.com/dailyfed/0906/091806ol.htm",
            "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
            "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
            "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
            "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
            "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
            "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
            "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
            "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
            "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
            "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
            "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
            "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Vflooder.A",
              "display_name": "Trojan:Win32/Vflooder.A",
              "target": "/malware/Trojan:Win32/Vflooder.A"
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Flooder",
              "display_name": "Flooder",
              "target": null
            },
            {
              "id": "Trojan.Upatre/Waski",
              "display_name": "Trojan.Upatre/Waski",
              "target": null
            },
            {
              "id": "SLF:Win64/CobPipe",
              "display_name": "SLF:Win64/CobPipe",
              "target": "/malware/SLF:Win64/CobPipe"
            },
            {
              "id": "TrojanDropper:Win32/Muldrop.V!MTB",
              "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
              "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
            },
            {
              "id": "Worm:Win32/AutoRun",
              "display_name": "Worm:Win32/AutoRun",
              "target": "/malware/Worm:Win32/AutoRun"
            },
            {
              "id": "ALF:Program:Win32/Webcompanion",
              "display_name": "ALF:Program:Win32/Webcompanion",
              "target": null
            },
            {
              "id": "Trojan:Win32/Antavmu",
              "display_name": "Trojan:Win32/Antavmu",
              "target": "/malware/Trojan:Win32/Antavmu"
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1212",
              "name": "Exploitation for Credential Access",
              "display_name": "T1212 - Exploitation for Credential Access"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1122",
              "name": "Component Object Model Hijacking",
              "display_name": "T1122 - Component Object Model Hijacking"
            },
            {
              "id": "T1198",
              "name": "SIP and Trust Provider Hijacking",
              "display_name": "T1198 - SIP and Trust Provider Hijacking"
            },
            {
              "id": "T1460",
              "name": "Biometric Spoofing",
              "display_name": "T1460 - Biometric Spoofing"
            },
            {
              "id": "T1502",
              "name": "Parent PID Spoofing",
              "display_name": "T1502 - Parent PID Spoofing"
            },
            {
              "id": "T1205.001",
              "name": "Port Knocking",
              "display_name": "T1205.001 - Port Knocking"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Healthcare",
            "Government",
            "Civilian Society"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 51,
            "CIDR": 11,
            "URL": 280,
            "hostname": 426,
            "FileHash-SHA256": 4334,
            "domain": 180,
            "FileHash-MD5": 2244,
            "FileHash-SHA1": 2244,
            "CVE": 1
          },
          "indicator_count": 9771,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 226,
          "modified_text": "577 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66cb6092ed7d61b3a370d6cd",
          "name": "Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPER | BGP Hurricane Electric ",
          "description": "",
          "modified": "2024-09-12T00:41:55.890000",
          "created": "2024-08-25T16:49:22.975000",
          "tags": [
            "swipp9-arin",
            "swipper",
            "swipp",
            "verizon",
            "cellcopart",
            "swipper",
            "ongoing",
            "get e sim",
            "as16276",
            "france unknown",
            "unknown",
            "as6167",
            "org verizon",
            "passive dns",
            "all scoreblue",
            "as8075",
            "cellco",
            "javascript",
            "help center",
            "please",
            "service privacy",
            "policy cookie",
            "policy imprint",
            "ads info",
            "cms",
            "express",
            "tsa b",
            "self",
            "server",
            "get esim",
            "wirelessdatanetwork",
            "netrange",
            "nethandle",
            "net174",
            "net1740000",
            "mcics",
            "orgid",
            "mcics address",
            "loudoun county",
            "android",
            "generic http",
            "exe upload",
            "windows nt",
            "outbound",
            "host",
            "malware beacon",
            "cape",
            "trojan",
            "copy",
            "write",
            "malware",
            "inbound",
            "impash",
            "post na",
            "search",
            "delete",
            "related pulses",
            "top source",
            "top destination",
            "source source",
            "filehash",
            "contentlength",
            "activity",
            "dns lookup",
            "flooder",
            "et",
            "aaaa",
            "nxdomain",
            "domain",
            "ipv4",
            "url analysis",
            "files",
            "malicious",
            "network",
            "historical ssl",
            "epsilon stealer",
            "traces aided",
            "dns intel",
            "remote job",
            "keeper",
            "snatch",
            "ransomware",
            "united states",
            "as8068",
            "entries",
            "mtb jan",
            "body",
            "x msedge",
            "scan endpoints",
            "trojandropper",
            "slf features",
            "file samples",
            "files matching",
            "date hash",
            "next",
            "win64",
            "win32",
            "copyright",
            "levelblue",
            "showing",
            "a domains",
            "as54113",
            "script domains",
            "script urls",
            "script script",
            "date",
            "meta",
            "window",
            "cookie",
            "trojan features",
            "worm",
            "show",
            "alf features",
            "hca",
            "target tsara brashears",
            "hostname",
            "expiration",
            "no expiration",
            "hca health",
            "eva120",
            "jody huffines",
            "jody alaska",
            "stephen r 'middleton'",
            "phone clone",
            "adversary in the middle",
            "known threat",
            "android attack",
            "web attack",
            "network",
            "dns",
            "florence co",
            "ddos",
            "google",
            "ip address",
            "ip range",
            "whois",
            "spam stats",
            "as6167 network",
            "cleantalk ip",
            "email abuse",
            "reports",
            "misc attack",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "suricata",
            "et intelligence",
            "known malicious ip",
            "spoof",
            "twitter",
            "x",
            "hackers"
          ],
          "references": [
            "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudoun County, Va | Ongoing attacks  174.215.26.0",
            "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
            "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
            "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
            "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
            "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
            "Yara Detections: SUSP_Imphash_Mar23_2",
            "Alerts: cape_detected_threat",
            "http://www.govexec.com/dailyfed/0906/091806ol.htm",
            "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
            "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
            "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
            "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
            "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
            "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
            "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
            "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
            "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
            "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
            "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
            "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Vflooder.A",
              "display_name": "Trojan:Win32/Vflooder.A",
              "target": "/malware/Trojan:Win32/Vflooder.A"
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Flooder",
              "display_name": "Flooder",
              "target": null
            },
            {
              "id": "Trojan.Upatre/Waski",
              "display_name": "Trojan.Upatre/Waski",
              "target": null
            },
            {
              "id": "SLF:Win64/CobPipe",
              "display_name": "SLF:Win64/CobPipe",
              "target": "/malware/SLF:Win64/CobPipe"
            },
            {
              "id": "TrojanDropper:Win32/Muldrop.V!MTB",
              "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
              "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
            },
            {
              "id": "Worm:Win32/AutoRun",
              "display_name": "Worm:Win32/AutoRun",
              "target": "/malware/Worm:Win32/AutoRun"
            },
            {
              "id": "ALF:Program:Win32/Webcompanion",
              "display_name": "ALF:Program:Win32/Webcompanion",
              "target": null
            },
            {
              "id": "Trojan:Win32/Antavmu",
              "display_name": "Trojan:Win32/Antavmu",
              "target": "/malware/Trojan:Win32/Antavmu"
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1212",
              "name": "Exploitation for Credential Access",
              "display_name": "T1212 - Exploitation for Credential Access"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1122",
              "name": "Component Object Model Hijacking",
              "display_name": "T1122 - Component Object Model Hijacking"
            },
            {
              "id": "T1198",
              "name": "SIP and Trust Provider Hijacking",
              "display_name": "T1198 - SIP and Trust Provider Hijacking"
            },
            {
              "id": "T1460",
              "name": "Biometric Spoofing",
              "display_name": "T1460 - Biometric Spoofing"
            },
            {
              "id": "T1502",
              "name": "Parent PID Spoofing",
              "display_name": "T1502 - Parent PID Spoofing"
            },
            {
              "id": "T1205.001",
              "name": "Port Knocking",
              "display_name": "T1205.001 - Port Knocking"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Healthcare",
            "Government",
            "Civilian Society"
          ],
          "TLP": "white",
          "cloned_from": "66ba9198fd69c93fabece38d",
          "export_count": 31,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 24,
            "CIDR": 8,
            "URL": 190,
            "hostname": 370,
            "FileHash-SHA256": 4319,
            "domain": 176,
            "FileHash-MD5": 2244,
            "FileHash-SHA1": 2244,
            "CVE": 1
          },
          "indicator_count": 9576,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "584 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d496e04d8fa0cc8d528941",
          "name": "Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPER | BGP Hurricane Electric ",
          "description": "",
          "modified": "2024-09-12T00:25:51.199000",
          "created": "2024-09-01T16:31:28.909000",
          "tags": [
            "swipp9-arin",
            "swipper",
            "swipp",
            "verizon",
            "cellcopart",
            "swipper",
            "ongoing",
            "get e sim",
            "as16276",
            "france unknown",
            "unknown",
            "as6167",
            "org verizon",
            "passive dns",
            "all scoreblue",
            "as8075",
            "cellco",
            "javascript",
            "help center",
            "please",
            "service privacy",
            "policy cookie",
            "policy imprint",
            "ads info",
            "cms",
            "express",
            "tsa b",
            "self",
            "server",
            "get esim",
            "wirelessdatanetwork",
            "netrange",
            "nethandle",
            "net174",
            "net1740000",
            "mcics",
            "orgid",
            "mcics address",
            "loudoun county",
            "android",
            "generic http",
            "exe upload",
            "windows nt",
            "outbound",
            "host",
            "malware beacon",
            "cape",
            "trojan",
            "copy",
            "write",
            "malware",
            "inbound",
            "impash",
            "post na",
            "search",
            "delete",
            "related pulses",
            "top source",
            "top destination",
            "source source",
            "filehash",
            "contentlength",
            "activity",
            "dns lookup",
            "flooder",
            "et",
            "aaaa",
            "nxdomain",
            "domain",
            "ipv4",
            "url analysis",
            "files",
            "malicious",
            "network",
            "historical ssl",
            "epsilon stealer",
            "traces aided",
            "dns intel",
            "remote job",
            "keeper",
            "snatch",
            "ransomware",
            "united states",
            "as8068",
            "entries",
            "mtb jan",
            "body",
            "x msedge",
            "scan endpoints",
            "trojandropper",
            "slf features",
            "file samples",
            "files matching",
            "date hash",
            "next",
            "win64",
            "win32",
            "copyright",
            "levelblue",
            "showing",
            "a domains",
            "as54113",
            "script domains",
            "script urls",
            "script script",
            "date",
            "meta",
            "window",
            "cookie",
            "trojan features",
            "worm",
            "show",
            "alf features",
            "hca",
            "target tsara brashears",
            "hostname",
            "expiration",
            "no expiration",
            "hca health",
            "eva120",
            "jody huffines",
            "jody alaska",
            "stephen r 'middleton'",
            "phone clone",
            "adversary in the middle",
            "known threat",
            "android attack",
            "web attack",
            "network",
            "dns",
            "florence co",
            "ddos",
            "google",
            "ip address",
            "ip range",
            "whois",
            "spam stats",
            "as6167 network",
            "cleantalk ip",
            "email abuse",
            "reports",
            "misc attack",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "suricata",
            "et intelligence",
            "known malicious ip",
            "spoof",
            "twitter",
            "x",
            "hackers"
          ],
          "references": [
            "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudoun County, Va | Ongoing attacks  174.215.26.0",
            "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
            "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
            "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
            "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
            "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
            "Yara Detections: SUSP_Imphash_Mar23_2",
            "Alerts: cape_detected_threat",
            "http://www.govexec.com/dailyfed/0906/091806ol.htm",
            "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
            "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
            "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
            "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
            "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
            "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
            "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
            "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
            "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
            "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
            "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
            "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Vflooder.A",
              "display_name": "Trojan:Win32/Vflooder.A",
              "target": "/malware/Trojan:Win32/Vflooder.A"
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Flooder",
              "display_name": "Flooder",
              "target": null
            },
            {
              "id": "Trojan.Upatre/Waski",
              "display_name": "Trojan.Upatre/Waski",
              "target": null
            },
            {
              "id": "SLF:Win64/CobPipe",
              "display_name": "SLF:Win64/CobPipe",
              "target": "/malware/SLF:Win64/CobPipe"
            },
            {
              "id": "TrojanDropper:Win32/Muldrop.V!MTB",
              "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
              "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
            },
            {
              "id": "Worm:Win32/AutoRun",
              "display_name": "Worm:Win32/AutoRun",
              "target": "/malware/Worm:Win32/AutoRun"
            },
            {
              "id": "ALF:Program:Win32/Webcompanion",
              "display_name": "ALF:Program:Win32/Webcompanion",
              "target": null
            },
            {
              "id": "Trojan:Win32/Antavmu",
              "display_name": "Trojan:Win32/Antavmu",
              "target": "/malware/Trojan:Win32/Antavmu"
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1212",
              "name": "Exploitation for Credential Access",
              "display_name": "T1212 - Exploitation for Credential Access"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1122",
              "name": "Component Object Model Hijacking",
              "display_name": "T1122 - Component Object Model Hijacking"
            },
            {
              "id": "T1198",
              "name": "SIP and Trust Provider Hijacking",
              "display_name": "T1198 - SIP and Trust Provider Hijacking"
            },
            {
              "id": "T1460",
              "name": "Biometric Spoofing",
              "display_name": "T1460 - Biometric Spoofing"
            },
            {
              "id": "T1502",
              "name": "Parent PID Spoofing",
              "display_name": "T1502 - Parent PID Spoofing"
            },
            {
              "id": "T1205.001",
              "name": "Port Knocking",
              "display_name": "T1205.001 - Port Knocking"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Healthcare",
            "Government",
            "Civilian Society"
          ],
          "TLP": "white",
          "cloned_from": "66cb6092ed7d61b3a370d6cd",
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 33,
            "CIDR": 9,
            "URL": 221,
            "hostname": 390,
            "FileHash-SHA256": 4343,
            "domain": 177,
            "FileHash-MD5": 2244,
            "FileHash-SHA1": 2244,
            "CVE": 1
          },
          "indicator_count": 9662,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 226,
          "modified_text": "584 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "664bd9b732ecaf1b3c3beddf",
          "name": "Found some problems - Files from the UAlberta Google Drive Archive",
          "description": "Been looking for these... Gifts from the University of Alberta to the world, apparently.\n*Please note: I emptied out the Drive; however, there was a significant amount of abuse re: Google and Microsoft accounts at the University of Alberta (reported).\n*On the Google side I used: Drive (a little), Docs/Slides/Sheets (when group work was required).\n*On the Microsoft side I used: OneDrive, Office 365 (Word, PPT, Excel, and OneNote). I also used to have a personal Microsoft account (OneNote, OneDrive, Skype).\nThese were the applications I lived on for my studies. I could access the Gmail/Microsoft accounts for the University (however, 'bad things' usually happen because of this). I have no access to my personal Microsoft account (i.e. myself and other affected student(s) do not have access to our personal files).",
          "modified": "2024-09-03T00:02:13.980000",
          "created": "2024-05-20T23:16:07.255000",
          "tags": [
            "contact",
            "quick",
            "destination",
            "entry",
            "safety",
            "local",
            "health",
            "travel",
            "notification",
            "considerations",
            "service",
            "criminal",
            "showit",
            "click",
            "outcome",
            "step",
            "please",
            "class",
            "questions set",
            "question set",
            "unlock",
            "continue",
            "jointfilingyes",
            "jointfilingno",
            "minimum req",
            "domicileresusno",
            "joint sponsor",
            "sponsorjoint",
            "path",
            "href",
            "span",
            "activetab",
            "starton",
            "newpage",
            "searchq",
            "datasia",
            "datacon",
            "segfilter",
            "subsite",
            "issuance agency",
            "visas",
            "null",
            "state",
            "dialog field",
            "tabpanel",
            "recaptcha",
            "nameinputvisa",
            "fullnameinput1",
            "license headers",
            "tools",
            "templates",
            "sia contact",
            "visa",
            "website",
            "phoneregexp",
            "emailregexp",
            "azaz",
            "urlpattern",
            "example starter",
            "javascript",
            "fetch",
            "comptwo",
            "compone",
            "dateofbirth",
            "function",
            "date",
            "passport",
            "nameinput",
            "fullnameinput",
            "adult passport",
            "child passport",
            "new child",
            "new adult",
            "new passport",
            "datepicker",
            "ds5504",
            "hideit",
            "infinity",
            "false",
            "jquery",
            "error",
            "body",
            "trident",
            "simple",
            "turn",
            "back",
            "calendar",
            "format",
            "february",
            "april",
            "june",
            "august",
            "show",
            "page has",
            "bcdate",
            "col1child",
            "col2child",
            "coldatechild",
            "rowdisplay",
            "val1",
            "val2",
            "repaginate",
            "grab",
            "jandec",
            "86400000",
            "current",
            "namerbcontactme",
            "agency",
            "compliment",
            "complaint",
            "passportfees",
            "customerservice",
            "bymail",
            "namerbcategory",
            "brokenlink",
            "search",
            "departuredate",
            "calendar date",
            "picker",
            "change",
            "month",
            "vital",
            "records form",
            "component js",
            "select",
            "please enter",
            "azaz09",
            "dddddd",
            "woff2",
            "woff",
            "truetype",
            "css document",
            "efefef",
            "ffffff",
            "gradienttype0",
            "galaxy",
            "nexus",
            "iphone5",
            "abtn",
            "bbtn",
            "cbtn",
            "dbtn",
            "ebtn",
            "fbtn",
            "gbtn",
            "hbtn",
            "ibtn",
            "media query",
            "from",
            "fce68e",
            "font family",
            "bold",
            "document",
            "cc3333",
            "b7b7b7",
            "e2edff",
            "ced9ea",
            "pm author",
            "ipca csi",
            "helvetica",
            "arial",
            "cq aem",
            "feed classes",
            "f2cd54",
            "f4d97e",
            "portrait",
            "landscape",
            "ipad",
            "declare",
            "immigrant",
            "visa navigation",
            "navigation css",
            "georgia",
            "times new",
            "roman",
            "times",
            "verdana",
            "photomodal",
            "styles media",
            "ff0000",
            "queries",
            "form component",
            "typetext",
            "queries media",
            "phone media",
            "tablet styles",
            "media queries",
            "jumbo sized",
            "copyright",
            "gpl version",
            "http",
            "alpha",
            "button",
            "out width",
            "ui css",
            "framework",
            "icons",
            "misc",
            "mini",
            "input",
            "label",
            "textarea",
            "overlays",
            "csi page",
            "embassy info",
            "embassy data",
            "embassy names",
            "end adjust",
            "embassy nameso",
            "pages",
            "e1a04d",
            "c0c0c0",
            "ffffff url",
            "us survey",
            "component css",
            "country list",
            "e7eceb",
            "important",
            "additional css",
            "wizard",
            "corner radius",
            "f97800",
            "c61700",
            "largestbox",
            "thisbox",
            "csi navigation",
            "ui autocomplete",
            "ui menu",
            "noticeid",
            "countnote",
            "largestnote",
            "thisnote",
            "desktops",
            "43px",
            "42px",
            "large",
            "aem interface",
            "styles",
            "web email",
            "ytconfig",
            "typeerror",
            "facebook pixel",
            "pixel code",
            "symbol",
            "fblog",
            "typeof",
            "iterator",
            "pageview",
            "pixel",
            "facebook",
            "config",
            "meta",
            "propname",
            "dpjquerydpuuid",
            "this",
            "next",
            "atom",
            "cookie",
            "iframe",
            "close",
            "string",
            "number",
            "edge",
            "regexp",
            "silk",
            "sxa0",
            "object",
            "opera",
            "android",
            "void",
            "form",
            "UAlberta",
            "Android",
            "Mac",
            "iPhone",
            "Gov Alberta",
            "AWS",
            "AZURE",
            "ENTRA",
            "iCloud",
            "Telus",
            "Bitdefender",
            "Norton"
          ],
          "references": [
            "Copy of clientlib.js(1).download",
            "Copy of clientlib.js(2).download",
            "Copy of clientlib.js(5).download",
            "Copy of clientlib.js(7).download",
            "Copy of clientlib.js(4).download",
            "Copy of clientlib.js(10).download",
            "Copy of clientlib.js(8).download",
            "Copy of clientlib.js(11).download",
            "Copy of clientlib.js(12).download",
            "Copy of clientlib.js(13).download",
            "Copy of clientlib.js(14).download",
            "Copy of clientlib.js(9).download",
            "Copy of clientlib.js(16).download",
            "Copy of clientlib.js(17).download",
            "Copy of clientlib.js(18).download",
            "Copy of clientlib.js(3).download",
            "Copy of clientlib.js(19).download",
            "Copy of clientlib.js(15).download",
            "Copy of clientlib.js(22).download",
            "Copy of clientlib.js(23).download",
            "Copy of clientlib.js(21).download",
            "Copy of clientlib.js(26).download",
            "Copy of clientlib.js(25).download",
            "Copy of clientlib.js(24).download",
            "Copy of clientlib.js(31).download",
            "Copy of clientlib.js(28).download",
            "Copy of clientlib.js(30).download",
            "Copy of clientlib.js(32).download",
            "Copy of clientlib.js(29).download",
            "Copy of clientlib.js(34).download",
            "Copy of clientlib.js(35).download",
            "Copy of clientlib.js(37).download",
            "Copy of clientlib.js(36).download",
            "Copy of clientlib.js(38).download",
            "Copy of clientlib.js(39).download",
            "Copy of clientlib.js(33).download",
            "Copy of clientlib.js(44).download",
            "Copy of clientlib.js(43).download",
            "Copy of clientlib.js(41).download",
            "Copy of clientlib.js(42).download",
            "Copy of clientlib.js(45).download",
            "Copy of clientlib.js(51).download",
            "Copy of clientlib.js(56).download",
            "Copy of clientlib.js(55).download",
            "Copy of clientlib.js(54).download",
            "Copy of clientlib.js(57).download",
            "Copy of clientlib.js(52).download",
            "Copy of clientlib.js(53).download",
            "Copy of clientlib.js(60).download",
            "Copy of clientlib(1).css",
            "Copy of clientlib.js(59).download",
            "Copy of clientlib(3).css",
            "Copy of clientlib(2).css",
            "Copy of clientlib(5).css",
            "Copy of clientlib.js(58).download",
            "Copy of clientlib(8).css",
            "Copy of clientlib(10).css",
            "Copy of clientlib(7).css",
            "Copy of clientlib(6).css",
            "Copy of clientlib(12).css",
            "Copy of clientlib(13).css",
            "Copy of clientlib(9).css",
            "Copy of clientlib(4).css",
            "Copy of clientlib(14).css",
            "Copy of clientlib(17).css",
            "Copy of clientlib(15).css",
            "Copy of clientlib(19).css",
            "Copy of clientlib(18).css",
            "Copy of clientlib(11).css",
            "Copy of clientlib(20).css",
            "Copy of clientlib(16).css",
            "Copy of clientlib(23).css",
            "Copy of clientlib(24).css",
            "Copy of clientlib(26).css",
            "Copy of clientlib(25).css",
            "Copy of clientlib(28).css",
            "Copy of clientlib(22).css",
            "Copy of clientlib(27).css",
            "Copy of clientlib(31).css",
            "Copy of clientlib(29).css",
            "Copy of clientlib(30).css",
            "Copy of clientlib(32).css",
            "Copy of clientlib(34).css",
            "Copy of clientlib(35).css",
            "Copy of clientlib(33).css",
            "Copy of clientlib(38).css",
            "Copy of clientlib(37).css",
            "Copy of clientlib(36).css",
            "Copy of clientlib(40).css",
            "Copy of clientlib(39).css",
            "Copy of clientlib(43).css",
            "Copy of clientlib(21).css",
            "Copy of clientlib(41).css",
            "Copy of clientlib(44).css",
            "Copy of clientlib(42).css",
            "Copy of clientlib(46).css",
            "Copy of clientlib(45).css",
            "Copy of clientlib(47).css",
            "Copy of clientlib(48).css",
            "Copy of clientlib(49).css",
            "Copy of clientlib(50).css",
            "Copy of clientlib(52).css",
            "Copy of clientlib(54).css",
            "Copy of clientlibs.js(3).download",
            "Copy of clientlib(53).css",
            "Copy of clientlibs.js(2).download",
            "Copy of clientlibs(3).css",
            "Copy of clientlib(51).css",
            "Copy of clientlibs(1).css",
            "Copy of clientlibs(2).css",
            "Copy of clientlibs.js.download",
            "Copy of clientlibs.js(4).download",
            "Copy of clientlibs(5).css",
            "Copy of clientlibs.css",
            "Copy of clientlibs(4).css",
            "Copy of dir (1).c9r",
            "Copy of clientlib(55).css",
            "Copy of iframe_api",
            "Copy of fbevents.js.download",
            "Copy of clientlibs.js(1).download",
            "Copy of js",
            "https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/iocs",
            "https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/graph",
            "hxxps://go[.]microsoft[.]com/fwlink/?LinkId=2033498",
            "hxxps://portal[.]office[.]com/Account",
            "hxxps://myapplications[.]microsoft[.]com/",
            "https://tria.ge/240521-rvybaahb79",
            "https://tria.ge/240521-rxpf6ahd6w",
            "https://tria.ge/240521-r1yh8shd44",
            "https://tria.ge/240521-ry949ahe2z/behavioral1",
            "https://tria.ge/240521-r3mvhshd83"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Mexico",
            "Anguilla",
            "Aruba",
            "Panama",
            "Ukraine",
            "Trinidad and Tobago",
            "Saint Vincent and the Grenadines",
            "Saint Martin (French part)",
            "Sint Maarten (Dutch part)",
            "Philippines",
            "Netherlands",
            "Cura\u00e7ao",
            "Georgia",
            "Tanzania, United Republic of",
            "Costa Rica",
            "Guatemala",
            "Japan",
            "Barbados"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            }
          ],
          "industries": [
            "Education",
            "Technology",
            "Government",
            "Healthcare",
            "Biotechnology",
            "Telecommunications",
            "Energy",
            "Construction",
            "Chemical",
            "Agriculture",
            "Finance",
            "Media",
            "Defense",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 251,
            "hostname": 188,
            "FileHash-SHA256": 142,
            "URL": 69,
            "FileHash-MD5": 77,
            "FileHash-SHA1": 77
          },
          "indicator_count": 804,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 133,
          "modified_text": "593 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "666271a86acba18eb98ce7f3",
          "name": "Unix.Trojan.Mirai-6981158-0 | Win32/1ms0rry CoinMiner Botnet affects android user",
          "description": "Found an IP address in block: http://100.116.0.0/?\nFound on an Android device user. Target is being tracked. Uses .ru but tracks back to US based on other studies. Command 'redirect blame' found in association. Active, moved.",
          "modified": "2024-07-07T01:06:11.854000",
          "created": "2024-06-07T02:34:16.108000",
          "tags": [
            "sha256",
            "sha1",
            "ascii text",
            "pattern match",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "misc attack",
            "null",
            "hybrid",
            "refresh",
            "body",
            "span",
            "june",
            "general",
            "local",
            "click",
            "strings",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "contact",
            "win32 exe",
            "win32 dll",
            "wextract",
            "type name",
            "pink ribbon",
            "passive dns",
            "urls",
            "scan endpoints",
            "all scoreblue",
            "pulse pulses",
            "files",
            "domain",
            "files ip",
            "address domain",
            "ip related",
            "referrer",
            "doublepulsar",
            "historical ssl",
            "darkpulsar",
            "ru sketchup",
            "flawedammyy",
            "date",
            "hostname",
            "pulse submit",
            "url analysis",
            "verdict",
            "next",
            "a nxdomain",
            "ip address",
            "url http",
            "http",
            "related nids",
            "files location",
            "as9123 timeweb",
            "russia unknown",
            "ipv4",
            "reverse dns",
            "russia",
            "united kingdom",
            "aaaa",
            "as198947 jsc",
            "as29470 jsc",
            "moved",
            "search",
            "nxdomain",
            "files domain",
            "files related",
            "unknown",
            "as63949 linode",
            "germany unknown",
            "main",
            "as59552 vhg",
            "title",
            "div div",
            "gmt content",
            "accept",
            "chegg",
            "regis",
            "special use IP",
            "tracking",
            "locate",
            "pe resource",
            "no data",
            "tag count",
            "analyzer threat",
            "url summary",
            "summary",
            "sample",
            "samples",
            "detection list",
            "count blacklist",
            "xiaav",
            "windowsxp",
            "script domains",
            "script urls",
            "body doctype",
            "ok server",
            "encrypt",
            "cookie",
            "p div",
            "script script",
            "div section",
            "as21342",
            "js core",
            "a domains",
            "link",
            "as43561",
            "location sofia",
            "telnet",
            "belemet.id",
            "100.116.0.0/?",
            "a li",
            "p td",
            "td tr",
            "a br",
            "meta",
            "as24940 hetzner",
            "grab",
            "this",
            "entries",
            "trojan",
            "ransom",
            "msil",
            "site",
            "cisco umbrella",
            "alexa top",
            "million",
            "alexa",
            "malicious site",
            "malicious url",
            "hostnames",
            "blacklist",
            "trickbot",
            "usa",
            "showing",
            "creation date",
            "record value",
            "dnssec",
            "memcommit",
            "win321ms0rry",
            "coinminer",
            "etpro trojan",
            "botnet cnc",
            "checkin",
            "activity",
            "medium",
            "t1055",
            "lowfi",
            "malware",
            "copy"
          ],
          "references": [
            "IP Block: 100.116.0.0/ Details: https://www.virustotal.com/gui/ip-address/100.116.0.0/details",
            "bElement.id",
            "Unix.Mirai IP: https://otx.alienvault.com/indicator/ip/93.170.6.43",
            "https://otx.alienvault.com/indicator/file/a108ff340f5256cc17c1e8345aacc3cf6c91987a1884957ea75df6d23281480b",
            "Yara Detections: is__elf",
            "IDS Detections: TELNET login failed root login Bad Login Generic Ping Keep-Alive Inbound M3",
            "Alerts: network_icmp suricata_alert network_multiple_direct_ip_connections Medium Priority Related Pulses OTX User-Created Pulses (2) Related Tags 10 Related Tags manipulation ,  discovery ,  dhta3eru4egasjn ,  abuse elevation ,  setgid More File Type ELF - ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped Size 55 KB (56653 bytes) MD5",
            "IDS Detections MSIL/CoinMiner.ACM CnC Activity Win32/1ms0rry CoinMiner Botnet CnC Checkin",
            "b0t.fun: https://otx.alienvault.com/indicator/domain/b0t.fun",
            "IDS Detections: Win32/1ms0rry CoinMiner Botnet CnC Checkin MSIL/CoinMiner.ACM CnC Activity High Priority",
            "Alerts: nids_malware_alert injection_runpe network_icmp allocates_execute_remote_process antivm_queries_computername",
            "Alerts: persistence_autorun injection_ntsetcontextthread injection_resumethread dumped_buffer network_http raises_exception",
            "Alerts: antivm_network_adapters privilege_luid_check suspicious_tld allocates_rwx moves_self checks_debugger antivm_memory_available",
            "https://www.virustotal.com/gui/ip-address/100.116.0.0/summary"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Netherlands",
            "Germany",
            "Russian Federation"
          ],
          "malware_families": [
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Dark Pulsar",
              "display_name": "Dark Pulsar",
              "target": null
            },
            {
              "id": "Unix.Trojan.Mirai-6981158-0",
              "display_name": "Unix.Trojan.Mirai-6981158-0",
              "target": null
            },
            {
              "id": "TrickBot",
              "display_name": "TrickBot",
              "target": null
            },
            {
              "id": "Packer.Native",
              "display_name": "Packer.Native",
              "target": null
            },
            {
              "id": "Win.Packed.Lynx",
              "display_name": "Win.Packed.Lynx",
              "target": null
            },
            {
              "id": "Sodinokibi.AB",
              "display_name": "Sodinokibi.AB",
              "target": null
            },
            {
              "id": "CoinMiner.ACM",
              "display_name": "CoinMiner.ACM",
              "target": null
            },
            {
              "id": "CoinMiner.WE",
              "display_name": "CoinMiner.WE",
              "target": null
            },
            {
              "id": "CoinMiner.WM",
              "display_name": "CoinMiner.WM",
              "target": null
            },
            {
              "id": "Win32/1ms0rry",
              "display_name": "Win32/1ms0rry",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1098",
              "name": "Account Manipulation",
              "display_name": "T1098 - Account Manipulation"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1195,
            "FileHash-SHA1": 745,
            "FileHash-SHA256": 1212,
            "URL": 2436,
            "domain": 1264,
            "hostname": 1148,
            "email": 1
          },
          "indicator_count": 8001,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 226,
          "modified_text": "651 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6639853fc403f7be5bd6f27d",
          "name": "Facebook+",
          "description": "",
          "modified": "2024-05-07T01:34:55.365000",
          "created": "2024-05-07T01:34:55.365000",
          "tags": [],
          "references": [
            "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs",
            "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs",
            "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark",
            "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark",
            "",
            "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "65eea19a23474b8c7dca351f",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Phone2209",
            "id": "281168",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1165,
            "hostname": 866,
            "URL": 657,
            "FileHash-SHA256": 26,
            "email": 337,
            "FileHash-MD5": 12,
            "FileHash-SHA1": 8,
            "CIDR": 1
          },
          "indicator_count": 3072,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1,
          "modified_text": "712 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65708c27074200c710e3b35c",
          "name": "Malware hosting - metronetinc.com",
          "description": "",
          "modified": "2023-12-06T14:58:47.235000",
          "created": "2023-12-06T14:58:47.235000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 447,
            "hostname": 1241,
            "domain": 536,
            "URL": 3731
          },
          "indicator_count": 5955,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "865 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "628437db120de2ab2ecb49fe",
          "name": "The \u201cconti leak page\u201d - likely conti",
          "description": "Conti leak page https://share.vx-underground.org/Conti/ is likely conti",
          "modified": "2022-06-16T00:01:26.112000",
          "created": "2022-05-18T00:03:39.947000",
          "tags": [
            "woff2",
            "woff",
            "truetype",
            "gelionbold",
            "gelionsemibold",
            "gelionmedium",
            "gelionregular",
            "gelionlight",
            "gelionthin",
            "xe",
            "object",
            "error",
            "element",
            "typeof t",
            "browser",
            "ofunction",
            "typeof e",
            "typeof r",
            "tthis",
            "applepay",
            "date",
            "null",
            "accept",
            "license",
            "or conditions",
            "post",
            "array",
            "copyright",
            "apache license",
            "version",
            "this code",
            "is provided",
            "on an",
            "symbol",
            "typeerror",
            "iterator",
            "string",
            "facebook pixel",
            "pixel code",
            "facebook",
            "service",
            "phonenumber",
            "regexp",
            "function",
            "shadowsizzle",
            "domdata",
            "hexchars",
            "promise",
            "typeof n",
            "agent",
            "launcher",
            "this",
            "android",
            "class",
            "fail",
            "shift",
            "bind",
            "trident",
            "getclass",
            "body",
            "widget",
            "edge",
            "dataname",
            "intercom",
            "typeof symbol",
            "apple",
            "webkiti",
            "criosi",
            "javascript"
          ],
          "references": [
            "xfe-URL-share.vx-underground.org_Conti-stix2-2.1-export.json",
            "https://app.uizard.io/p/c69fa2aa",
            "https://widget.intercom.io/widget/e1nqrt2k",
            "https://cdn.eu.pendo.io/agent/static/82b060a2-2cf8-472e-55d4-bd0833416335/pendo.js",
            "https://connect.facebook.net/signals/plugins/identity.js?v=2.9.60",
            "xfe-URL-vx-underground.org_Conti_-stix2-2.1-export.json",
            "xfe-URL-uizard.io-stix2-2.1-export.json",
            "https://public.profitwell.com/js/profitwell.js?auth=80939adc88898a29e714f6dd3d25e8ba",
            "https://js.stripe.com/v3",
            "https://app.uizard.io/fonts.css?cache=2022-04-29-12-55-57",
            "xfe-URL-Js.stripe.net-stix2-2.1-export.json"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Xe",
              "display_name": "Xe",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "adjadex1@gmail.com",
            "id": "187163",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 707,
            "URL": 3480,
            "FileHash-SHA256": 438,
            "domain": 458,
            "email": 2,
            "FileHash-MD5": 49
          },
          "indicator_count": 5134,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 70,
          "modified_text": "1403 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "625f93fe2c0237a71e262354",
          "name": "Malware hosting - metronetinc.com",
          "description": "If(65535) by the end of the year, if (65534) a.sigBytes is a single word, then if, as expected, b.com(d)",
          "modified": "2022-05-20T00:01:19.453000",
          "created": "2022-04-20T05:02:54.354000",
          "tags": [
            "ebattid",
            "click",
            "getclicktarget",
            "date",
            "contexttrack",
            "view",
            "installtrigger",
            "processlink",
            "typeof blog",
            "msie",
            "image",
            "function",
            "asyncfunction",
            "proxy",
            "typeof t",
            "symbol",
            "typeof n",
            "typeerror",
            "typeof window",
            "array",
            "foundation",
            "mit license",
            "http",
            "typeof define",
            "ui disable",
            "selection",
            "ui focusable",
            "this",
            "typeof module",
            "handles",
            "notice block",
            "dataid",
            "block",
            "desc",
            "ofyncl",
            "sorry",
            "cloc",
            "null",
            "object",
            "makes",
            "close",
            "code",
            "find",
            "typeof e",
            "nullt",
            "bottom",
            "left",
            "html",
            "right",
            "width",
            "next",
            "february",
            "april",
            "june",
            "august",
            "back",
            "bounce",
            "atom",
            "cookie",
            "must",
            "number",
            "livevalidation",
            "copyright",
            "alec hill",
            "modified",
            "oracle",
            "format",
            "email",
            "error",
            "closure library",
            "zindex1",
            "msgesture",
            "mspointerdown",
            "fnumber",
            "woothemes",
            "tyler smith",
            "regexp",
            "class",
            "attr",
            "pseudo",
            "child",
            "udc66udc67",
            "ud83d",
            "ufe0f",
            "ud83e",
            "udc68udc69",
            "udfcbudfcc",
            "u2640u2642",
            "source",
            "ud83dudc6cud83c",
            "script",
            "boolean",
            "reduceright",
            "x3ex3cscriptx3e",
            "x3ex3ciframex3e",
            "string",
            "custom",
            "trackevent",
            "path",
            "derek",
            "void",
            "iterator",
            "facebook pixel",
            "pixel code",
            "facebook",
            "service",
            "phonenumber",
            "meta",
            "optin",
            "elqsitevisited",
            "qnew date",
            "rnew date",
            "dlkey",
            "dllookup",
            "httponly",
            "pfunction",
            "contenttype",
            "zfunction",
            "bfunction",
            "mvoid",
            "ofunction",
            "g3xj902fy6q",
            "r300",
            "uint8array",
            "typeof d",
            "caca",
            "array int8array",
            "caregexp",
            "legacy",
            "customevent",
            "09af",
            "ver0",
            "tag0",
            "extdata0",
            "ua ch",
            "window",
            "math",
            "redfq",
            "base64",
            "azaz09s",
            "jeff mott",
            "https",
            "kenji urushima",
            "explorer"
          ],
          "references": [
            "xfe-URL-metronetinc.com-stix2-2.1-export.json",
            "https://a2.adform.net/Serving/TrackPoint/?pm=508052&ADFPageName=Metronet%7CHomepage&ADFdivider=%7C&ord=735079476141&Set1=en-US%7Cen-US%7C390x844%7C32&ADFtpmode=2&loc=https%3A%2F%2Fwww.metronetinc.com%2F",
            "https://a2.adform.net/serving/scripts/trackpoint/async/",
            "https://www.googleadservices.com/pagead/conversion_async.js",
            "https://www.googletagmanager.com/gtag/js?id=G-3XJ902FY6Q&l=dataLayer&cx=c",
            "https://www.google-analytics.com/analytics.js",
            "https://img03.en25.com/i/elqCfg.min.js",
            "https://connect.facebook.net/signals/config/2196524664009793?v=2.9.57&r=stable",
            "https://connect.facebook.net/signals/plugins/identity.js?v=2.9.57",
            "https://www.googletagmanager.com/gtm.js?id=GTM-W3GQ4F",
            "https://static.zdassets.com/ekr/snippet.js?key=e7dd7ff5-a219-47a1-b096-069f750c234f",
            "https://www.metronetinc.com/wp-includes/js/wp-emoji-release.min.js?ver=5.8.4",
            "https://www.metronetinc.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.0",
            "https://www.metronetinc.com/wp-content/themes/MetroNet/js/jquery.flexslider-min.js?ver=5.8.4",
            "https://www.metronetinc.com/wp-content/themes/MetroNet/js/flexslider-init.js?ver=5.8.4",
            "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/982771034/?random=1650430003990&cv=9&fst=1650430003990&num=1&label=Remarketing%20-%20All%20Pages&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&eid=376635471&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=3&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0&gtm=2wg4i1&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.metronetinc.com%2F&tiba=MetroNet%20%E2%80%93%20100%25%20Fiber%20Optic%20Internet%20%E2%80%93%20100%25%20Fiber%20Optic%20Internet%2C%20Streaming%20TV%2C",
            "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/646812378/?random=1650430003991&cv=9&fst=1650430003991&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&eid=376635471&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=3&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0&gtm=2wg4i1&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.metronetinc.com%2F&tiba=MetroNet%20%E2%80%93%20100%25%20Fiber%20Optic%20Internet%20%E2%80%93%20100%25%20Fiber%20Optic%20Internet%2C%20Streaming%20TV%2C%20and%20Phone&hn=www.googleadservic",
            "https://www.googleadservices.com/pagead/conversion/646812378/?random=1650430003991&cv=9&fst=1650430003991&num=1&value=0&label=6dFBCIm13s4BENqltrQC&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&eid=376635471&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=3&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0&gtm=2wg4i1&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.metronetinc.com%2F&tiba=MetroNet%20%E2%80%93%20100%25%20Fiber%20Optic%20Internet%20%E2%80%93%20100%25%20Fiber%20Optic%20Internet%2C%20Streaming%20TV%2C%20and%20Phone&",
            "https://bat.bing.com/p/action/140000459.js",
            "https://img03.en25.com/i/livevalidation_standalone.compressed.js",
            "https://www.metronetinc.com/wp-content/plugins/lt-ajax-mn-channelguide/jquery-ui.min.js?ver=1.2",
            "https://www.metronetinc.com/wp-content/plugins/lt-ajax-mn-channelguide/lt-ajax-mn-channelguide.js?ver=1.1",
            "https://www.metronetinc.com/wp-content/plugins/atomic-blocks/dist/assets/js/dismiss.js?ver=1625889728",
            "https://www.metronetinc.com/wp-includes/js/hoverIntent.min.js?ver=1.10.1",
            "https://www.metronetinc.com/wp-includes/js/jquery/ui/core.min.js?ver=1.12.1",
            "https://www.metronetinc.com/wp-content/plugins/pixel-caffeine/build/frontend.js?ver=2.3.3",
            "https://stats.wp.com/e-202216.js",
            "https://bs.serving-sys.com/Serving/ActivityServer.bs?cn=as&ActivityID=1073779012&rnd=922949.8781851793",
            "https://secure-ds.serving-sys.com/SemiCachedScripts/ebAttribution.js",
            "https://11057407.fls.doubleclick.net/activityi;src=11057407;type=count0;cat=sitev0;ord=1;num=5426507653008;gtm=2wg4i1;auiddc=1460077727.1650429649;~oref=https%3A%2F%2Fwww.metronetinc.com%2F",
            "xfe-URL-bat.bing.com-stix2-2.1-export 2.json"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Tunisia",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "ReduceRight",
              "display_name": "ReduceRight",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "adjadex1@gmail.com",
            "id": "187163",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 447,
            "hostname": 1241,
            "URL": 3731,
            "domain": 536
          },
          "indicator_count": 5955,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "1430 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "622cae7aa4dfa680e56e5d23",
          "name": "https://www.facebook.com/tr",
          "description": "",
          "modified": "2022-03-12T14:30:18.710000",
          "created": "2022-03-12T14:30:18.710000",
          "tags": [
            "response code",
            "httponly",
            "expires",
            "gmt server",
            "gmt connection",
            "gmt contenttype",
            "http scans",
            "record value",
            "body gif89a",
            "header http2"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Kailula4",
            "id": "131997",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 20,
            "domain": 1,
            "URL": 1
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 406,
          "modified_text": "1499 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "Copy of clientlib.js(32).download",
        "https://www.metronetinc.com/wp-includes/js/wp-emoji-release.min.js?ver=5.8.4",
        "Copy of clientlib.js(51).download",
        "Copy of clientlib.js(5).download",
        "Copy of clientlib(30).css",
        "https://bgpview.io/asn/3359#whois",
        "https://www.metronetinc.com/wp-content/themes/MetroNet/js/flexslider-init.js?ver=5.8.4",
        "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs",
        "Copy of clientlib.js(59).download",
        "https://www.shodan.io/search?query=ualberta.ca",
        "Copy of clientlib.js(29).download",
        "Copy of clientlib.js(56).download",
        "https://connect.facebook.net/signals/plugins/identity.js?v=2.9.60",
        "Copy of clientlib.js(11).download",
        "https://www.google-analytics.com/analytics.js",
        "Copy of clientlib.js(19).download",
        "Copy of clientlib.js(57).download",
        "Copy of clientlibs(5).css",
        "xfe-URL-share.vx-underground.org_Conti-stix2-2.1-export.json",
        "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/646812378/?random=1650430003991&cv=9&fst=1650430003991&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&eid=376635471&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=3&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0&gtm=2wg4i1&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.metronetinc.com%2F&tiba=MetroNet%20%E2%80%93%20100%25%20Fiber%20Optic%20Internet%20%E2%80%93%20100%25%20Fiber%20Optic%20Internet%2C%20Streaming%20TV%2C%20and%20Phone&hn=www.googleadservic",
        "https://bat.bing.com/p/action/140000459.js",
        "Copy of clientlib(4).css",
        "Copy of clientlib(11).css",
        "https://viewdns.info/traceroute/?domain=ualberta.ca",
        "https://stats.wp.com/e-202216.js",
        "Copy of clientlib(10).css",
        "Copy of clientlib(38).css",
        "Copy of clientlib.js(18).download",
        "Copy of clientlib.js(12).download",
        "https://app.uizard.io/fonts.css?cache=2022-04-29-12-55-57",
        "Copy of clientlib(17).css",
        "Copy of clientlib(34).css",
        "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/982771034/?random=1650430003990&cv=9&fst=1650430003990&num=1&label=Remarketing%20-%20All%20Pages&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&eid=376635471&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=3&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0&gtm=2wg4i1&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.metronetinc.com%2F&tiba=MetroNet%20%E2%80%93%20100%25%20Fiber%20Optic%20Internet%20%E2%80%93%20100%25%20Fiber%20Optic%20Internet%2C%20Streaming%20TV%2C",
        "https://app.threat.zone/submission/c70698bf-881e-491a-a582-eee634b4bf73/url-analysis-report",
        "Copy of clientlib.js(26).download",
        "Copy of clientlibs.js(2).download",
        "Copy of clientlib(21).css",
        "Copy of clientlib(43).css",
        "Copy of clientlib(42).css",
        "Copy of clientlib(47).css",
        "Copy of clientlib(48).css",
        "Copy of clientlib.js(41).download",
        "https://tria.ge/240521-r3mvhshd83",
        "Copy of clientlib(2).css",
        "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43",
        "Copy of clientlib(25).css",
        "Copy of clientlib(50).css",
        "Copy of clientlib.js(28).download",
        "Copy of clientlib(45).css",
        "https://centralops.net/co/DomainDossier.aspx",
        "https://a2.adform.net/serving/scripts/trackpoint/async/",
        "https://viewdns.info/portscan/?host=ualberta.ca",
        "https://secure-ds.serving-sys.com/SemiCachedScripts/ebAttribution.js",
        "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
        "Copy of clientlib.js(25).download",
        "Copy of clientlib(35).css",
        "Copy of clientlib.js(24).download",
        "Copy of clientlibs.js.download",
        "Unix.Mirai IP: https://otx.alienvault.com/indicator/ip/93.170.6.43",
        "https://reverseip.domaintools.com/search/?q=ualberta.ca",
        "Yara Detections: is__elf",
        "Copy of clientlib(6).css",
        "Copy of clientlib.js(4).download",
        "Copy of clientlib(19).css",
        "IDS Detections MSIL/CoinMiner.ACM CnC Activity Win32/1ms0rry CoinMiner Botnet CnC Checkin",
        "xfe-URL-Js.stripe.net-stix2-2.1-export.json",
        "Copy of clientlib.js(36).download",
        "https://search.odin.io/hosts?query=ualberta.ca",
        "Copy of clientlib.js(21).download",
        "Copy of clientlib.js(58).download",
        "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
        "Copy of clientlib(39).css",
        "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
        "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
        "Copy of clientlib.js(43).download",
        "bElement.id",
        "https://a2.adform.net/Serving/TrackPoint/?pm=508052&ADFPageName=Metronet%7CHomepage&ADFdivider=%7C&ord=735079476141&Set1=en-US%7Cen-US%7C390x844%7C32&ADFtpmode=2&loc=https%3A%2F%2Fwww.metronetinc.com%2F",
        "Copy of clientlib(18).css",
        "xfe-URL-metronetinc.com-stix2-2.1-export.json",
        "Copy of clientlib(23).css",
        "Alerts: antivm_network_adapters privilege_luid_check suspicious_tld allocates_rwx moves_self checks_debugger antivm_memory_available",
        "Copy of clientlib(9).css",
        "Copy of clientlib.js(52).download",
        "https://connect.facebook.net/signals/config/2196524664009793?v=2.9.57&r=stable",
        "Copy of clientlib(44).css",
        "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/iocs",
        "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
        "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark",
        "Copy of clientlib.js(10).download",
        "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
        "xfe-URL-uizard.io-stix2-2.1-export.json",
        "https://intelx.io/?s=ualberta.ca",
        "Copy of clientlib(16).css",
        "Copy of clientlib(54).css",
        "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
        "Copy of clientlib.js(1).download",
        "Copy of clientlib(46).css",
        "Copy of clientlib(51).css",
        "Copy of clientlib.js(22).download",
        "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
        "Alerts: cape_detected_threat",
        "https://www.filescan.io/uploads/68b608d639a6221faa7935aa/reports/dd218cea-f81d-43ed-97fe-dd8c5aec52a3/ioc",
        "https://widget.intercom.io/widget/e1nqrt2k",
        "09.10.25 - https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
        "Copy of clientlibs.css",
        "Alerts: nids_malware_alert injection_runpe network_icmp allocates_execute_remote_process antivm_queries_computername",
        "Copy of clientlib.js(14).download",
        "Copy of clientlib.js(38).download",
        "https://app.uizard.io/p/c69fa2aa",
        "https://whois.domaintools.com/ualberta.ca",
        "https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=ualberta.ca",
        "https://bgp.he.net/dns/ualberta.ca",
        "IDS Detections: Win32/1ms0rry CoinMiner Botnet CnC Checkin MSIL/CoinMiner.ACM CnC Activity High Priority",
        "Copy of clientlibs(4).css",
        "https://centralops.net/co/",
        "xfe-URL-vx-underground.org_Conti_-stix2-2.1-export.json",
        "Copy of clientlib.js(37).download",
        "https://tria.ge/240521-rxpf6ahd6w",
        "https://bs.serving-sys.com/Serving/ActivityServer.bs?cn=as&ActivityID=1073779012&rnd=922949.8781851793",
        "hxxps://go[.]microsoft[.]com/fwlink/?LinkId=2033498",
        "Copy of iframe_api",
        "b0t.fun: https://otx.alienvault.com/indicator/domain/b0t.fun",
        "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
        "https://viz.greynoise.io/ip/analysis/d90b0bd7-aaa1-4ea6-93c1-92bfd2d8f930",
        "xfe-URL-bat.bing.com-stix2-2.1-export 2.json",
        "Copy of clientlib.js(15).download",
        "Yara Detections: SUSP_Imphash_Mar23_2",
        "Copy of clientlib.js(54).download",
        "https://urlquery.net/report/e9f9c430-fb2f-4166-8bfb-500339fdb9c0",
        "Copy of clientlib(7).css",
        "https://tria.ge/240521-r1yh8shd44",
        "https://who.is/whois/ualberta.ca",
        "https://www.googleadservices.com/pagead/conversion/646812378/?random=1650430003991&cv=9&fst=1650430003991&num=1&value=0&label=6dFBCIm13s4BENqltrQC&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&eid=376635471&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=3&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0&gtm=2wg4i1&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.metronetinc.com%2F&tiba=MetroNet%20%E2%80%93%20100%25%20Fiber%20Optic%20Internet%20%E2%80%93%20100%25%20Fiber%20Optic%20Internet%2C%20Streaming%20TV%2C%20and%20Phone&",
        "https://connect.facebook.net/signals/plugins/identity.js?v=2.9.57",
        "Copy of clientlib(22).css",
        "Copy of clientlibs.js(3).download",
        "https://www.metronetinc.com/wp-includes/js/hoverIntent.min.js?ver=1.10.1",
        "IDS Detections: TELNET login failed root login Bad Login Generic Ping Keep-Alive Inbound M3",
        "https://www.metronetinc.com/wp-content/plugins/atomic-blocks/dist/assets/js/dismiss.js?ver=1625889728",
        "Copy of clientlib.js(9).download",
        "Copy of clientlib.js(45).download",
        "https://www.metronetinc.com/wp-includes/js/jquery/ui/core.min.js?ver=1.12.1",
        "https://11057407.fls.doubleclick.net/activityi;src=11057407;type=count0;cat=sitev0;ord=1;num=5426507653008;gtm=2wg4i1;auiddc=1460077727.1650429649;~oref=https%3A%2F%2Fwww.metronetinc.com%2F",
        "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs",
        "https://www.virustotal.com/graph/embed/g4022b02acb3b46ddb4b24043845853d9f56a84d80b5849188fee79c90217d4ca?theme=dark",
        "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
        "Copy of clientlib.js(34).download",
        "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark",
        "Copy of clientlib(27).css",
        "Copy of dir (1).c9r",
        "Copy of clientlib(1).css",
        "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs",
        "Copy of clientlib(53).css",
        "Copy of clientlib(55).css",
        "Copy of clientlib.js(23).download",
        "http://ci-www.threatcrowd.org/domain.php?domain=ualberta.ca",
        "https://www.googletagmanager.com/gtag/js?id=G-3XJ902FY6Q&l=dataLayer&cx=c",
        "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
        "Copy of clientlib.js(8).download",
        "Copy of clientlib.js(17).download",
        "Copy of clientlib.js(60).download",
        "Copy of clientlib.js(13).download",
        "Copy of clientlib(14).css",
        "https://public.profitwell.com/js/profitwell.js?auth=80939adc88898a29e714f6dd3d25e8ba",
        "https://www.googletagmanager.com/gtm.js?id=GTM-W3GQ4F",
        "Copy of clientlib(5).css",
        "https://viewdns.info/iphistory/?domain=ualberta.ca",
        "https://www.metronetinc.com/wp-content/plugins/lt-ajax-mn-channelguide/jquery-ui.min.js?ver=1.2",
        "https://web.archive.org/web/20250000000000*/ualberta.ca",
        "Copy of clientlib.js(7).download",
        "Copy of clientlib.js(3).download",
        "https://tria.ge/240521-rvybaahb79",
        "Alerts: persistence_autorun injection_ntsetcontextthread injection_resumethread dumped_buffer network_http raises_exception",
        "https://research.domaintools.com/research/whois-history/search/?q=ualberta.ca",
        "Copy of clientlib.js(42).download",
        "https://js.stripe.com/v3",
        "Copy of clientlib(8).css",
        "Copy of clientlib(31).css",
        "Copy of clientlib(13).css",
        "https://img03.en25.com/i/elqCfg.min.js",
        "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
        "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
        "Copy of clientlib(49).css",
        "Copy of clientlib(26).css",
        "https://www.whoxy.com/ualberta.ca",
        "Copy of clientlibs.js(4).download",
        "https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
        "Copy of fbevents.js.download",
        "Copy of clientlib.js(35).download",
        "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
        "Copy of clientlib(37).css",
        "https://dnsdumpster.com/",
        "https://www.metronetinc.com/wp-content/themes/MetroNet/js/jquery.flexslider-min.js?ver=5.8.4",
        "https://static.zdassets.com/ekr/snippet.js?key=e7dd7ff5-a219-47a1-b096-069f750c234f",
        "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName",
        "Copy of clientlib(36).css",
        "09.20.25 - https://urlscan.io/search/#page.domain%3Aualberta.ca",
        "Copy of clientlib.js(33).download",
        "Copy of clientlib(41).css",
        "09.10.25 - https://viz.greynoise.io/ip/analysis/df2c8c37-f8f2-4398-b709-7c716b03b697",
        "https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/iocs",
        "hxxps://myapplications[.]microsoft[.]com/",
        "IP Block: 100.116.0.0/ Details: https://www.virustotal.com/gui/ip-address/100.116.0.0/details",
        "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
        "https://www.merklemap.com/search?query=ualberta.ca&page=0",
        "Copy of clientlib.js(39).download",
        "https://www.virustotal.com/gui/ip-address/100.116.0.0/summary",
        "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
        "https://viz.greynoise.io/query/AS3359",
        "Copy of clientlibs(3).css",
        "Copy of clientlib(29).css",
        "hxxps://portal[.]office[.]com/Account",
        "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks  174.215.26.0",
        "https://otx.alienvault.com/indicator/file/a108ff340f5256cc17c1e8345aacc3cf6c91987a1884957ea75df6d23281480b",
        "Copy of clientlibs.js(1).download",
        "Copy of clientlib(15).css",
        "Copy of clientlib(33).css",
        "Copy of clientlib.js(16).download",
        "https://www.metronetinc.com/wp-content/plugins/lt-ajax-mn-channelguide/lt-ajax-mn-channelguide.js?ver=1.1",
        "https://img03.en25.com/i/livevalidation_standalone.compressed.js",
        "Copy of clientlib(3).css",
        "https://www.metronetinc.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.0",
        "https://cdn.eu.pendo.io/agent/static/82b060a2-2cf8-472e-55d4-bd0833416335/pendo.js",
        "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/summary",
        "https://app.netlas.io/domains/stats/?facets=domain&indices=&q=domain%3A%2A.ualberta.ca&size=1100",
        "Copy of clientlib(32).css",
        "https://crt.sh/?q=ualberta.ca&exclude=expired&group=none",
        "Copy of clientlib.js(44).download",
        "https://www.metronetinc.com/wp-content/plugins/pixel-caffeine/build/frontend.js?ver=2.3.3",
        "Copy of clientlib.js(30).download",
        "https://www.criminalip.io/asset/search?query=ualberta.ca",
        "Copy of clientlib.js(53).download",
        "https://www.urlvoid.com/dns-records-lookup/",
        "Copy of clientlib(24).css",
        "Copy of clientlib(40).css",
        "https://whois.easycounter.com/ualberta.ca",
        "https://www.robtex.com/en/dns-lookup/ca/ualberta",
        "Copy of clientlib.js(31).download",
        "Copy of clientlib(20).css",
        "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43/680e723df123be6c63004290",
        "Copy of clientlib(52).css",
        "Copy of clientlib(28).css",
        "https://www.googleadservices.com/pagead/conversion_async.js",
        "https://tria.ge/240521-ry949ahe2z/behavioral1",
        "Copy of js",
        "Copy of clientlibs(2).css",
        "Copy of clientlib(12).css",
        "Alerts: network_icmp suricata_alert network_multiple_direct_ip_connections Medium Priority Related Pulses OTX User-Created Pulses (2) Related Tags 10 Related Tags manipulation ,  discovery ,  dhta3eru4egasjn ,  abuse elevation ,  setgid More File Type ELF - ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped Size 55 KB (56653 bytes) MD5",
        "Copy of clientlib.js(2).download",
        "Copy of clientlib.js(55).download",
        "http://www.govexec.com/dailyfed/0906/091806ol.htm",
        "https://pulsedive.com/indicator/?indicator=ualberta.ca",
        "Copy of clientlibs(1).css",
        "https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/graph"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Flooder",
            "Trojan:win32/vflooder.a",
            "Coinminer.acm",
            "Packer.native",
            "Worm:win32/autorun",
            "Trojan.upatre/waski",
            "Coinminer.we",
            "Xe",
            "Et",
            "Unix.trojan.mirai-6981158-0",
            "Dark pulsar",
            "Alf:program:win32/webcompanion",
            "Sodinokibi.ab",
            "Reduceright",
            "Coinminer.wm",
            "Trickbot",
            "Win32/1ms0rry",
            "Mirai",
            "Trojandropper:win32/muldrop.v!mtb",
            "Trojan:win32/antavmu",
            "Slf:win64/cobpipe",
            "Win.packed.lynx"
          ],
          "industries": [
            "Finance",
            "Civilian society",
            "Transportation",
            "Biotechnology",
            "Technology",
            "Education",
            "Chemical",
            "Media",
            "Defense",
            "Government",
            "Construction",
            "Agriculture",
            "Telecommunications",
            "Healthcare",
            "Energy"
          ],
          "unique_indicators": 41303
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/facebook.com",
    "whois": "http://whois.domaintools.com/facebook.com",
    "domain": "facebook.com",
    "hostname": "www.facebook.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 14,
  "pulses": [
    {
      "id": "69b7ac3b32ac89ecba53f3d9",
      "name": "Malicious",
      "description": "",
      "modified": "2026-04-15T08:44:52.171000",
      "created": "2026-03-16T07:07:39.495000",
      "tags": [
        "march",
        "input http",
        "posix shell",
        "ascii text",
        "threat level",
        "summary av",
        "detection",
        "environment",
        "action"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 291,
        "URL": 272,
        "hostname": 296,
        "domain": 293,
        "FileHash-MD5": 90,
        "FileHash-SHA1": 89,
        "CIDR": 3,
        "email": 3,
        "SSLCertFingerprint": 9
      },
      "indicator_count": 1346,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 49,
      "modified_text": "4 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65eea19a23474b8c7dca351f",
      "name": "All Items - find from the UA archive disk",
      "description": "Again have zero idea 'what these are' - just uploading from the 'archives' as I sort through things",
      "modified": "2025-12-24T08:28:47.628000",
      "created": "2024-03-11T06:15:54.351000",
      "tags": [],
      "references": [
        "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs",
        "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs",
        "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark",
        "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark",
        "",
        "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1165,
        "hostname": 866,
        "URL": 657,
        "FileHash-SHA256": 26,
        "email": 337,
        "FileHash-MD5": 12,
        "FileHash-SHA1": 8,
        "CIDR": 1
      },
      "indicator_count": 3072,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 128,
      "modified_text": "116 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68b60cdecf42fb532f2ceb12",
      "name": "U of A DataBreach Update - 11.13.25",
      "description": "Domain Analysis that serves as evidence of an on-going DataBreaches at the University of Alberta with associated references.\nAnalysis demonstrates abused critical infrastructure in the Province of Alberta stemming from UAlberta as detailed in this Pulse.",
      "modified": "2025-12-13T22:01:27.739000",
      "created": "2025-09-01T21:15:10.117000",
      "tags": [
        "as16509",
        "amazon02",
        "redirect",
        "tags",
        "as14618",
        "amazonaes",
        "search",
        "public",
        "search live",
        "api blog",
        "patch http",
        "please",
        "javascript",
        "url",
        "website",
        "web",
        "scanner",
        "analyze",
        "analyzer",
        "search api",
        "make sure",
        "domain",
        "and not",
        "page",
        "home search",
        "live api",
        "blog docs",
        "pricing login",
        "greynoise",
        "visualizer skip",
        "service status",
        "company blog",
        "us careers",
        "policies vpat",
        "slo privacy",
        "cookie patent",
        "copyright",
        "google privacy",
        "sandbox",
        "reputation",
        "phishing",
        "malware",
        "amazon web",
        "services",
        "warning icon",
        "share report",
        "systems",
        "cloudflare",
        "varnish",
        "nginx",
        "apache",
        "write",
        "virus",
        "trojan",
        "ransomware",
        "static",
        "analysis",
        "indicator of compromise",
        "ioc",
        "extraction",
        "emulation",
        "online",
        "submit",
        "sample",
        "download",
        "platform",
        "course",
        "program",
        "vxstream",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "UAlberta"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/iocs",
        "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/summary",
        "https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
        "https://viz.greynoise.io/ip/analysis/d90b0bd7-aaa1-4ea6-93c1-92bfd2d8f930",
        "https://urlquery.net/report/e9f9c430-fb2f-4166-8bfb-500339fdb9c0",
        "https://www.filescan.io/uploads/68b608d639a6221faa7935aa/reports/dd218cea-f81d-43ed-97fe-dd8c5aec52a3/ioc",
        "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43",
        "https://viz.greynoise.io/query/AS3359",
        "https://www.virustotal.com/graph/embed/g4022b02acb3b46ddb4b24043845853d9f56a84d80b5849188fee79c90217d4ca?theme=dark",
        "http://ci-www.threatcrowd.org/domain.php?domain=ualberta.ca",
        "https://www.urlvoid.com/dns-records-lookup/",
        "https://www.shodan.io/search?query=ualberta.ca",
        "https://dnsdumpster.com/",
        "https://bgpview.io/asn/3359#whois",
        "https://centralops.net/co/",
        "https://app.netlas.io/domains/stats/?facets=domain&indices=&q=domain%3A%2A.ualberta.ca&size=1100",
        "09.10.25 - https://viz.greynoise.io/ip/analysis/df2c8c37-f8f2-4398-b709-7c716b03b697",
        "09.10.25 - https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
        "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43/680e723df123be6c63004290",
        "https://www.criminalip.io/asset/search?query=ualberta.ca",
        "09.20.25 - https://urlscan.io/search/#page.domain%3Aualberta.ca",
        "https://app.threat.zone/submission/c70698bf-881e-491a-a582-eee634b4bf73/url-analysis-report",
        "https://whois.domaintools.com/ualberta.ca",
        "https://research.domaintools.com/research/whois-history/search/?q=ualberta.ca",
        "https://viewdns.info/iphistory/?domain=ualberta.ca",
        "https://viewdns.info/portscan/?host=ualberta.ca",
        "https://whois.easycounter.com/ualberta.ca",
        "https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=ualberta.ca",
        "https://who.is/whois/ualberta.ca",
        "https://www.robtex.com/en/dns-lookup/ca/ualberta",
        "https://www.whoxy.com/ualberta.ca",
        "https://reverseip.domaintools.com/search/?q=ualberta.ca",
        "https://bgp.he.net/dns/ualberta.ca",
        "https://intelx.io/?s=ualberta.ca",
        "https://pulsedive.com/indicator/?indicator=ualberta.ca",
        "https://web.archive.org/web/20250000000000*/ualberta.ca",
        "https://crt.sh/?q=ualberta.ca&exclude=expired&group=none",
        "https://viewdns.info/traceroute/?domain=ualberta.ca",
        "https://centralops.net/co/DomainDossier.aspx",
        "https://search.odin.io/hosts?query=ualberta.ca",
        "https://www.merklemap.com/search?query=ualberta.ca&page=0"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 92,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 9901,
        "domain": 790,
        "email": 982,
        "hostname": 10520,
        "FileHash-MD5": 550,
        "FileHash-SHA256": 1726,
        "FileHash-SHA1": 519,
        "SSLCertFingerprint": 64,
        "CIDR": 26,
        "CVE": 12
      },
      "indicator_count": 25090,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "126 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66eb1903bb12a0d4b524a0fb",
      "name": "HCA Healthcloid | Cellco\u00bb  Adversary in the Middle | Swipper Verizon Block ",
      "description": "",
      "modified": "2024-09-18T18:16:35.396000",
      "created": "2024-09-18T18:16:35.396000",
      "tags": [
        "swipp9-arin",
        "swipper",
        "swipp",
        "verizon",
        "cellcopart",
        "swipper",
        "ongoing",
        "get e sim",
        "as16276",
        "france unknown",
        "unknown",
        "as6167",
        "org verizon",
        "passive dns",
        "all scoreblue",
        "as8075",
        "cellco",
        "javascript",
        "help center",
        "please",
        "service privacy",
        "policy cookie",
        "policy imprint",
        "ads info",
        "cms",
        "express",
        "tsa b",
        "self",
        "server",
        "get esim",
        "wirelessdatanetwork",
        "netrange",
        "nethandle",
        "net174",
        "net1740000",
        "mcics",
        "orgid",
        "mcics address",
        "loudoun county",
        "android",
        "generic http",
        "exe upload",
        "windows nt",
        "outbound",
        "host",
        "malware beacon",
        "cape",
        "trojan",
        "copy",
        "write",
        "malware",
        "inbound",
        "impash",
        "post na",
        "search",
        "delete",
        "related pulses",
        "top source",
        "top destination",
        "source source",
        "filehash",
        "contentlength",
        "activity",
        "dns lookup",
        "flooder",
        "et",
        "aaaa",
        "nxdomain",
        "domain",
        "ipv4",
        "url analysis",
        "files",
        "malicious",
        "network",
        "historical ssl",
        "epsilon stealer",
        "traces aided",
        "dns intel",
        "remote job",
        "keeper",
        "snatch",
        "ransomware",
        "united states",
        "as8068",
        "entries",
        "mtb jan",
        "body",
        "x msedge",
        "scan endpoints",
        "trojandropper",
        "slf features",
        "file samples",
        "files matching",
        "date hash",
        "next",
        "win64",
        "win32",
        "copyright",
        "levelblue",
        "showing",
        "a domains",
        "as54113",
        "script domains",
        "script urls",
        "script script",
        "date",
        "meta",
        "window",
        "cookie",
        "trojan features",
        "worm",
        "show",
        "alf features",
        "hca",
        "target tsara brashears",
        "hostname",
        "expiration",
        "no expiration",
        "hca health",
        "eva120",
        "jody huffines",
        "jody alaska",
        "stephen r 'middleton'",
        "phone clone",
        "adversary in the middle",
        "known threat",
        "android attack",
        "web attack",
        "network",
        "dns",
        "florence co",
        "ddos",
        "google",
        "ip address",
        "ip range",
        "whois",
        "spam stats",
        "as6167 network",
        "cleantalk ip",
        "email abuse",
        "reports",
        "misc attack",
        "et tor",
        "known tor",
        "relayrouter",
        "exit",
        "node traffic",
        "suricata",
        "et intelligence",
        "known malicious ip",
        "spoof",
        "twitter",
        "x",
        "hackers"
      ],
      "references": [
        "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks  174.215.26.0",
        "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
        "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
        "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
        "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
        "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
        "Yara Detections: SUSP_Imphash_Mar23_2",
        "Alerts: cape_detected_threat",
        "http://www.govexec.com/dailyfed/0906/091806ol.htm",
        "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
        "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
        "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
        "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
        "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
        "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
        "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
        "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
        "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
        "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
        "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
        "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/Vflooder.A",
          "display_name": "Trojan:Win32/Vflooder.A",
          "target": "/malware/Trojan:Win32/Vflooder.A"
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Flooder",
          "display_name": "Flooder",
          "target": null
        },
        {
          "id": "Trojan.Upatre/Waski",
          "display_name": "Trojan.Upatre/Waski",
          "target": null
        },
        {
          "id": "SLF:Win64/CobPipe",
          "display_name": "SLF:Win64/CobPipe",
          "target": "/malware/SLF:Win64/CobPipe"
        },
        {
          "id": "TrojanDropper:Win32/Muldrop.V!MTB",
          "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
          "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
        },
        {
          "id": "Worm:Win32/AutoRun",
          "display_name": "Worm:Win32/AutoRun",
          "target": "/malware/Worm:Win32/AutoRun"
        },
        {
          "id": "ALF:Program:Win32/Webcompanion",
          "display_name": "ALF:Program:Win32/Webcompanion",
          "target": null
        },
        {
          "id": "Trojan:Win32/Antavmu",
          "display_name": "Trojan:Win32/Antavmu",
          "target": "/malware/Trojan:Win32/Antavmu"
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1212",
          "name": "Exploitation for Credential Access",
          "display_name": "T1212 - Exploitation for Credential Access"
        },
        {
          "id": "T1003.008",
          "name": "/etc/passwd and /etc/shadow",
          "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1122",
          "name": "Component Object Model Hijacking",
          "display_name": "T1122 - Component Object Model Hijacking"
        },
        {
          "id": "T1198",
          "name": "SIP and Trust Provider Hijacking",
          "display_name": "T1198 - SIP and Trust Provider Hijacking"
        },
        {
          "id": "T1460",
          "name": "Biometric Spoofing",
          "display_name": "T1460 - Biometric Spoofing"
        },
        {
          "id": "T1502",
          "name": "Parent PID Spoofing",
          "display_name": "T1502 - Parent PID Spoofing"
        },
        {
          "id": "T1205.001",
          "name": "Port Knocking",
          "display_name": "T1205.001 - Port Knocking"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Healthcare",
        "Government",
        "Civilian Society"
      ],
      "TLP": "white",
      "cloned_from": "66ba9198fd69c93fabece38d",
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 51,
        "CIDR": 11,
        "URL": 280,
        "hostname": 426,
        "FileHash-SHA256": 4334,
        "domain": 180,
        "FileHash-MD5": 2244,
        "FileHash-SHA1": 2244,
        "CVE": 1
      },
      "indicator_count": 9771,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 224,
      "modified_text": "577 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66ba9198fd69c93fabece38d",
      "name": "Adversary in the Middle | Cellco | Targeting | Phone Cloner | Monitoring",
      "description": "Linked to X.com research. Remotely spoofs, DDoS, blocks, intercepts, redirects, all activity of victim. At one time same Handle: Swipper had a malicious link attached to targets Apple notepads. The link connected to a website with targets name with photo of a jubilant arrest, or death threat. Site linked to Loudoun County, Swipper claiming to be the FBI.",
      "modified": "2024-09-18T18:12:03.438000",
      "created": "2024-08-12T22:50:00.127000",
      "tags": [
        "swipp9-arin",
        "swipper",
        "swipp",
        "verizon",
        "cellcopart",
        "swipper",
        "ongoing",
        "get e sim",
        "as16276",
        "france unknown",
        "unknown",
        "as6167",
        "org verizon",
        "passive dns",
        "all scoreblue",
        "as8075",
        "cellco",
        "javascript",
        "help center",
        "please",
        "service privacy",
        "policy cookie",
        "policy imprint",
        "ads info",
        "cms",
        "express",
        "tsa b",
        "self",
        "server",
        "get esim",
        "wirelessdatanetwork",
        "netrange",
        "nethandle",
        "net174",
        "net1740000",
        "mcics",
        "orgid",
        "mcics address",
        "loudoun county",
        "android",
        "generic http",
        "exe upload",
        "windows nt",
        "outbound",
        "host",
        "malware beacon",
        "cape",
        "trojan",
        "copy",
        "write",
        "malware",
        "inbound",
        "impash",
        "post na",
        "search",
        "delete",
        "related pulses",
        "top source",
        "top destination",
        "source source",
        "filehash",
        "contentlength",
        "activity",
        "dns lookup",
        "flooder",
        "et",
        "aaaa",
        "nxdomain",
        "domain",
        "ipv4",
        "url analysis",
        "files",
        "malicious",
        "network",
        "historical ssl",
        "epsilon stealer",
        "traces aided",
        "dns intel",
        "remote job",
        "keeper",
        "snatch",
        "ransomware",
        "united states",
        "as8068",
        "entries",
        "mtb jan",
        "body",
        "x msedge",
        "scan endpoints",
        "trojandropper",
        "slf features",
        "file samples",
        "files matching",
        "date hash",
        "next",
        "win64",
        "win32",
        "copyright",
        "levelblue",
        "showing",
        "a domains",
        "as54113",
        "script domains",
        "script urls",
        "script script",
        "date",
        "meta",
        "window",
        "cookie",
        "trojan features",
        "worm",
        "show",
        "alf features",
        "hca",
        "target tsara brashears",
        "hostname",
        "expiration",
        "no expiration",
        "hca health",
        "eva120",
        "jody huffines",
        "jody alaska",
        "stephen r 'middleton'",
        "phone clone",
        "adversary in the middle",
        "known threat",
        "android attack",
        "web attack",
        "network",
        "dns",
        "florence co",
        "ddos",
        "google",
        "ip address",
        "ip range",
        "whois",
        "spam stats",
        "as6167 network",
        "cleantalk ip",
        "email abuse",
        "reports",
        "misc attack",
        "et tor",
        "known tor",
        "relayrouter",
        "exit",
        "node traffic",
        "suricata",
        "et intelligence",
        "known malicious ip",
        "spoof",
        "twitter",
        "x",
        "hackers"
      ],
      "references": [
        "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks  174.215.26.0",
        "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
        "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
        "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
        "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
        "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
        "Yara Detections: SUSP_Imphash_Mar23_2",
        "Alerts: cape_detected_threat",
        "http://www.govexec.com/dailyfed/0906/091806ol.htm",
        "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
        "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
        "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
        "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
        "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
        "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
        "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
        "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
        "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
        "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
        "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
        "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/Vflooder.A",
          "display_name": "Trojan:Win32/Vflooder.A",
          "target": "/malware/Trojan:Win32/Vflooder.A"
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Flooder",
          "display_name": "Flooder",
          "target": null
        },
        {
          "id": "Trojan.Upatre/Waski",
          "display_name": "Trojan.Upatre/Waski",
          "target": null
        },
        {
          "id": "SLF:Win64/CobPipe",
          "display_name": "SLF:Win64/CobPipe",
          "target": "/malware/SLF:Win64/CobPipe"
        },
        {
          "id": "TrojanDropper:Win32/Muldrop.V!MTB",
          "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
          "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
        },
        {
          "id": "Worm:Win32/AutoRun",
          "display_name": "Worm:Win32/AutoRun",
          "target": "/malware/Worm:Win32/AutoRun"
        },
        {
          "id": "ALF:Program:Win32/Webcompanion",
          "display_name": "ALF:Program:Win32/Webcompanion",
          "target": null
        },
        {
          "id": "Trojan:Win32/Antavmu",
          "display_name": "Trojan:Win32/Antavmu",
          "target": "/malware/Trojan:Win32/Antavmu"
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1212",
          "name": "Exploitation for Credential Access",
          "display_name": "T1212 - Exploitation for Credential Access"
        },
        {
          "id": "T1003.008",
          "name": "/etc/passwd and /etc/shadow",
          "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1122",
          "name": "Component Object Model Hijacking",
          "display_name": "T1122 - Component Object Model Hijacking"
        },
        {
          "id": "T1198",
          "name": "SIP and Trust Provider Hijacking",
          "display_name": "T1198 - SIP and Trust Provider Hijacking"
        },
        {
          "id": "T1460",
          "name": "Biometric Spoofing",
          "display_name": "T1460 - Biometric Spoofing"
        },
        {
          "id": "T1502",
          "name": "Parent PID Spoofing",
          "display_name": "T1502 - Parent PID Spoofing"
        },
        {
          "id": "T1205.001",
          "name": "Port Knocking",
          "display_name": "T1205.001 - Port Knocking"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Healthcare",
        "Government",
        "Civilian Society"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 51,
        "CIDR": 11,
        "URL": 280,
        "hostname": 426,
        "FileHash-SHA256": 4334,
        "domain": 180,
        "FileHash-MD5": 2244,
        "FileHash-SHA1": 2244,
        "CVE": 1
      },
      "indicator_count": 9771,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 226,
      "modified_text": "577 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66cb6092ed7d61b3a370d6cd",
      "name": "Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPER | BGP Hurricane Electric ",
      "description": "",
      "modified": "2024-09-12T00:41:55.890000",
      "created": "2024-08-25T16:49:22.975000",
      "tags": [
        "swipp9-arin",
        "swipper",
        "swipp",
        "verizon",
        "cellcopart",
        "swipper",
        "ongoing",
        "get e sim",
        "as16276",
        "france unknown",
        "unknown",
        "as6167",
        "org verizon",
        "passive dns",
        "all scoreblue",
        "as8075",
        "cellco",
        "javascript",
        "help center",
        "please",
        "service privacy",
        "policy cookie",
        "policy imprint",
        "ads info",
        "cms",
        "express",
        "tsa b",
        "self",
        "server",
        "get esim",
        "wirelessdatanetwork",
        "netrange",
        "nethandle",
        "net174",
        "net1740000",
        "mcics",
        "orgid",
        "mcics address",
        "loudoun county",
        "android",
        "generic http",
        "exe upload",
        "windows nt",
        "outbound",
        "host",
        "malware beacon",
        "cape",
        "trojan",
        "copy",
        "write",
        "malware",
        "inbound",
        "impash",
        "post na",
        "search",
        "delete",
        "related pulses",
        "top source",
        "top destination",
        "source source",
        "filehash",
        "contentlength",
        "activity",
        "dns lookup",
        "flooder",
        "et",
        "aaaa",
        "nxdomain",
        "domain",
        "ipv4",
        "url analysis",
        "files",
        "malicious",
        "network",
        "historical ssl",
        "epsilon stealer",
        "traces aided",
        "dns intel",
        "remote job",
        "keeper",
        "snatch",
        "ransomware",
        "united states",
        "as8068",
        "entries",
        "mtb jan",
        "body",
        "x msedge",
        "scan endpoints",
        "trojandropper",
        "slf features",
        "file samples",
        "files matching",
        "date hash",
        "next",
        "win64",
        "win32",
        "copyright",
        "levelblue",
        "showing",
        "a domains",
        "as54113",
        "script domains",
        "script urls",
        "script script",
        "date",
        "meta",
        "window",
        "cookie",
        "trojan features",
        "worm",
        "show",
        "alf features",
        "hca",
        "target tsara brashears",
        "hostname",
        "expiration",
        "no expiration",
        "hca health",
        "eva120",
        "jody huffines",
        "jody alaska",
        "stephen r 'middleton'",
        "phone clone",
        "adversary in the middle",
        "known threat",
        "android attack",
        "web attack",
        "network",
        "dns",
        "florence co",
        "ddos",
        "google",
        "ip address",
        "ip range",
        "whois",
        "spam stats",
        "as6167 network",
        "cleantalk ip",
        "email abuse",
        "reports",
        "misc attack",
        "et tor",
        "known tor",
        "relayrouter",
        "exit",
        "node traffic",
        "suricata",
        "et intelligence",
        "known malicious ip",
        "spoof",
        "twitter",
        "x",
        "hackers"
      ],
      "references": [
        "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks  174.215.26.0",
        "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
        "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
        "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
        "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
        "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
        "Yara Detections: SUSP_Imphash_Mar23_2",
        "Alerts: cape_detected_threat",
        "http://www.govexec.com/dailyfed/0906/091806ol.htm",
        "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
        "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
        "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
        "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
        "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
        "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
        "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
        "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
        "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
        "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
        "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
        "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/Vflooder.A",
          "display_name": "Trojan:Win32/Vflooder.A",
          "target": "/malware/Trojan:Win32/Vflooder.A"
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Flooder",
          "display_name": "Flooder",
          "target": null
        },
        {
          "id": "Trojan.Upatre/Waski",
          "display_name": "Trojan.Upatre/Waski",
          "target": null
        },
        {
          "id": "SLF:Win64/CobPipe",
          "display_name": "SLF:Win64/CobPipe",
          "target": "/malware/SLF:Win64/CobPipe"
        },
        {
          "id": "TrojanDropper:Win32/Muldrop.V!MTB",
          "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
          "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
        },
        {
          "id": "Worm:Win32/AutoRun",
          "display_name": "Worm:Win32/AutoRun",
          "target": "/malware/Worm:Win32/AutoRun"
        },
        {
          "id": "ALF:Program:Win32/Webcompanion",
          "display_name": "ALF:Program:Win32/Webcompanion",
          "target": null
        },
        {
          "id": "Trojan:Win32/Antavmu",
          "display_name": "Trojan:Win32/Antavmu",
          "target": "/malware/Trojan:Win32/Antavmu"
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1212",
          "name": "Exploitation for Credential Access",
          "display_name": "T1212 - Exploitation for Credential Access"
        },
        {
          "id": "T1003.008",
          "name": "/etc/passwd and /etc/shadow",
          "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1122",
          "name": "Component Object Model Hijacking",
          "display_name": "T1122 - Component Object Model Hijacking"
        },
        {
          "id": "T1198",
          "name": "SIP and Trust Provider Hijacking",
          "display_name": "T1198 - SIP and Trust Provider Hijacking"
        },
        {
          "id": "T1460",
          "name": "Biometric Spoofing",
          "display_name": "T1460 - Biometric Spoofing"
        },
        {
          "id": "T1502",
          "name": "Parent PID Spoofing",
          "display_name": "T1502 - Parent PID Spoofing"
        },
        {
          "id": "T1205.001",
          "name": "Port Knocking",
          "display_name": "T1205.001 - Port Knocking"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Healthcare",
        "Government",
        "Civilian Society"
      ],
      "TLP": "white",
      "cloned_from": "66ba9198fd69c93fabece38d",
      "export_count": 31,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 24,
        "CIDR": 8,
        "URL": 190,
        "hostname": 370,
        "FileHash-SHA256": 4319,
        "domain": 176,
        "FileHash-MD5": 2244,
        "FileHash-SHA1": 2244,
        "CVE": 1
      },
      "indicator_count": 9576,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 227,
      "modified_text": "584 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66d496e04d8fa0cc8d528941",
      "name": "Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPER | BGP Hurricane Electric ",
      "description": "",
      "modified": "2024-09-12T00:25:51.199000",
      "created": "2024-09-01T16:31:28.909000",
      "tags": [
        "swipp9-arin",
        "swipper",
        "swipp",
        "verizon",
        "cellcopart",
        "swipper",
        "ongoing",
        "get e sim",
        "as16276",
        "france unknown",
        "unknown",
        "as6167",
        "org verizon",
        "passive dns",
        "all scoreblue",
        "as8075",
        "cellco",
        "javascript",
        "help center",
        "please",
        "service privacy",
        "policy cookie",
        "policy imprint",
        "ads info",
        "cms",
        "express",
        "tsa b",
        "self",
        "server",
        "get esim",
        "wirelessdatanetwork",
        "netrange",
        "nethandle",
        "net174",
        "net1740000",
        "mcics",
        "orgid",
        "mcics address",
        "loudoun county",
        "android",
        "generic http",
        "exe upload",
        "windows nt",
        "outbound",
        "host",
        "malware beacon",
        "cape",
        "trojan",
        "copy",
        "write",
        "malware",
        "inbound",
        "impash",
        "post na",
        "search",
        "delete",
        "related pulses",
        "top source",
        "top destination",
        "source source",
        "filehash",
        "contentlength",
        "activity",
        "dns lookup",
        "flooder",
        "et",
        "aaaa",
        "nxdomain",
        "domain",
        "ipv4",
        "url analysis",
        "files",
        "malicious",
        "network",
        "historical ssl",
        "epsilon stealer",
        "traces aided",
        "dns intel",
        "remote job",
        "keeper",
        "snatch",
        "ransomware",
        "united states",
        "as8068",
        "entries",
        "mtb jan",
        "body",
        "x msedge",
        "scan endpoints",
        "trojandropper",
        "slf features",
        "file samples",
        "files matching",
        "date hash",
        "next",
        "win64",
        "win32",
        "copyright",
        "levelblue",
        "showing",
        "a domains",
        "as54113",
        "script domains",
        "script urls",
        "script script",
        "date",
        "meta",
        "window",
        "cookie",
        "trojan features",
        "worm",
        "show",
        "alf features",
        "hca",
        "target tsara brashears",
        "hostname",
        "expiration",
        "no expiration",
        "hca health",
        "eva120",
        "jody huffines",
        "jody alaska",
        "stephen r 'middleton'",
        "phone clone",
        "adversary in the middle",
        "known threat",
        "android attack",
        "web attack",
        "network",
        "dns",
        "florence co",
        "ddos",
        "google",
        "ip address",
        "ip range",
        "whois",
        "spam stats",
        "as6167 network",
        "cleantalk ip",
        "email abuse",
        "reports",
        "misc attack",
        "et tor",
        "known tor",
        "relayrouter",
        "exit",
        "node traffic",
        "suricata",
        "et intelligence",
        "known malicious ip",
        "spoof",
        "twitter",
        "x",
        "hackers"
      ],
      "references": [
        "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks  174.215.26.0",
        "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
        "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
        "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
        "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
        "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
        "Yara Detections: SUSP_Imphash_Mar23_2",
        "Alerts: cape_detected_threat",
        "http://www.govexec.com/dailyfed/0906/091806ol.htm",
        "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
        "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
        "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
        "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
        "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
        "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
        "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
        "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
        "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
        "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
        "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
        "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/Vflooder.A",
          "display_name": "Trojan:Win32/Vflooder.A",
          "target": "/malware/Trojan:Win32/Vflooder.A"
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Flooder",
          "display_name": "Flooder",
          "target": null
        },
        {
          "id": "Trojan.Upatre/Waski",
          "display_name": "Trojan.Upatre/Waski",
          "target": null
        },
        {
          "id": "SLF:Win64/CobPipe",
          "display_name": "SLF:Win64/CobPipe",
          "target": "/malware/SLF:Win64/CobPipe"
        },
        {
          "id": "TrojanDropper:Win32/Muldrop.V!MTB",
          "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
          "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
        },
        {
          "id": "Worm:Win32/AutoRun",
          "display_name": "Worm:Win32/AutoRun",
          "target": "/malware/Worm:Win32/AutoRun"
        },
        {
          "id": "ALF:Program:Win32/Webcompanion",
          "display_name": "ALF:Program:Win32/Webcompanion",
          "target": null
        },
        {
          "id": "Trojan:Win32/Antavmu",
          "display_name": "Trojan:Win32/Antavmu",
          "target": "/malware/Trojan:Win32/Antavmu"
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1212",
          "name": "Exploitation for Credential Access",
          "display_name": "T1212 - Exploitation for Credential Access"
        },
        {
          "id": "T1003.008",
          "name": "/etc/passwd and /etc/shadow",
          "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1122",
          "name": "Component Object Model Hijacking",
          "display_name": "T1122 - Component Object Model Hijacking"
        },
        {
          "id": "T1198",
          "name": "SIP and Trust Provider Hijacking",
          "display_name": "T1198 - SIP and Trust Provider Hijacking"
        },
        {
          "id": "T1460",
          "name": "Biometric Spoofing",
          "display_name": "T1460 - Biometric Spoofing"
        },
        {
          "id": "T1502",
          "name": "Parent PID Spoofing",
          "display_name": "T1502 - Parent PID Spoofing"
        },
        {
          "id": "T1205.001",
          "name": "Port Knocking",
          "display_name": "T1205.001 - Port Knocking"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Healthcare",
        "Government",
        "Civilian Society"
      ],
      "TLP": "white",
      "cloned_from": "66cb6092ed7d61b3a370d6cd",
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 33,
        "CIDR": 9,
        "URL": 221,
        "hostname": 390,
        "FileHash-SHA256": 4343,
        "domain": 177,
        "FileHash-MD5": 2244,
        "FileHash-SHA1": 2244,
        "CVE": 1
      },
      "indicator_count": 9662,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 226,
      "modified_text": "584 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "664bd9b732ecaf1b3c3beddf",
      "name": "Found some problems - Files from the UAlberta Google Drive Archive",
      "description": "Been looking for these...Gifts from the University of Alberta to the World apparently\n*Please note: I emptied out the Drive, however, there was a significant amount of abuse re: Google and Microsoft Accounts at the University of Alberta (reported).\n*On the Google side I utilized: Drive (a little), Docs/Slides/Sheets (when groupwork was required)\n*On the Microsoft side I utilized: OneDrive, Office 365 (Word, PPT, Excel, and OneNote). I used to also have a personal microsoft account (OneNote, OneDrive, Skype).\nThese were the applications I lived on for my studies. I could access the Gmail/Microsoft accounts for the University (however - 'bad things' usually happen because of this). I have no access to my personal Microsoft Account (i.e. myself and other affected student(s) do not have access to our personal stuff).",
      "modified": "2024-09-03T00:02:13.980000",
      "created": "2024-05-20T23:16:07.255000",
      "tags": [
        "contact",
        "quick",
        "destination",
        "entry",
        "safety",
        "local",
        "health",
        "travel",
        "notification",
        "considerations",
        "service",
        "criminal",
        "showit",
        "click",
        "outcome",
        "step",
        "please",
        "class",
        "questions set",
        "question set",
        "unlock",
        "continue",
        "jointfilingyes",
        "jointfilingno",
        "minimum req",
        "domicileresusno",
        "joint sponsor",
        "sponsorjoint",
        "path",
        "href",
        "span",
        "activetab",
        "starton",
        "newpage",
        "searchq",
        "datasia",
        "datacon",
        "segfilter",
        "subsite",
        "issuance agency",
        "visas",
        "null",
        "state",
        "dialog field",
        "tabpanel",
        "recaptcha",
        "nameinputvisa",
        "fullnameinput1",
        "license headers",
        "tools",
        "templates",
        "sia contact",
        "visa",
        "website",
        "phoneregexp",
        "emailregexp",
        "azaz",
        "urlpattern",
        "example starter",
        "javascript",
        "fetch",
        "comptwo",
        "compone",
        "dateofbirth",
        "function",
        "date",
        "passport",
        "nameinput",
        "fullnameinput",
        "adult passport",
        "child passport",
        "new child",
        "new adult",
        "new passport",
        "datepicker",
        "ds5504",
        "hideit",
        "infinity",
        "false",
        "jquery",
        "error",
        "body",
        "trident",
        "simple",
        "turn",
        "back",
        "calendar",
        "format",
        "february",
        "april",
        "june",
        "august",
        "show",
        "page has",
        "bcdate",
        "col1child",
        "col2child",
        "coldatechild",
        "rowdisplay",
        "val1",
        "val2",
        "repaginate",
        "grab",
        "jandec",
        "86400000",
        "current",
        "namerbcontactme",
        "agency",
        "compliment",
        "complaint",
        "passportfees",
        "customerservice",
        "bymail",
        "namerbcategory",
        "brokenlink",
        "search",
        "departuredate",
        "calendar date",
        "picker",
        "change",
        "month",
        "vital",
        "records form",
        "component js",
        "select",
        "please enter",
        "azaz09",
        "dddddd",
        "woff2",
        "woff",
        "truetype",
        "css document",
        "efefef",
        "ffffff",
        "gradienttype0",
        "galaxy",
        "nexus",
        "iphone5",
        "abtn",
        "bbtn",
        "cbtn",
        "dbtn",
        "ebtn",
        "fbtn",
        "gbtn",
        "hbtn",
        "ibtn",
        "media query",
        "from",
        "fce68e",
        "font family",
        "bold",
        "document",
        "cc3333",
        "b7b7b7",
        "e2edff",
        "ced9ea",
        "pm author",
        "ipca csi",
        "helvetica",
        "arial",
        "cq aem",
        "feed classes",
        "f2cd54",
        "f4d97e",
        "portrait",
        "landscape",
        "ipad",
        "declare",
        "immigrant",
        "visa navigation",
        "navigation css",
        "georgia",
        "times new",
        "roman",
        "times",
        "verdana",
        "photomodal",
        "styles media",
        "ff0000",
        "queries",
        "form component",
        "typetext",
        "queries media",
        "phone media",
        "tablet styles",
        "media queries",
        "jumbo sized",
        "copyright",
        "gpl version",
        "http",
        "alpha",
        "button",
        "out width",
        "ui css",
        "framework",
        "icons",
        "misc",
        "mini",
        "input",
        "label",
        "textarea",
        "overlays",
        "csi page",
        "embassy info",
        "embassy data",
        "embassy names",
        "end adjust",
        "embassy nameso",
        "pages",
        "e1a04d",
        "c0c0c0",
        "ffffff url",
        "us survey",
        "component css",
        "country list",
        "e7eceb",
        "important",
        "additional css",
        "wizard",
        "corner radius",
        "f97800",
        "c61700",
        "largestbox",
        "thisbox",
        "csi navigation",
        "ui autocomplete",
        "ui menu",
        "noticeid",
        "countnote",
        "largestnote",
        "thisnote",
        "desktops",
        "43px",
        "42px",
        "large",
        "aem interface",
        "styles",
        "web email",
        "ytconfig",
        "typeerror",
        "facebook pixel",
        "pixel code",
        "symbol",
        "fblog",
        "typeof",
        "iterator",
        "pageview",
        "pixel",
        "facebook",
        "config",
        "meta",
        "propname",
        "dpjquerydpuuid",
        "this",
        "next",
        "atom",
        "cookie",
        "iframe",
        "close",
        "string",
        "number",
        "edge",
        "regexp",
        "silk",
        "sxa0",
        "object",
        "opera",
        "android",
        "void",
        "form",
        "UAlberta",
        "Android",
        "Mac",
        "iPhone",
        "Gov Alberta",
        "AWS",
        "AZURE",
        "ENTRA",
        "iCloud",
        "Telus",
        "Bitdefender",
        "Norton"
      ],
      "references": [
        "Copy of clientlib.js(1).download",
        "Copy of clientlib.js(2).download",
        "Copy of clientlib.js(5).download",
        "Copy of clientlib.js(7).download",
        "Copy of clientlib.js(4).download",
        "Copy of clientlib.js(10).download",
        "Copy of clientlib.js(8).download",
        "Copy of clientlib.js(11).download",
        "Copy of clientlib.js(12).download",
        "Copy of clientlib.js(13).download",
        "Copy of clientlib.js(14).download",
        "Copy of clientlib.js(9).download",
        "Copy of clientlib.js(16).download",
        "Copy of clientlib.js(17).download",
        "Copy of clientlib.js(18).download",
        "Copy of clientlib.js(3).download",
        "Copy of clientlib.js(19).download",
        "Copy of clientlib.js(15).download",
        "Copy of clientlib.js(22).download",
        "Copy of clientlib.js(23).download",
        "Copy of clientlib.js(21).download",
        "Copy of clientlib.js(26).download",
        "Copy of clientlib.js(25).download",
        "Copy of clientlib.js(24).download",
        "Copy of clientlib.js(31).download",
        "Copy of clientlib.js(28).download",
        "Copy of clientlib.js(30).download",
        "Copy of clientlib.js(32).download",
        "Copy of clientlib.js(29).download",
        "Copy of clientlib.js(34).download",
        "Copy of clientlib.js(35).download",
        "Copy of clientlib.js(37).download",
        "Copy of clientlib.js(36).download",
        "Copy of clientlib.js(38).download",
        "Copy of clientlib.js(39).download",
        "Copy of clientlib.js(33).download",
        "Copy of clientlib.js(44).download",
        "Copy of clientlib.js(43).download",
        "Copy of clientlib.js(41).download",
        "Copy of clientlib.js(42).download",
        "Copy of clientlib.js(45).download",
        "Copy of clientlib.js(51).download",
        "Copy of clientlib.js(56).download",
        "Copy of clientlib.js(55).download",
        "Copy of clientlib.js(54).download",
        "Copy of clientlib.js(57).download",
        "Copy of clientlib.js(52).download",
        "Copy of clientlib.js(53).download",
        "Copy of clientlib.js(60).download",
        "Copy of clientlib(1).css",
        "Copy of clientlib.js(59).download",
        "Copy of clientlib(3).css",
        "Copy of clientlib(2).css",
        "Copy of clientlib(5).css",
        "Copy of clientlib.js(58).download",
        "Copy of clientlib(8).css",
        "Copy of clientlib(10).css",
        "Copy of clientlib(7).css",
        "Copy of clientlib(6).css",
        "Copy of clientlib(12).css",
        "Copy of clientlib(13).css",
        "Copy of clientlib(9).css",
        "Copy of clientlib(4).css",
        "Copy of clientlib(14).css",
        "Copy of clientlib(17).css",
        "Copy of clientlib(15).css",
        "Copy of clientlib(19).css",
        "Copy of clientlib(18).css",
        "Copy of clientlib(11).css",
        "Copy of clientlib(20).css",
        "Copy of clientlib(16).css",
        "Copy of clientlib(23).css",
        "Copy of clientlib(24).css",
        "Copy of clientlib(26).css",
        "Copy of clientlib(25).css",
        "Copy of clientlib(28).css",
        "Copy of clientlib(22).css",
        "Copy of clientlib(27).css",
        "Copy of clientlib(31).css",
        "Copy of clientlib(29).css",
        "Copy of clientlib(30).css",
        "Copy of clientlib(32).css",
        "Copy of clientlib(34).css",
        "Copy of clientlib(35).css",
        "Copy of clientlib(33).css",
        "Copy of clientlib(38).css",
        "Copy of clientlib(37).css",
        "Copy of clientlib(36).css",
        "Copy of clientlib(40).css",
        "Copy of clientlib(39).css",
        "Copy of clientlib(43).css",
        "Copy of clientlib(21).css",
        "Copy of clientlib(41).css",
        "Copy of clientlib(44).css",
        "Copy of clientlib(42).css",
        "Copy of clientlib(46).css",
        "Copy of clientlib(45).css",
        "Copy of clientlib(47).css",
        "Copy of clientlib(48).css",
        "Copy of clientlib(49).css",
        "Copy of clientlib(50).css",
        "Copy of clientlib(52).css",
        "Copy of clientlib(54).css",
        "Copy of clientlibs.js(3).download",
        "Copy of clientlib(53).css",
        "Copy of clientlibs.js(2).download",
        "Copy of clientlibs(3).css",
        "Copy of clientlib(51).css",
        "Copy of clientlibs(1).css",
        "Copy of clientlibs(2).css",
        "Copy of clientlibs.js.download",
        "Copy of clientlibs.js(4).download",
        "Copy of clientlibs(5).css",
        "Copy of clientlibs.css",
        "Copy of clientlibs(4).css",
        "Copy of dir (1).c9r",
        "Copy of clientlib(55).css",
        "Copy of iframe_api",
        "Copy of fbevents.js.download",
        "Copy of clientlibs.js(1).download",
        "Copy of js",
        "https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/iocs",
        "https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/graph",
        "hxxps://go[.]microsoft[.]com/fwlink/?LinkId=2033498",
        "hxxps://portal[.]office[.]com/Account",
        "hxxps://myapplications[.]microsoft[.]com/",
        "https://tria.ge/240521-rvybaahb79",
        "https://tria.ge/240521-rxpf6ahd6w",
        "https://tria.ge/240521-r1yh8shd44",
        "https://tria.ge/240521-ry949ahe2z/behavioral1",
        "https://tria.ge/240521-r3mvhshd83"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "Mexico",
        "Anguilla",
        "Aruba",
        "Panama",
        "Ukraine",
        "Trinidad and Tobago",
        "Saint Vincent and the Grenadines",
        "Saint Martin (French part)",
        "Sint Maarten (Dutch part)",
        "Philippines",
        "Netherlands",
        "Cura\u00e7ao",
        "Georgia",
        "Tanzania, United Republic of",
        "Costa Rica",
        "Guatemala",
        "Japan",
        "Barbados"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        }
      ],
      "industries": [
        "Education",
        "Technology",
        "Government",
        "Healthcare",
        "Biotechnology",
        "Telecommunications",
        "Energy",
        "Construction",
        "Chemical",
        "Agriculture",
        "Finance",
        "Media",
        "Defense",
        "Transportation"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 251,
        "hostname": 188,
        "FileHash-SHA256": 142,
        "URL": 69,
        "FileHash-MD5": 77,
        "FileHash-SHA1": 77
      },
      "indicator_count": 804,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 133,
      "modified_text": "593 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "666271a86acba18eb98ce7f3",
      "name": "Unix.Trojan.Mirai-6981158-0 | Win32/1ms0rry CoinMiner Botnet affects android user",
      "description": "Found an IP address in block: http://100.116.0.0/?\nFound on an Android device user. Target is being tracked. Uses .ru but tracks back to the US based on other studies. Command 'redirect blame' found in association. Active, moved.",
      "modified": "2024-07-07T01:06:11.854000",
      "created": "2024-06-07T02:34:16.108000",
      "tags": [
        "sha256",
        "sha1",
        "ascii text",
        "pattern match",
        "et tor",
        "known tor",
        "relayrouter",
        "exit",
        "node traffic",
        "misc attack",
        "null",
        "hybrid",
        "refresh",
        "body",
        "span",
        "june",
        "general",
        "local",
        "click",
        "strings",
        "error",
        "tools",
        "look",
        "verify",
        "restart",
        "contact",
        "win32 exe",
        "win32 dll",
        "wextract",
        "type name",
        "pink ribbon",
        "passive dns",
        "urls",
        "scan endpoints",
        "all scoreblue",
        "pulse pulses",
        "files",
        "domain",
        "files ip",
        "address domain",
        "ip related",
        "referrer",
        "doublepulsar",
        "historical ssl",
        "darkpulsar",
        "ru sketchup",
        "flawedammyy",
        "date",
        "hostname",
        "pulse submit",
        "url analysis",
        "verdict",
        "next",
        "a nxdomain",
        "ip address",
        "url http",
        "http",
        "related nids",
        "files location",
        "as9123 timeweb",
        "russia unknown",
        "ipv4",
        "reverse dns",
        "russia",
        "united kingdom",
        "aaaa",
        "as198947 jsc",
        "as29470 jsc",
        "moved",
        "search",
        "nxdomain",
        "files domain",
        "files related",
        "unknown",
        "as63949 linode",
        "germany unknown",
        "main",
        "as59552 vhg",
        "title",
        "div div",
        "gmt content",
        "accept",
        "chegg",
        "regis",
        "special use IP",
        "tracking",
        "locate",
        "pe resource",
        "no data",
        "tag count",
        "analyzer threat",
        "url summary",
        "summary",
        "sample",
        "samples",
        "detection list",
        "count blacklist",
        "xiaav",
        "windowsxp",
        "script domains",
        "script urls",
        "body doctype",
        "ok server",
        "encrypt",
        "cookie",
        "p div",
        "script script",
        "div section",
        "as21342",
        "js core",
        "a domains",
        "link",
        "as43561",
        "location sofia",
        "telnet",
        "belemet.id",
        "100.116.0.0/?",
        "a li",
        "p td",
        "td tr",
        "a br",
        "meta",
        "as24940 hetzner",
        "grab",
        "this",
        "entries",
        "trojan",
        "ransom",
        "msil",
        "site",
        "cisco umbrella",
        "alexa top",
        "million",
        "alexa",
        "malicious site",
        "malicious url",
        "hostnames",
        "blacklist",
        "trickbot",
        "usa",
        "showing",
        "creation date",
        "record value",
        "dnssec",
        "memcommit",
        "win321ms0rry",
        "coinminer",
        "etpro trojan",
        "botnet cnc",
        "checkin",
        "activity",
        "medium",
        "t1055",
        "lowfi",
        "malware",
        "copy"
      ],
      "references": [
        "IP Block: 100.116.0.0/ Details: https://www.virustotal.com/gui/ip-address/100.116.0.0/details",
        "bElement.id",
        "Unix.Mirai IP: https://otx.alienvault.com/indicator/ip/93.170.6.43",
        "https://otx.alienvault.com/indicator/file/a108ff340f5256cc17c1e8345aacc3cf6c91987a1884957ea75df6d23281480b",
        "Yara Detections: is__elf",
        "IDS Detections: TELNET login failed root login Bad Login Generic Ping Keep-Alive Inbound M3",
        "Alerts: network_icmp suricata_alert network_multiple_direct_ip_connections Medium Priority Related Pulses OTX User-Created Pulses (2) Related Tags 10 Related Tags manipulation ,  discovery ,  dhta3eru4egasjn ,  abuse elevation ,  setgid More File Type ELF - ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped Size 55 KB (56653 bytes) MD5",
        "IDS Detections MSIL/CoinMiner.ACM CnC Activity Win32/1ms0rry CoinMiner Botnet CnC Checkin",
        "b0t.fun: https://otx.alienvault.com/indicator/domain/b0t.fun",
        "IDS Detections: Win32/1ms0rry CoinMiner Botnet CnC Checkin MSIL/CoinMiner.ACM CnC Activity High Priority",
        "Alerts: nids_malware_alert injection_runpe network_icmp allocates_execute_remote_process antivm_queries_computername",
        "Alerts: persistence_autorun injection_ntsetcontextthread injection_resumethread dumped_buffer network_http raises_exception",
        "Alerts: antivm_network_adapters privilege_luid_check suspicious_tld allocates_rwx moves_self checks_debugger antivm_memory_available",
        "https://www.virustotal.com/gui/ip-address/100.116.0.0/summary"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Netherlands",
        "Germany",
        "Russian Federation"
      ],
      "malware_families": [
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "Dark Pulsar",
          "display_name": "Dark Pulsar",
          "target": null
        },
        {
          "id": "Unix.Trojan.Mirai-6981158-0",
          "display_name": "Unix.Trojan.Mirai-6981158-0",
          "target": null
        },
        {
          "id": "TrickBot",
          "display_name": "TrickBot",
          "target": null
        },
        {
          "id": "Packer.Native",
          "display_name": "Packer.Native",
          "target": null
        },
        {
          "id": "Win.Packed.Lynx",
          "display_name": "Win.Packed.Lynx",
          "target": null
        },
        {
          "id": "Sodinokibi.AB",
          "display_name": "Sodinokibi.AB",
          "target": null
        },
        {
          "id": "CoinMiner.ACM",
          "display_name": "CoinMiner.ACM",
          "target": null
        },
        {
          "id": "CoinMiner.WE",
          "display_name": "CoinMiner.WE",
          "target": null
        },
        {
          "id": "CoinMiner.WM",
          "display_name": "CoinMiner.WM",
          "target": null
        },
        {
          "id": "Win32/1ms0rry",
          "display_name": "Win32/1ms0rry",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1098",
          "name": "Account Manipulation",
          "display_name": "T1098 - Account Manipulation"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1195,
        "FileHash-SHA1": 745,
        "FileHash-SHA256": 1212,
        "URL": 2436,
        "domain": 1264,
        "hostname": 1148,
        "email": 1
      },
      "indicator_count": 8001,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 226,
      "modified_text": "651 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6639853fc403f7be5bd6f27d",
      "name": "Facebook+",
      "description": "",
      "modified": "2024-05-07T01:34:55.365000",
      "created": "2024-05-07T01:34:55.365000",
      "tags": [],
      "references": [
        "https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs",
        "https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs",
        "https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark",
        "https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark",
        "",
        "https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "65eea19a23474b8c7dca351f",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Phone2209",
        "id": "281168",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1165,
        "hostname": 866,
        "URL": 657,
        "FileHash-SHA256": 26,
        "email": 337,
        "FileHash-MD5": 12,
        "FileHash-SHA1": 8,
        "CIDR": 1
      },
      "indicator_count": 3072,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1,
      "modified_text": "712 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://www.facebook.com/tr",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://www.facebook.com/tr",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776618533.5227332
}