{
  "type": "URL",
  "indicator": "https://www.gitcloudcache.com/cache/GyyW6oTE7D",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://www.gitcloudcache.com/cache/GyyW6oTE7D",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3769400470,
      "indicator": "https://www.gitcloudcache.com/cache/GyyW6oTE7D",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 25,
      "pulses": [
        {
          "id": "688c8526be7a4df33863b5c5",
          "name": "VirusTotal - Shiz.ivr",
          "description": "*Win.Trojan.Shiz.ivr\n*PWS:Win32/Simda.D\n*virtool #injection#infostealer #network #cnc #block_not #virustotal_google #cnc #checking #procmem_yara\n#injection_inter_process\n#injection_create_remote_thread\n#antidebug_windows\n#multiple_useragents\n#network_fake_useragent\n#persistence_autorun\n#cape_detected_threat\n#antiav_detectfile\n#modify_proxy\n#deletes_self\n#infostealer_cookies\n#injection_createremotethread\n#suricata_alert\n~ vashti",
          "modified": "2025-08-31T08:01:04.297000",
          "created": "2025-08-01T09:13:10.510000",
          "tags": [
            "dynamicloader",
            "unknown",
            "msie",
            "windows nt",
            "slcc2",
            "media center",
            "suspicious",
            "search",
            "high",
            "show",
            "copy",
            "possible",
            "write",
            "internal",
            "malware",
            "push",
            "local",
            "next",
            "contacted",
            "domains",
            "pulses",
            "related tags",
            "file type",
            "date april",
            "pm size",
            "sha1 sha256",
            "imphash pehash",
            "virustotal api",
            "bq jul",
            "united",
            "trojan",
            "backdoor",
            "virtool",
            "cnc beacon",
            "entries",
            "path max",
            "passive dns",
            "next associated",
            "cookie",
            "twitter",
            "body",
            "date",
            "medium",
            "simda",
            "global"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 10303,
            "hostname": 1413,
            "FileHash-SHA256": 1868,
            "domain": 1877,
            "FileHash-MD5": 357,
            "FileHash-SHA1": 348,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 16168,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 145,
          "modified_text": "232 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66bb7f69cd76278113c22968",
          "name": "Remote | Inject | Access Token Manipulation | Jeffrey Reimer DPT Tsara Brashears Yandex Attack",
          "description": "Targets devices injected with extremely malicious URLs. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engines while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well-known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines in an attempt to frame the target. Countless porn sites were posted with the victim's name, appearing heaviest in Yandex and moderately heavy in Google. Killed the target's YouTube channel. Heavy use in the victim's Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
          "modified": "2024-10-11T00:04:00.735000",
          "created": "2024-08-13T15:44:41.449000",
          "tags": [
            "ip addresses",
            "luna moth",
            "campaign",
            "norad tracking",
            "ipdomain",
            "investigation",
            "hr rtd",
            "hallrender",
            "brian sabey",
            "heuristic",
            "referrer",
            "pe resource",
            "first",
            "utc submissions",
            "submitters",
            "solutions",
            "namesilo",
            "amazon02",
            "digitaloceanasn",
            "limited",
            "aschoopa",
            "ovh sas",
            "generator",
            "data",
            "v3 serial",
            "number",
            "issuer",
            "everywhere dv",
            "tls ca",
            "g1 odigicert",
            "validity",
            "subject public",
            "key info",
            "date",
            "server",
            "email",
            "code",
            "registrar abuse",
            "registrar url",
            "whois lookup",
            "admin city",
            "admin country",
            "cn admin",
            "office open",
            "xml spreadsheet",
            "detections type",
            "name",
            "dns replication",
            "iana id",
            "contact phone",
            "dnssec",
            "domain status",
            "registrar whois",
            "historical ssl",
            "threat roundup",
            "october",
            "investigation c",
            "december",
            "september",
            "ngfw traffic",
            "malicious ip",
            "address",
            "raspberry robin",
            "stealer",
            "creation date",
            "passive dns",
            "urls",
            "search",
            "name servers",
            "status",
            "showing",
            "all scoreblue",
            "unknown",
            "next",
            "as47846",
            "germany unknown",
            "as44273 host",
            "united",
            "as12876 online",
            "domain",
            "cve-2016-2569",
            "yodaprot",
            "xorcrypt",
            "yoda",
            "aspack",
            "yara detections",
            "intel",
            "comments",
            "show",
            "productversion",
            "inno setup",
            "invalid",
            "format",
            "invalid variant",
            "delphi",
            "stack",
            "error",
            "iniciar download setup",
            "gui",
            "application/octet-stream",
            "tsara brashears",
            "targets",
            "cve-2017-0199",
            "aspack",
            "contains-pe",
            "contains-elf",
            "bobsoft",
            "cve-2010-3333",
            "contains-embedded-js",
            "cve-2014-3931",
            "cve-2017-11882",
            "adware.adload/adinstaller",
            "win32processor",
            "information",
            "flow t1574",
            "dll sideloading",
            "reads",
            "downloads",
            "win32process",
            "t1055 spawns",
            "access token",
            "modify access",
            "files",
            "catalog tree",
            "analysis ob0001",
            "b0001 process",
            "b0003 delayed",
            "analysis ob0002",
            "evasion ob0006",
            "self deletion",
            "f0007 discovery",
            "ob0007 analysis",
            "dead",
            "cybercrime",
            "cyber criminal group",
            "dynamicloader",
            "high",
            "medium",
            "trojan",
            "less see",
            "contacted",
            "yara rule",
            "installs",
            "windows",
            "windows startup",
            "february",
            "copy",
            "as14061",
            "as16276",
            "canada unknown",
            "united kingdom",
            "as63949 linode",
            "as202053",
            "finland unknown",
            "aaaa",
            "get http",
            "request",
            "windows nt",
            "khtml",
            "gecko",
            "wow64",
            "host",
            "connection",
            "cus cndigicert",
            "ca1 odigicert",
            "win32",
            "win64",
            "accept",
            "dataset",
            "system property",
            "lookups",
            "select family",
            "userprofile",
            "temp",
            "samplepath",
            "user",
            "runtime modules",
            "modules",
            "programfiles",
            "windir",
            "datacrashpad",
            "k netsvcs",
            "s ngcctnrsvc",
            "nameweb bvba",
            "domains",
            "csc corporate",
            "registrarsafe",
            "registrar",
            "namecheap inc",
            "nameweb",
            "win32 exe",
            "detections file",
            "win32 dll",
            "ip detections",
            "country",
            "highly targeted",
            "problems",
            "sneaky server",
            "replacement",
            "unauthorized",
            "high level",
            "hackers",
            "unknown win",
            "agent tesla",
            "worm",
            "formbook",
            "startpage",
            "dead drop resolver",
            "nxdomain",
            "ns nxdomain",
            "scan endpoints",
            "all search",
            "otx scoreblue",
            "pulse pulses",
            "hostname",
            "files ip",
            "address domain",
            "div div",
            "a li",
            "p div",
            "read more",
            "a div",
            "bq aug",
            "script script",
            "path max",
            "age86400 set",
            "cookie",
            "entries",
            "trojandropper",
            "body",
            "trojan features",
            "related pulses",
            "file samples",
            "files matching",
            "date hash",
            "copyright",
            "virtool",
            "trojanspy",
            "hashes c2ae",
            "capa",
            "cape sandbox",
            "moves",
            "tencent habo",
            "zenbox",
            "tls rsa",
            "sha256",
            "inc subject",
            "global g2",
            "odigicert inc",
            "cndigicert sha2",
            "high assurance",
            "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl",
            "javascripts",
            "iframes",
            "embedded",
            "x sucuri",
            "cookie policy",
            "jeffrey scott reimer dpt",
            "toni braxton",
            "police",
            "fbi va",
            "loudon county",
            "ashburn va",
            "douglas co",
            "douglas co sheriff",
            "sheriff",
            "justin bieber",
            "swipper",
            "cape"
          ],
          "references": [
            "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net",
            "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
            "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)",
            "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs",
            "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected",
            "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows",
            "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING",
            "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply",
            "Yara Detections: Delphi",
            "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003",
            "\"Malware Behavior Catalog Tree:  Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102",
            "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02",
            "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007",
            "\"Malware Behavior Catalog Tree:  Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059",
            "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007",
            "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001",
            "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083",
            "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023",
            "\"Dataset actions -System Property Lookups: IIWbemServices::Connect",
            "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
            "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
            "\"Dataset actions - System Property Lookups:  Execution OB0012  F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005",
            "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus",
            "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com",
            "Apple Issues:\tcheckapple.com http://www.checkapple.com/  https://bincc.xyz/bin-apple-music-1month-apple-tv-7days  apple-marketing.com",
            "Apple Issues:\tapp-appleid.serveirc.com  appleid-appleus.serveirc.com  appleidapple.serveirc.com   apples-uncek.serveirc.com",
            "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/  http://www.appleid-lockid.serveirc.com/  http://www.appleid-seccure23.serveirc.com/",
            "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/   http://www.appleid-secure22.serveirc.com/ serviceirc.com",
            "Apple Issues: http://www.appleid-supporthelp.serveirc.com/   http://www.appleids-security.serveirc.com/",
            "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days",
            "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort",
            "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A",
            "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB ,  Backdoor:Linux/Setag!rfn ,  Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn",
            "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn ,  ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt",
            "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048",
            "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007",
            "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017",
            "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004",
            "\"Malware Behavior Catalog Tree: Create 00001807  Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001",
            "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021",
            "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry",
            "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"",
            "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query",
            "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32",
            "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API",
            "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer",
            "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation",
            "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows",
            "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value",
            "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory",
            "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows",
            "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path",
            "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system",
            "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists",
            "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Netherlands",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "PUP/Win32.Bundler.R1865",
              "display_name": "PUP/Win32.Bundler.R1865",
              "target": null
            },
            {
              "id": "Inno:Downloader-J [PUP]",
              "display_name": "Inno:Downloader-J [PUP]",
              "target": null
            },
            {
              "id": "AdWare:Win32/AdLoad.0e19dea6",
              "display_name": "AdWare:Win32/AdLoad.0e19dea6",
              "target": "/malware/AdWare:Win32/AdLoad.0e19dea6"
            },
            {
              "id": "Adware.Adload/Adinstaller",
              "display_name": "Adware.Adload/Adinstaller",
              "target": null
            },
            {
              "id": "Win.Packed.Razy-9828382-0",
              "display_name": "Win.Packed.Razy-9828382-0",
              "target": null
            },
            {
              "id": "VirTool:Win32/Injector",
              "display_name": "VirTool:Win32/Injector",
              "target": "/malware/VirTool:Win32/Injector"
            },
            {
              "id": "Trojan:Win32/Zombie",
              "display_name": "Trojan:Win32/Zombie",
              "target": "/malware/Trojan:Win32/Zombie"
            },
            {
              "id": "TrojanDropper:Win32/Muldrop",
              "display_name": "TrojanDropper:Win32/Muldrop",
              "target": "/malware/TrojanDropper:Win32/Muldrop"
            },
            {
              "id": "TrojanSpy:Win32/Nivdort",
              "display_name": "TrojanSpy:Win32/Nivdort",
              "target": "/malware/TrojanSpy:Win32/Nivdort"
            },
            {
              "id": "Trojan:Win32/Glupteba.MT!MTB",
              "display_name": "Trojan:Win32/Glupteba.MT!MTB",
              "target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
            }
          ],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1529",
              "name": "System Shutdown/Reboot",
              "display_name": "T1529 - System Shutdown/Reboot"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1472",
              "name": "Generate Fraudulent Advertising Revenue",
              "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
            },
            {
              "id": "T1448",
              "name": "Carrier Billing Fraud",
              "display_name": "T1448 - Carrier Billing Fraud"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1516",
              "name": "Input Injection",
              "display_name": "T1516 - Input Injection"
            },
            {
              "id": "T1221",
              "name": "Template Injection",
              "display_name": "T1221 - Template Injection"
            }
          ],
          "industries": [
            "Technology",
            "Civilian Society"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 35,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1402,
            "FileHash-SHA1": 1366,
            "FileHash-SHA256": 6457,
            "URL": 6175,
            "domain": 1418,
            "hostname": 2288,
            "CVE": 10,
            "email": 6
          },
          "indicator_count": 19122,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 225,
          "modified_text": "556 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66bb7bf15d571906a0a5e1a3",
          "name": "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
          "description": "Targets devices injected with extremely malicious URLs. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engines while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well-known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines in an attempt to frame the target. Countless porn sites were posted with the victim's name, appearing heaviest in Yandex and moderately heavy in Google. Killed the target's YouTube channel. Heavy use in the victim's Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
          "modified": "2024-10-11T00:04:00.735000",
          "created": "2024-08-13T15:29:53.002000",
          "tags": [
            "ip addresses",
            "luna moth",
            "campaign",
            "norad tracking",
            "ipdomain",
            "investigation",
            "hr rtd",
            "hallrender",
            "brian sabey",
            "heuristic",
            "referrer",
            "pe resource",
            "first",
            "utc submissions",
            "submitters",
            "solutions",
            "namesilo",
            "amazon02",
            "digitaloceanasn",
            "limited",
            "aschoopa",
            "ovh sas",
            "generator",
            "data",
            "v3 serial",
            "number",
            "issuer",
            "everywhere dv",
            "tls ca",
            "g1 odigicert",
            "validity",
            "subject public",
            "key info",
            "date",
            "server",
            "email",
            "code",
            "registrar abuse",
            "registrar url",
            "whois lookup",
            "admin city",
            "admin country",
            "cn admin",
            "office open",
            "xml spreadsheet",
            "detections type",
            "name",
            "dns replication",
            "iana id",
            "contact phone",
            "dnssec",
            "domain status",
            "registrar whois",
            "historical ssl",
            "threat roundup",
            "october",
            "investigation c",
            "december",
            "september",
            "ngfw traffic",
            "malicious ip",
            "address",
            "raspberry robin",
            "stealer",
            "creation date",
            "passive dns",
            "urls",
            "search",
            "name servers",
            "status",
            "showing",
            "all scoreblue",
            "unknown",
            "next",
            "as47846",
            "germany unknown",
            "as44273 host",
            "united",
            "as12876 online",
            "domain",
            "cve-2016-2569",
            "yodaprot",
            "xorcrypt",
            "yoda",
            "aspack",
            "yara detections",
            "intel",
            "comments",
            "show",
            "productversion",
            "inno setup",
            "invalid",
            "format",
            "invalid variant",
            "delphi",
            "stack",
            "error",
            "iniciar download setup",
            "gui",
            "application/octet-stream",
            "tsara brashears",
            "targets",
            "cve-2017-0199",
            "aspack",
            "contains-pe",
            "contains-elf",
            "bobsoft",
            "cve-2010-3333",
            "contains-embedded-js",
            "cve-2014-3931",
            "cve-2017-11882",
            "adware.adload/adinstaller",
            "win32processor",
            "information",
            "flow t1574",
            "dll sideloading",
            "reads",
            "downloads",
            "win32process",
            "t1055 spawns",
            "access token",
            "modify access",
            "files",
            "catalog tree",
            "analysis ob0001",
            "b0001 process",
            "b0003 delayed",
            "analysis ob0002",
            "evasion ob0006",
            "self deletion",
            "f0007 discovery",
            "ob0007 analysis",
            "dead",
            "cybercrime",
            "cyber criminal group",
            "dynamicloader",
            "high",
            "medium",
            "trojan",
            "less see",
            "contacted",
            "yara rule",
            "installs",
            "windows",
            "windows startup",
            "february",
            "copy",
            "as14061",
            "as16276",
            "canada unknown",
            "united kingdom",
            "as63949 linode",
            "as202053",
            "finland unknown",
            "aaaa",
            "get http",
            "request",
            "windows nt",
            "khtml",
            "gecko",
            "wow64",
            "host",
            "connection",
            "cus cndigicert",
            "ca1 odigicert",
            "win32",
            "win64",
            "accept",
            "dataset",
            "system property",
            "lookups",
            "select family",
            "userprofile",
            "temp",
            "samplepath",
            "user",
            "runtime modules",
            "modules",
            "programfiles",
            "windir",
            "datacrashpad",
            "k netsvcs",
            "s ngcctnrsvc",
            "nameweb bvba",
            "domains",
            "csc corporate",
            "registrarsafe",
            "registrar",
            "namecheap inc",
            "nameweb",
            "win32 exe",
            "detections file",
            "win32 dll",
            "ip detections",
            "country",
            "highly targeted",
            "problems",
            "sneaky server",
            "replacement",
            "unauthorized",
            "high level",
            "hackers",
            "unknown win",
            "agent tesla",
            "worm",
            "formbook",
            "startpage",
            "dead drop resolver",
            "nxdomain",
            "ns nxdomain",
            "scan endpoints",
            "all search",
            "otx scoreblue",
            "pulse pulses",
            "hostname",
            "files ip",
            "address domain",
            "div div",
            "a li",
            "p div",
            "read more",
            "a div",
            "bq aug",
            "script script",
            "path max",
            "age86400 set",
            "cookie",
            "entries",
            "trojandropper",
            "body",
            "trojan features",
            "related pulses",
            "file samples",
            "files matching",
            "date hash",
            "copyright",
            "virtool",
            "trojanspy",
            "hashes c2ae",
            "capa",
            "cape sandbox",
            "moves",
            "tencent habo",
            "zenbox",
            "tls rsa",
            "sha256",
            "inc subject",
            "global g2",
            "odigicert inc",
            "cndigicert sha2",
            "high assurance",
            "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl",
            "javascripts",
            "iframes",
            "embedded",
            "x sucuri",
            "cookie policy",
            "jeffrey scott reimer dpt",
            "toni braxton",
            "police",
            "fbi va",
            "loudon county",
            "ashburn va",
            "douglas co",
            "douglas co sheriff",
            "sheriff",
            "justin bieber",
            "swipper"
          ],
          "references": [
            "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net",
            "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
            "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)",
            "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs",
            "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected",
            "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows",
            "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING",
            "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply",
            "Yara Detections: Delphi",
            "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003",
            "\"Malware Behavior Catalog Tree:  Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102",
            "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02",
            "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007",
            "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083",
            "\"Malware Behavior Catalog Tree:  Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059",
            "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007",
            "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001",
            "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083",
            "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023",
            "\"Dataset actions -System Property Lookups: IIWbemServices::Connect",
            "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
            "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
            "\"Dataset actions - System Property Lookups:  Execution OB0012  F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005",
            "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus",
            "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com",
            "Apple Issues:\tcheckapple.com http://www.checkapple.com/  https://bincc.xyz/bin-apple-music-1month-apple-tv-7days  apple-marketing.com",
            "Apple Issues:\tapp-appleid.serveirc.com  appleid-appleus.serveirc.com  appleidapple.serveirc.com   apples-uncek.serveirc.com",
            "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/  http://www.appleid-lockid.serveirc.com/  http://www.appleid-seccure23.serveirc.com/",
            "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/   http://www.appleid-secure22.serveirc.com/ serviceirc.com",
            "Apple Issues: http://www.appleid-supporthelp.serveirc.com/   http://www.appleids-security.serveirc.com/",
            "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days",
            "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort",
            "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A",
            "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB ,  Backdoor:Linux/Setag!rfn ,  Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn",
            "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn ,  ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt",
            "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048",
            "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007",
            "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017",
            "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004",
            "\"Malware Behavior Catalog Tree: Create 00001807  Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001",
            "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021",
            "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry",
            "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"",
            "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query",
            "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32",
            "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API",
            "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer",
            "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation",
            "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows",
            "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value",
            "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory",
            "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows",
            "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path",
            "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system",
            "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists",
            "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Netherlands",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "PUP/Win32.Bundler.R1865",
              "display_name": "PUP/Win32.Bundler.R1865",
              "target": null
            },
            {
              "id": "Inno:Downloader-J [PUP]",
              "display_name": "Inno:Downloader-J [PUP]",
              "target": null
            },
            {
              "id": "AdWare:Win32/AdLoad.0e19dea6",
              "display_name": "AdWare:Win32/AdLoad.0e19dea6",
              "target": "/malware/AdWare:Win32/AdLoad.0e19dea6"
            },
            {
              "id": "Adware.Adload/Adinstaller",
              "display_name": "Adware.Adload/Adinstaller",
              "target": null
            },
            {
              "id": "Win.Packed.Razy-9828382-0",
              "display_name": "Win.Packed.Razy-9828382-0",
              "target": null
            },
            {
              "id": "VirTool:Win32/Injector",
              "display_name": "VirTool:Win32/Injector",
              "target": "/malware/VirTool:Win32/Injector"
            },
            {
              "id": "Trojan:Win32/Zombie",
              "display_name": "Trojan:Win32/Zombie",
              "target": "/malware/Trojan:Win32/Zombie"
            },
            {
              "id": "TrojanDropper:Win32/Muldrop",
              "display_name": "TrojanDropper:Win32/Muldrop",
              "target": "/malware/TrojanDropper:Win32/Muldrop"
            },
            {
              "id": "TrojanSpy:Win32/Nivdort",
              "display_name": "TrojanSpy:Win32/Nivdort",
              "target": "/malware/TrojanSpy:Win32/Nivdort"
            },
            {
              "id": "Trojan:Win32/Glupteba.MT!MTB",
              "display_name": "Trojan:Win32/Glupteba.MT!MTB",
              "target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
            }
          ],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1529",
              "name": "System Shutdown/Reboot",
              "display_name": "T1529 - System Shutdown/Reboot"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1472",
              "name": "Generate Fraudulent Advertising Revenue",
              "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
            },
            {
              "id": "T1448",
              "name": "Carrier Billing Fraud",
              "display_name": "T1448 - Carrier Billing Fraud"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1516",
              "name": "Input Injection",
              "display_name": "T1516 - Input Injection"
            },
            {
              "id": "T1221",
              "name": "Template Injection",
              "display_name": "T1221 - Template Injection"
            }
          ],
          "industries": [
            "Technology",
            "Civilian Society"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 34,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1402,
            "FileHash-SHA1": 1366,
            "FileHash-SHA256": 6457,
            "URL": 6175,
            "domain": 1418,
            "hostname": 2288,
            "CVE": 10,
            "email": 6
          },
          "indicator_count": 19122,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "556 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66bb7bdba31f4d175b19d1ef",
          "name": "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
          "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target.  Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
          "modified": "2024-10-11T00:04:00.735000",
          "created": "2024-08-13T15:29:31.899000",
          "tags": [
            "ip addresses",
            "luna moth",
            "campaign",
            "norad tracking",
            "ipdomain",
            "investigation",
            "hr rtd",
            "hallrender",
            "brian sabey",
            "heuristic",
            "referrer",
            "pe resource",
            "first",
            "utc submissions",
            "submitters",
            "solutions",
            "namesilo",
            "amazon02",
            "digitaloceanasn",
            "limited",
            "aschoopa",
            "ovh sas",
            "generator",
            "data",
            "v3 serial",
            "number",
            "issuer",
            "everywhere dv",
            "tls ca",
            "g1 odigicert",
            "validity",
            "subject public",
            "key info",
            "date",
            "server",
            "email",
            "code",
            "registrar abuse",
            "registrar url",
            "whois lookup",
            "admin city",
            "admin country",
            "cn admin",
            "office open",
            "xml spreadsheet",
            "detections type",
            "name",
            "dns replication",
            "iana id",
            "contact phone",
            "dnssec",
            "domain status",
            "registrar whois",
            "historical ssl",
            "threat roundup",
            "october",
            "investigation c",
            "december",
            "september",
            "ngfw traffic",
            "malicious ip",
            "address",
            "raspberry robin",
            "stealer",
            "creation date",
            "passive dns",
            "urls",
            "search",
            "name servers",
            "status",
            "showing",
            "all scoreblue",
            "unknown",
            "next",
            "as47846",
            "germany unknown",
            "as44273 host",
            "united",
            "as12876 online",
            "domain",
            "cve-2016-2569",
            "yodaprot",
            "xorcrypt",
            "yoda",
            "aspack",
            "yara detections",
            "intel",
            "comments",
            "show",
            "productversion",
            "inno setup",
            "invalid",
            "format",
            "invalid variant",
            "delphi",
            "stack",
            "error",
            "iniciar download setup",
            "gui",
            "application/octet-stream",
            "tsara brashears",
            "targets",
            "cve-2017-0199",
            "aspack",
            "contains-pe",
            "contains-elf",
            "bobsoft",
            "cve-2010-3333",
            "contains-embedded-js",
            "cve-2014-3931",
            "cve-2017-11882",
            "adware.adload/adinstaller",
            "win32processor",
            "information",
            "flow t1574",
            "dll sideloading",
            "reads",
            "downloads",
            "win32process",
            "t1055 spawns",
            "access token",
            "modify access",
            "files",
            "catalog tree",
            "analysis ob0001",
            "b0001 process",
            "b0003 delayed",
            "analysis ob0002",
            "evasion ob0006",
            "self deletion",
            "f0007 discovery",
            "ob0007 analysis",
            "dead",
            "cybercrime",
            "cyber criminal group",
            "dynamicloader",
            "high",
            "medium",
            "trojan",
            "less see",
            "contacted",
            "yara rule",
            "installs",
            "windows",
            "windows startup",
            "february",
            "copy",
            "as14061",
            "as16276",
            "canada unknown",
            "united kingdom",
            "as63949 linode",
            "as202053",
            "finland unknown",
            "aaaa",
            "get http",
            "request",
            "windows nt",
            "khtml",
            "gecko",
            "wow64",
            "host",
            "connection",
            "cus cndigicert",
            "ca1 odigicert",
            "win32",
            "win64",
            "accept",
            "dataset",
            "system property",
            "lookups",
            "select family",
            "userprofile",
            "temp",
            "samplepath",
            "user",
            "runtime modules",
            "modules",
            "programfiles",
            "windir",
            "datacrashpad",
            "k netsvcs",
            "s ngcctnrsvc",
            "nameweb bvba",
            "domains",
            "csc corporate",
            "registrarsafe",
            "registrar",
            "namecheap inc",
            "nameweb",
            "win32 exe",
            "detections file",
            "win32 dll",
            "ip detections",
            "country",
            "highly targeted",
            "problems",
            "sneaky server",
            "replacement",
            "unauthorized",
            "high level",
            "hackers",
            "unknown win",
            "agent tesla",
            "worm",
            "formbook",
            "startpage",
            "dead drop resolver",
            "nxdomain",
            "ns nxdomain",
            "scan endpoints",
            "all search",
            "otx scoreblue",
            "pulse pulses",
            "hostname",
            "files ip",
            "address domain",
            "div div",
            "a li",
            "p div",
            "read more",
            "a div",
            "bq aug",
            "script script",
            "path max",
            "age86400 set",
            "cookie",
            "entries",
            "trojandropper",
            "body",
            "trojan features",
            "related pulses",
            "file samples",
            "files matching",
            "date hash",
            "copyright",
            "virtool",
            "trojanspy",
            "hashes c2ae",
            "capa",
            "cape sandbox",
            "moves",
            "tencent habo",
            "zenbox",
            "tls rsa",
            "sha256",
            "inc subject",
            "global g2",
            "odigicert inc",
            "cndigicert sha2",
            "high assurance",
            "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl",
            "javascripts",
            "iframes",
            "embedded",
            "x sucuri",
            "cookie policy",
            "jeffrey scott reimer dpt",
            "toni braxton",
            "police",
            "fbi va",
            "loudon county",
            "ashburn va",
            "douglas co",
            "douglas co sheriff",
            "sheriff",
            "justin bieber",
            "swipper"
          ],
          "references": [
            "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net",
            "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
            "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)",
            "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs",
            "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected",
            "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows",
            "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING",
            "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply",
            "Yara Detections: Delphi",
            "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003",
            "\"Malware Behavior Catalog Tree:  Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102",
            "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02",
            "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007",
            "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083",
            "\"Malware Behavior Catalog Tree:  Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059",
            "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007",
            "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001",
            "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083",
            "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023",
            "\"Dataset actions -System Property Lookups: IIWbemServices::Connect",
            "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
            "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
            "\"Dataset actions - System Property Lookups:  Execution OB0012  F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005",
            "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus",
            "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com",
            "Apple Issues:\tcheckapple.com http://www.checkapple.com/  https://bincc.xyz/bin-apple-music-1month-apple-tv-7days  apple-marketing.com",
            "Apple Issues:\tapp-appleid.serveirc.com  appleid-appleus.serveirc.com  appleidapple.serveirc.com   apples-uncek.serveirc.com",
            "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/  http://www.appleid-lockid.serveirc.com/  http://www.appleid-seccure23.serveirc.com/",
            "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/   http://www.appleid-secure22.serveirc.com/ serviceirc.com",
            "Apple Issues: http://www.appleid-supporthelp.serveirc.com/   http://www.appleids-security.serveirc.com/",
            "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days",
            "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort",
            "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A",
            "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB ,  Backdoor:Linux/Setag!rfn ,  Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn",
            "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn ,  ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt",
            "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048",
            "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007",
            "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017",
            "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004",
            "\"Malware Behavior Catalog Tree: Create 00001807  Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001",
            "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021",
            "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry",
            "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"",
            "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query",
            "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32",
            "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API",
            "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer",
            "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation",
            "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows",
            "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value",
            "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory",
            "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows",
            "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path",
            "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system",
            "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists",
            "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Netherlands",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "PUP/Win32.Bundler.R1865",
              "display_name": "PUP/Win32.Bundler.R1865",
              "target": null
            },
            {
              "id": "Inno:Downloader-J [PUP]",
              "display_name": "Inno:Downloader-J [PUP]",
              "target": null
            },
            {
              "id": "AdWare:Win32/AdLoad.0e19dea6",
              "display_name": "AdWare:Win32/AdLoad.0e19dea6",
              "target": "/malware/AdWare:Win32/AdLoad.0e19dea6"
            },
            {
              "id": "Adware.Adload/Adinstaller",
              "display_name": "Adware.Adload/Adinstaller",
              "target": null
            },
            {
              "id": "Win.Packed.Razy-9828382-0",
              "display_name": "Win.Packed.Razy-9828382-0",
              "target": null
            },
            {
              "id": "VirTool:Win32/Injector",
              "display_name": "VirTool:Win32/Injector",
              "target": "/malware/VirTool:Win32/Injector"
            },
            {
              "id": "Trojan:Win32/Zombie",
              "display_name": "Trojan:Win32/Zombie",
              "target": "/malware/Trojan:Win32/Zombie"
            },
            {
              "id": "TrojanDropper:Win32/Muldrop",
              "display_name": "TrojanDropper:Win32/Muldrop",
              "target": "/malware/TrojanDropper:Win32/Muldrop"
            },
            {
              "id": "TrojanSpy:Win32/Nivdort",
              "display_name": "TrojanSpy:Win32/Nivdort",
              "target": "/malware/TrojanSpy:Win32/Nivdort"
            },
            {
              "id": "Trojan:Win32/Glupteba.MT!MTB",
              "display_name": "Trojan:Win32/Glupteba.MT!MTB",
              "target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
            }
          ],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1529",
              "name": "System Shutdown/Reboot",
              "display_name": "T1529 - System Shutdown/Reboot"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1472",
              "name": "Generate Fraudulent Advertising Revenue",
              "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
            },
            {
              "id": "T1448",
              "name": "Carrier Billing Fraud",
              "display_name": "T1448 - Carrier Billing Fraud"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1516",
              "name": "Input Injection",
              "display_name": "T1516 - Input Injection"
            },
            {
              "id": "T1221",
              "name": "Template Injection",
              "display_name": "T1221 - Template Injection"
            }
          ],
          "industries": [
            "Technology",
            "Civilian Society"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 33,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1403,
            "FileHash-SHA1": 1367,
            "FileHash-SHA256": 6478,
            "URL": 6415,
            "domain": 1445,
            "hostname": 2408,
            "CVE": 10,
            "email": 6
          },
          "indicator_count": 19532,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 226,
          "modified_text": "556 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66bb7ac0b39138b588fa325b",
          "name": "Injection | Target devices affected. Connected to Notepad | Yandex| Brian Sabey & Associated",
          "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target.  Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
          "modified": "2024-10-11T00:04:00.735000",
          "created": "2024-08-13T15:24:48.834000",
          "tags": [
            "ip addresses",
            "luna moth",
            "campaign",
            "norad tracking",
            "ipdomain",
            "investigation",
            "hr rtd",
            "hallrender",
            "brian sabey",
            "heuristic",
            "referrer",
            "pe resource",
            "first",
            "utc submissions",
            "submitters",
            "solutions",
            "namesilo",
            "amazon02",
            "digitaloceanasn",
            "limited",
            "aschoopa",
            "ovh sas",
            "generator",
            "data",
            "v3 serial",
            "number",
            "issuer",
            "everywhere dv",
            "tls ca",
            "g1 odigicert",
            "validity",
            "subject public",
            "key info",
            "date",
            "server",
            "email",
            "code",
            "registrar abuse",
            "registrar url",
            "whois lookup",
            "admin city",
            "admin country",
            "cn admin",
            "office open",
            "xml spreadsheet",
            "detections type",
            "name",
            "dns replication",
            "iana id",
            "contact phone",
            "dnssec",
            "domain status",
            "registrar whois",
            "historical ssl",
            "threat roundup",
            "october",
            "investigation c",
            "december",
            "september",
            "ngfw traffic",
            "malicious ip",
            "address",
            "raspberry robin",
            "stealer",
            "creation date",
            "passive dns",
            "urls",
            "search",
            "name servers",
            "status",
            "showing",
            "all scoreblue",
            "unknown",
            "next",
            "as47846",
            "germany unknown",
            "as44273 host",
            "united",
            "as12876 online",
            "domain",
            "cve-2016-2569",
            "yodaprot",
            "xorcrypt",
            "yoda",
            "aspack",
            "yara detections",
            "intel",
            "comments",
            "show",
            "productversion",
            "inno setup",
            "invalid",
            "format",
            "invalid variant",
            "delphi",
            "stack",
            "error",
            "iniciar download setup",
            "gui",
            "application/octet-stream",
            "tsara brashears",
            "targets",
            "cve-2017-0199",
            "aspack",
            "contains-pe",
            "contains-elf",
            "bobsoft",
            "cve-2010-3333",
            "contains-embedded-js",
            "cve-2014-3931",
            "cve-2017-11882",
            "adware.adload/adinstaller",
            "win32processor",
            "information",
            "flow t1574",
            "dll sideloading",
            "reads",
            "downloads",
            "win32process",
            "t1055 spawns",
            "access token",
            "modify access",
            "files",
            "catalog tree",
            "analysis ob0001",
            "b0001 process",
            "b0003 delayed",
            "analysis ob0002",
            "evasion ob0006",
            "self deletion",
            "f0007 discovery",
            "ob0007 analysis",
            "dead",
            "cybercrime",
            "cyber criminal group",
            "dynamicloader",
            "high",
            "medium",
            "trojan",
            "less see",
            "contacted",
            "yara rule",
            "installs",
            "windows",
            "windows startup",
            "february",
            "copy",
            "as14061",
            "as16276",
            "canada unknown",
            "united kingdom",
            "as63949 linode",
            "as202053",
            "finland unknown",
            "aaaa",
            "get http",
            "request",
            "windows nt",
            "khtml",
            "gecko",
            "wow64",
            "host",
            "connection",
            "cus cndigicert",
            "ca1 odigicert",
            "win32",
            "win64",
            "accept",
            "dataset",
            "system property",
            "lookups",
            "select family",
            "userprofile",
            "temp",
            "samplepath",
            "user",
            "runtime modules",
            "modules",
            "programfiles",
            "windir",
            "datacrashpad",
            "k netsvcs",
            "s ngcctnrsvc",
            "nameweb bvba",
            "domains",
            "csc corporate",
            "registrarsafe",
            "registrar",
            "namecheap inc",
            "nameweb",
            "win32 exe",
            "detections file",
            "win32 dll",
            "ip detections",
            "country",
            "highly targeted",
            "problems",
            "sneaky server",
            "replacement",
            "unauthorized",
            "high level",
            "hackers",
            "unknown win",
            "agent tesla",
            "worm",
            "formbook",
            "startpage",
            "dead drop resolver",
            "nxdomain",
            "ns nxdomain",
            "scan endpoints",
            "all search",
            "otx scoreblue",
            "pulse pulses",
            "hostname",
            "files ip",
            "address domain",
            "div div",
            "a li",
            "p div",
            "read more",
            "a div",
            "bq aug",
            "script script",
            "path max",
            "age86400 set",
            "cookie",
            "entries",
            "trojandropper",
            "body",
            "trojan features",
            "related pulses",
            "file samples",
            "files matching",
            "date hash",
            "copyright",
            "virtool",
            "trojanspy",
            "hashes c2ae",
            "capa",
            "cape sandbox",
            "moves",
            "tencent habo",
            "zenbox",
            "tls rsa",
            "sha256",
            "inc subject",
            "global g2",
            "odigicert inc",
            "cndigicert sha2",
            "high assurance",
            "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl",
            "javascripts",
            "iframes",
            "embedded",
            "x sucuri",
            "cookie policy",
            "jeffrey scott reimer dpt",
            "toni braxton",
            "police",
            "fbi va",
            "loudon county",
            "ashburn va",
            "douglas co",
            "douglas co sheriff",
            "sheriff",
            "justin bieber",
            "swipper"
          ],
          "references": [
            "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net",
            "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
            "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)",
            "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs",
            "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected",
            "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows",
            "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING",
            "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply",
            "Yara Detections: Delphi",
            "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003",
            "\"Malware Behavior Catalog Tree:  Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102",
            "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02",
            "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007",
            "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083",
            "\"Malware Behavior Catalog Tree:  Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059",
            "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007",
            "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001",
            "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083",
            "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023",
            "\"Dataset actions -System Property Lookups: IIWbemServices::Connect",
            "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
            "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
            "\"Dataset actions - System Property Lookups:  Execution OB0012  F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005",
            "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus",
            "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com",
            "Apple Issues:\tcheckapple.com http://www.checkapple.com/  https://bincc.xyz/bin-apple-music-1month-apple-tv-7days  apple-marketing.com",
            "Apple Issues:\tapp-appleid.serveirc.com  appleid-appleus.serveirc.com  appleidapple.serveirc.com   apples-uncek.serveirc.com",
            "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/  http://www.appleid-lockid.serveirc.com/  http://www.appleid-seccure23.serveirc.com/",
            "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/   http://www.appleid-secure22.serveirc.com/ serviceirc.com",
            "Apple Issues: http://www.appleid-supporthelp.serveirc.com/   http://www.appleids-security.serveirc.com/",
            "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days",
            "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort",
            "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A",
            "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB ,  Backdoor:Linux/Setag!rfn ,  Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn",
            "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn ,  ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt",
            "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048",
            "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007",
            "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017",
            "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004",
            "\"Malware Behavior Catalog Tree: Create 00001807  Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001",
            "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021",
            "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry",
            "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"",
            "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query",
            "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32",
            "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API",
            "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer",
            "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation",
            "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows",
            "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value",
            "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory",
            "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows",
            "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path",
            "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system",
            "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists",
            "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Netherlands",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "PUP/Win32.Bundler.R1865",
              "display_name": "PUP/Win32.Bundler.R1865",
              "target": null
            },
            {
              "id": "Inno:Downloader-J [PUP]",
              "display_name": "Inno:Downloader-J [PUP]",
              "target": null
            },
            {
              "id": "AdWare:Win32/AdLoad.0e19dea6",
              "display_name": "AdWare:Win32/AdLoad.0e19dea6",
              "target": "/malware/AdWare:Win32/AdLoad.0e19dea6"
            },
            {
              "id": "Adware.Adload/Adinstaller",
              "display_name": "Adware.Adload/Adinstaller",
              "target": null
            },
            {
              "id": "Win.Packed.Razy-9828382-0",
              "display_name": "Win.Packed.Razy-9828382-0",
              "target": null
            },
            {
              "id": "VirTool:Win32/Injector",
              "display_name": "VirTool:Win32/Injector",
              "target": "/malware/VirTool:Win32/Injector"
            },
            {
              "id": "Trojan:Win32/Zombie",
              "display_name": "Trojan:Win32/Zombie",
              "target": "/malware/Trojan:Win32/Zombie"
            },
            {
              "id": "TrojanDropper:Win32/Muldrop",
              "display_name": "TrojanDropper:Win32/Muldrop",
              "target": "/malware/TrojanDropper:Win32/Muldrop"
            },
            {
              "id": "TrojanSpy:Win32/Nivdort",
              "display_name": "TrojanSpy:Win32/Nivdort",
              "target": "/malware/TrojanSpy:Win32/Nivdort"
            },
            {
              "id": "Trojan:Win32/Glupteba.MT!MTB",
              "display_name": "Trojan:Win32/Glupteba.MT!MTB",
              "target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
            }
          ],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1529",
              "name": "System Shutdown/Reboot",
              "display_name": "T1529 - System Shutdown/Reboot"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1472",
              "name": "Generate Fraudulent Advertising Revenue",
              "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
            },
            {
              "id": "T1448",
              "name": "Carrier Billing Fraud",
              "display_name": "T1448 - Carrier Billing Fraud"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1516",
              "name": "Input Injection",
              "display_name": "T1516 - Input Injection"
            },
            {
              "id": "T1221",
              "name": "Template Injection",
              "display_name": "T1221 - Template Injection"
            }
          ],
          "industries": [
            "Technology",
            "Civilian Society"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 34,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1402,
            "FileHash-SHA1": 1366,
            "FileHash-SHA256": 6457,
            "URL": 6175,
            "domain": 1418,
            "hostname": 2287,
            "CVE": 10,
            "email": 6
          },
          "indicator_count": 19121,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "556 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66bb7aa9d0ec86cff5b95b64",
          "name": "Injection | Target devices affected. Connected to Notepad | Yandex| Brian Sabey & Associated",
          "description": "Targets devices injected with extremely malicious URLs. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine results while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well-known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in the Bing search engine in an attempt to frame the target. Countless porn sites were posted with the victim's name, appearing most heavily in Yandex and moderately heavily in Google. Killed the target's YouTube channel. Heavy use in the victim's Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
          "modified": "2024-09-12T14:01:56.106000",
          "created": "2024-08-13T15:24:25.284000",
          "tags": [
            "ip addresses",
            "luna moth",
            "campaign",
            "norad tracking",
            "ipdomain",
            "investigation",
            "hr rtd",
            "hallrender",
            "brian sabey",
            "heuristic",
            "referrer",
            "pe resource",
            "first",
            "utc submissions",
            "submitters",
            "solutions",
            "namesilo",
            "amazon02",
            "digitaloceanasn",
            "limited",
            "aschoopa",
            "ovh sas",
            "generator",
            "data",
            "v3 serial",
            "number",
            "issuer",
            "everywhere dv",
            "tls ca",
            "g1 odigicert",
            "validity",
            "subject public",
            "key info",
            "date",
            "server",
            "email",
            "code",
            "registrar abuse",
            "registrar url",
            "whois lookup",
            "admin city",
            "admin country",
            "cn admin",
            "office open",
            "xml spreadsheet",
            "detections type",
            "name",
            "dns replication",
            "iana id",
            "contact phone",
            "dnssec",
            "domain status",
            "registrar whois",
            "historical ssl",
            "threat roundup",
            "october",
            "investigation c",
            "december",
            "september",
            "ngfw traffic",
            "malicious ip",
            "address",
            "raspberry robin",
            "stealer",
            "creation date",
            "passive dns",
            "urls",
            "search",
            "name servers",
            "status",
            "showing",
            "all scoreblue",
            "unknown",
            "next",
            "as47846",
            "germany unknown",
            "as44273 host",
            "united",
            "as12876 online",
            "domain",
            "cve-2016-2569",
            "yodaprot",
            "xorcrypt",
            "yoda",
            "aspack",
            "yara detections",
            "intel",
            "comments",
            "show",
            "productversion",
            "inno setup",
            "invalid",
            "format",
            "invalid variant",
            "delphi",
            "stack",
            "error",
            "iniciar download setup",
            "gui",
            "application/octet-stream",
            "tsara brashears",
            "targets",
            "cve-2017-0199",
            "aspack",
            "contains-pe",
            "contains-elf",
            "bobsoft",
            "cve-2010-3333",
            "contains-embedded-js",
            "cve-2014-3931",
            "cve-2017-11882",
            "adware.adload/adinstaller",
            "win32processor",
            "information",
            "flow t1574",
            "dll sideloading",
            "reads",
            "downloads",
            "win32process",
            "t1055 spawns",
            "access token",
            "modify access",
            "files",
            "catalog tree",
            "analysis ob0001",
            "b0001 process",
            "b0003 delayed",
            "analysis ob0002",
            "evasion ob0006",
            "self deletion",
            "f0007 discovery",
            "ob0007 analysis",
            "dead",
            "cybercrime",
            "cyber criminal group",
            "dynamicloader",
            "high",
            "medium",
            "trojan",
            "less see",
            "contacted",
            "yara rule",
            "installs",
            "windows",
            "windows startup",
            "february",
            "copy",
            "as14061",
            "as16276",
            "canada unknown",
            "united kingdom",
            "as63949 linode",
            "as202053",
            "finland unknown",
            "aaaa",
            "get http",
            "request",
            "windows nt",
            "khtml",
            "gecko",
            "wow64",
            "host",
            "connection",
            "cus cndigicert",
            "ca1 odigicert",
            "win32",
            "win64",
            "accept",
            "dataset",
            "system property",
            "lookups",
            "select family",
            "userprofile",
            "temp",
            "samplepath",
            "user",
            "runtime modules",
            "modules",
            "programfiles",
            "windir",
            "datacrashpad",
            "k netsvcs",
            "s ngcctnrsvc",
            "nameweb bvba",
            "domains",
            "csc corporate",
            "registrarsafe",
            "registrar",
            "namecheap inc",
            "nameweb",
            "win32 exe",
            "detections file",
            "win32 dll",
            "ip detections",
            "country",
            "highly targeted",
            "problems",
            "sneaky server",
            "replacement",
            "unauthorized",
            "high level",
            "hackers",
            "unknown win",
            "agent tesla",
            "worm",
            "formbook",
            "startpage",
            "dead drop resolver",
            "nxdomain",
            "ns nxdomain",
            "scan endpoints",
            "all search",
            "otx scoreblue",
            "pulse pulses",
            "hostname",
            "files ip",
            "address domain",
            "div div",
            "a li",
            "p div",
            "read more",
            "a div",
            "bq aug",
            "script script",
            "path max",
            "age86400 set",
            "cookie",
            "entries",
            "trojandropper",
            "body",
            "trojan features",
            "related pulses",
            "file samples",
            "files matching",
            "date hash",
            "copyright",
            "virtool",
            "trojanspy",
            "hashes c2ae",
            "capa",
            "cape sandbox",
            "moves",
            "tencent habo",
            "zenbox",
            "tls rsa",
            "sha256",
            "inc subject",
            "global g2",
            "odigicert inc",
            "cndigicert sha2",
            "high assurance",
            "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl",
            "javascripts",
            "iframes",
            "embedded",
            "x sucuri",
            "cookie policy",
            "jeffrey scott reimer dpt",
            "toni braxton",
            "police",
            "fbi va",
            "loudon county",
            "ashburn va",
            "douglas co",
            "douglas co sheriff",
            "sheriff",
            "justin bieber",
            "swipper"
          ],
          "references": [
            "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net",
            "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
            "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)",
            "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs",
            "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected",
            "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows",
            "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING",
            "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply",
            "Yara Detections: Delphi",
            "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003",
            "\"Malware Behavior Catalog Tree:  Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102",
            "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02",
            "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007",
            "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083",
            "\"Malware Behavior Catalog Tree:  Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059",
            "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007",
            "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001",
            "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083",
            "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023",
            "\"Dataset actions -System Property Lookups: IIWbemServices::Connect",
            "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
            "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
            "\"Dataset actions - System Property Lookups:  Execution OB0012  F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005",
            "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus",
            "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com",
            "Apple Issues:\tcheckapple.com http://www.checkapple.com/  https://bincc.xyz/bin-apple-music-1month-apple-tv-7days  apple-marketing.com",
            "Apple Issues:\tapp-appleid.serveirc.com  appleid-appleus.serveirc.com  appleidapple.serveirc.com   apples-uncek.serveirc.com",
            "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/  http://www.appleid-lockid.serveirc.com/  http://www.appleid-seccure23.serveirc.com/",
            "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/   http://www.appleid-secure22.serveirc.com/ serviceirc.com",
            "Apple Issues: http://www.appleid-supporthelp.serveirc.com/   http://www.appleids-security.serveirc.com/",
            "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days",
            "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)",
            "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort",
            "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A",
            "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB ,  Backdoor:Linux/Setag!rfn ,  Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn",
            "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn ,  ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt",
            "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048",
            "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007",
            "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017",
            "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004",
            "\"Malware Behavior Catalog Tree: Create 00001807  Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001",
            "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021",
            "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry",
            "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"",
            "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query",
            "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32",
            "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API",
            "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer",
            "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation",
            "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows",
            "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value",
            "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory",
            "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows",
            "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path",
            "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system",
            "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists",
            "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Netherlands",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "PUP/Win32.Bundler.R1865",
              "display_name": "PUP/Win32.Bundler.R1865",
              "target": null
            },
            {
              "id": "Inno:Downloader-J [PUP]",
              "display_name": "Inno:Downloader-J [PUP]",
              "target": null
            },
            {
              "id": "AdWare:Win32/AdLoad.0e19dea6",
              "display_name": "AdWare:Win32/AdLoad.0e19dea6",
              "target": "/malware/AdWare:Win32/AdLoad.0e19dea6"
            },
            {
              "id": "Adware.Adload/Adinstaller",
              "display_name": "Adware.Adload/Adinstaller",
              "target": null
            },
            {
              "id": "Win.Packed.Razy-9828382-0",
              "display_name": "Win.Packed.Razy-9828382-0",
              "target": null
            },
            {
              "id": "VirTool:Win32/Injector",
              "display_name": "VirTool:Win32/Injector",
              "target": "/malware/VirTool:Win32/Injector"
            },
            {
              "id": "Trojan:Win32/Zombie",
              "display_name": "Trojan:Win32/Zombie",
              "target": "/malware/Trojan:Win32/Zombie"
            },
            {
              "id": "TrojanDropper:Win32/Muldrop",
              "display_name": "TrojanDropper:Win32/Muldrop",
              "target": "/malware/TrojanDropper:Win32/Muldrop"
            },
            {
              "id": "TrojanSpy:Win32/Nivdort",
              "display_name": "TrojanSpy:Win32/Nivdort",
              "target": "/malware/TrojanSpy:Win32/Nivdort"
            },
            {
              "id": "Trojan:Win32/Glupteba.MT!MTB",
              "display_name": "Trojan:Win32/Glupteba.MT!MTB",
              "target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
            }
          ],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1529",
              "name": "System Shutdown/Reboot",
              "display_name": "T1529 - System Shutdown/Reboot"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1472",
              "name": "Generate Fraudulent Advertising Revenue",
              "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
            },
            {
              "id": "T1448",
              "name": "Carrier Billing Fraud",
              "display_name": "T1448 - Carrier Billing Fraud"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1516",
              "name": "Input Injection",
              "display_name": "T1516 - Input Injection"
            },
            {
              "id": "T1221",
              "name": "Template Injection",
              "display_name": "T1221 - Template Injection"
            }
          ],
          "industries": [
            "Technology",
            "Civilian Society"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1401,
            "FileHash-SHA1": 1365,
            "FileHash-SHA256": 6436,
            "URL": 5931,
            "domain": 1391,
            "hostname": 2165,
            "CVE": 5,
            "email": 6
          },
          "indicator_count": 18700,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "585 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65eadaae65b9123721198d08",
          "name": "Nivdort | Affected OTX accounts | Yotta Network (Cloned OTX user)",
          "description": "",
          "modified": "2024-04-06T23:03:19.046000",
          "created": "2024-03-08T09:30:22.295000",
          "tags": [
            "methodpost",
            "threat",
            "iocs",
            "urls http",
            "samples",
            "cnc",
            "phishing",
            "ransom",
            "emotet",
            "fraud services",
            "command _and_control",
            "trojan",
            "scanning host",
            "active threat",
            "malicious",
            "date hash",
            "avast avg",
            "susp",
            "win32",
            "paste",
            "hostnames",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "b body",
            "headers date",
            "connection",
            "first",
            "utc submissions",
            "submitters",
            "computer",
            "company limited",
            "gandi sas",
            "ovh sas",
            "export",
            "summary iocs",
            "graph community",
            "limited",
            "yotta network",
            "gvb gelimed",
            "kb microsoft",
            "indonesia",
            "kyriazhs1975",
            "vj79",
            "bc https",
            "rexxfield",
            "brian sabey",
            "as21342",
            "united",
            "passive dns",
            "unknown",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "pulse submit",
            "url analysis",
            "urls",
            "msie",
            "chrome",
            "creation date",
            "search",
            "dnssec",
            "entries",
            "body",
            "date",
            "as63949 linode",
            "mtb feb",
            "checkin m1",
            "gmt content",
            "type",
            "encrypt",
            "trojan",
            "artro",
            "moved",
            "pulse pulses",
            "yotta data",
            "yotta",
            "private limited",
            "india",
            "limited yotta",
            "number",
            "as140641",
            "network",
            "facebook",
            "info",
            "cisco umbrella",
            "site",
            "alexa top",
            "site top",
            "million",
            "safe site",
            "million alexa",
            "site safe",
            "cobalt strike",
            "malicious url",
            "blacknet rat",
            "union",
            "vidar",
            "malware",
            "stealer",
            "bank",
            "alexa",
            "deepscan",
            "phishing",
            "team",
            "super",
            "blacknet",
            "babar",
            "detection list",
            "blacklist http",
            "sample",
            "submission",
            "history first",
            "analysis",
            "utc http",
            "response final",
            "url http",
            "kb body",
            "path",
            "as396982 google",
            "bq mar",
            "win32cve mar",
            "exploit",
            "virtool",
            "status",
            "name servers",
            "emails",
            "servers",
            "next",
            "files",
            "as44273 host",
            "germany unknown",
            "expiration date",
            "showing",
            "win32upatre mar",
            "milehighmedia",
            "ids detections",
            "possible fake",
            "av checkin",
            "initial checkin",
            "checkin",
            "utah data",
            "center",
            "june",
            "data center",
            "responsible",
            "nsa utah",
            "march",
            "closeup view",
            "july",
            "view",
            "february",
            "prism",
            "cascade",
            "darpa",
            "twitter",
            "as20940",
            "aaaa",
            "as16625 akamai",
            "nxdomain",
            "whitelisted",
            "domain",
            "as54113",
            "msil",
            "cryp",
            "files show",
            "entries related",
            "domains",
            "as15169 google",
            "gmt cache",
            "sameorigin",
            "trojandropper",
            "asnone united",
            "title error",
            "porkbun",
            "mtb mar",
            "trojanspy",
            "installer",
            "loader",
            "hijacker",
            "targeting",
            "as30456",
            "sec ch",
            "for privacy",
            "ch ua",
            "hash avast",
            "avg clamav",
            "msdefender mar",
            "lowfi",
            "dns replication",
            "ip detections",
            "country",
            "contacted",
            "graph",
            "ssdeep",
            "file type",
            "html internet",
            "magic html",
            "ascii text",
            "trid file",
            "file size",
            "open threat",
            "learn",
            "html info",
            "exchange meta",
            "tags twitter",
            "alienvault",
            "script tags",
            "iframe tags",
            "google tag",
            "manager anchor",
            "iana",
            "whois lookup",
            "ipv4 address",
            "ripe ncc",
            "afrinic",
            "africa",
            "apnic",
            "asia pacific",
            "arin",
            "lacnic",
            "google",
            "amazon ec2",
            "email",
            "city",
            "server",
            "amazon data",
            "amazon",
            "code",
            "form",
            "po box",
            "tech",
            "show",
            "description ype",
            "collections",
            "partru",
            "execution",
            "fake host"
          ],
          "references": [
            "Part II -Some users OTX accounts connected to the following | Unexpected revelation |",
            "Title Salzburg Airport | Public Operations Display Portal  | http://quantum.emsbk.com/",
            "go.sabey.com | sabey.com | smear.cloud | w1.voyeurweb.com | Never stops...",
            "https://www.milehighmedia.com/legal/2257",
            "http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len",
            "http://schoolcare.dyndns.org/soap/ISCKeyUpdater",
            "http://callenjoy.net/index.php | watchhers.net | emails.redvue.com | nexus.devnautiluscloud.net | http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len",
            "http://45.159.189.105/bot/regex | http://46.109.184.5/search.htm | http://acycseiiqsau.org/ | emsbk.innocraft.cloud  | jenkins.devnautiluscloud.net |",
            "hostmaster.hostmaster.hostmaster.cartography.midst.co.uk | message.htm.com | quantum.emsbk.com http://cms.static.hw.famedownload.com/famedigital/m/",
            "http://cms.static.hw.famedownload.com/famedigital/m/1b6j9enlerq8k4g8/header-big8.jpg",
            "CnC IP's: 104.200.21.37 | 106.14.226.91 | 192.187.111.221 | 198.58.118.167 | 208.100.26.245 |  34.174.78.212",
            "Cookies AWSALB h0mLG52+gDNUdBHb468xx6EZCua7FVRvlZWH7URKSKV27WSs637El46CBcw8RmPBxIAT2jqmmByDbnMIsYobUWhWbNadYFsxVQk/gVDcDfdixV/5aQn0VRon9gXO",
            "https://nsa.gov1.info/utah-data-center",
            "https://softwaremill.com/grpc-vs-rest/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "United Arab Emirates"
          ],
          "malware_families": [
            {
              "id": "TrojanSpy:Win32/Nivdort.CW",
              "display_name": "TrojanSpy:Win32/Nivdort.CW",
              "target": "/malware/TrojanSpy:Win32/Nivdort.CW"
            },
            {
              "id": "AndroidOverlayMalware - MOB-S0012",
              "display_name": "AndroidOverlayMalware - MOB-S0012",
              "target": null
            },
            {
              "id": "#Lowfi:LUA:AutoItV3CraftedOverlay",
              "display_name": "#Lowfi:LUA:AutoItV3CraftedOverlay",
              "target": null
            },
            {
              "id": "Crypt3.BWVY",
              "display_name": "Crypt3.BWVY",
              "target": null
            },
            {
              "id": "Artro",
              "display_name": "Artro",
              "target": null
            },
            {
              "id": "Worm:Win32/Mofksys.RND!MTB",
              "display_name": "Worm:Win32/Mofksys.RND!MTB",
              "target": "/malware/Worm:Win32/Mofksys.RND!MTB"
            },
            {
              "id": "Trojan:Win32/Floxif.E",
              "display_name": "Trojan:Win32/Floxif.E",
              "target": "/malware/Trojan:Win32/Floxif.E"
            },
            {
              "id": "BlackNET",
              "display_name": "BlackNET",
              "target": null
            },
            {
              "id": "Babar",
              "display_name": "Babar",
              "target": null
            },
            {
              "id": "Malware",
              "display_name": "Malware",
              "target": null
            },
            {
              "id": "VirTool:Win32/Injector.gen!BQ",
              "display_name": "VirTool:Win32/Injector.gen!BQ",
              "target": "/malware/VirTool:Win32/Injector.gen!BQ"
            },
            {
              "id": "Win32:Malware-gen",
              "display_name": "Win32:Malware-gen",
              "target": null
            },
            {
              "id": "#VirTool:Win32/Obfuscator.ADB",
              "display_name": "#VirTool:Win32/Obfuscator.ADB",
              "target": "/malware/#VirTool:Win32/Obfuscator.ADB"
            },
            {
              "id": "Dropper.Generic_r.EC",
              "display_name": "Dropper.Generic_r.EC",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
              "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
              "target": null
            },
            {
              "id": "ALF:Trojan:Win32/Zbot",
              "display_name": "ALF:Trojan:Win32/Zbot",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1605",
              "name": "Command-Line Interface",
              "display_name": "T1605 - Command-Line Interface"
            },
            {
              "id": "TA0037",
              "name": "Command and Control",
              "display_name": "TA0037 - Command and Control"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1156",
              "name": "Malicious Shell Modification",
              "display_name": "T1156 - Malicious Shell Modification"
            },
            {
              "id": "T1036.004",
              "name": "Masquerade Task or Service",
              "display_name": "T1036.004 - Masquerade Task or Service"
            },
            {
              "id": "T1444",
              "name": "Masquerade as Legitimate Application",
              "display_name": "T1444 - Masquerade as Legitimate Application"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1583.004",
              "name": "Server",
              "display_name": "T1583.004 - Server"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1091",
              "name": "Replication Through Removable Media",
              "display_name": "T1091 - Replication Through Removable Media"
            },
            {
              "id": "T1410",
              "name": "Network Traffic Capture or Redirection",
              "display_name": "T1410 - Network Traffic Capture or Redirection"
            }
          ],
          "industries": [
            "Civil Society",
            "Telecommunications",
            "Technology",
            "Financial"
          ],
          "TLP": "white",
          "cloned_from": "65ea56ae1992b02a25aa5c51",
          "export_count": 63,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 6765,
            "FileHash-MD5": 688,
            "FileHash-SHA1": 422,
            "FileHash-SHA256": 3169,
            "domain": 2171,
            "hostname": 1714,
            "email": 11,
            "CVE": 2,
            "CIDR": 2
          },
          "indicator_count": 14944,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 221,
          "modified_text": "744 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65ea56ae1992b02a25aa5c51",
          "name": "TrojanSpy:Win32/Nivdort | Affected OTX accounts | Yotta  Network",
          "description": "Part II - Some users' OTX accounts connected to the following | Unexpected revelation | A group of hackers masquerading as attorneys, government officials, advocates, fake NSA, security professionals, help desk, etc. I don't know the association with otx.alienvault. Unauthorized logins to OTX users' accounts. Deleted and modified pulses, etc. Needs further research for me to fully understand.",
          "modified": "2024-04-06T23:03:19.046000",
          "created": "2024-03-08T00:07:10.521000",
          "tags": [
            "methodpost",
            "threat",
            "iocs",
            "urls http",
            "samples",
            "cnc",
            "phishing",
            "ransom",
            "emotet",
            "fraud services",
            "command _and_control",
            "trojan",
            "scanning host",
            "active threat",
            "malicious",
            "date hash",
            "avast avg",
            "susp",
            "win32",
            "paste",
            "hostnames",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "b body",
            "headers date",
            "connection",
            "first",
            "utc submissions",
            "submitters",
            "computer",
            "company limited",
            "gandi sas",
            "ovh sas",
            "export",
            "summary iocs",
            "graph community",
            "limited",
            "yotta network",
            "gvb gelimed",
            "kb microsoft",
            "indonesia",
            "kyriazhs1975",
            "vj79",
            "bc https",
            "rexxfield",
            "brian sabey",
            "as21342",
            "united",
            "passive dns",
            "unknown",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "pulse submit",
            "url analysis",
            "urls",
            "msie",
            "chrome",
            "creation date",
            "search",
            "dnssec",
            "entries",
            "body",
            "date",
            "as63949 linode",
            "mtb feb",
            "checkin m1",
            "gmt content",
            "type",
            "encrypt",
            "trojan",
            "artro",
            "moved",
            "pulse pulses",
            "yotta data",
            "yotta",
            "private limited",
            "india",
            "limited yotta",
            "number",
            "as140641",
            "network",
            "facebook",
            "info",
            "cisco umbrella",
            "site",
            "alexa top",
            "site top",
            "million",
            "safe site",
            "million alexa",
            "site safe",
            "cobalt strike",
            "malicious url",
            "blacknet rat",
            "union",
            "vidar",
            "malware",
            "stealer",
            "bank",
            "alexa",
            "deepscan",
            "phishing",
            "team",
            "super",
            "blacknet",
            "babar",
            "detection list",
            "blacklist http",
            "sample",
            "submission",
            "history first",
            "analysis",
            "utc http",
            "response final",
            "url http",
            "kb body",
            "path",
            "as396982 google",
            "bq mar",
            "win32cve mar",
            "exploit",
            "virtool",
            "status",
            "name servers",
            "emails",
            "servers",
            "next",
            "files",
            "as44273 host",
            "germany unknown",
            "expiration date",
            "showing",
            "win32upatre mar",
            "milehighmedia",
            "ids detections",
            "possible fake",
            "av checkin",
            "initial checkin",
            "checkin",
            "utah data",
            "center",
            "june",
            "data center",
            "responsible",
            "nsa utah",
            "march",
            "closeup view",
            "july",
            "view",
            "february",
            "prism",
            "cascade",
            "darpa",
            "twitter",
            "as20940",
            "aaaa",
            "as16625 akamai",
            "nxdomain",
            "whitelisted",
            "domain",
            "as54113",
            "msil",
            "cryp",
            "files show",
            "entries related",
            "domains",
            "as15169 google",
            "gmt cache",
            "sameorigin",
            "trojandropper",
            "asnone united",
            "title error",
            "porkbun",
            "mtb mar",
            "trojanspy",
            "installer",
            "loader",
            "hijacker",
            "targeting",
            "as30456",
            "sec ch",
            "for privacy",
            "ch ua",
            "hash avast",
            "avg clamav",
            "msdefender mar",
            "lowfi",
            "dns replication",
            "ip detections",
            "country",
            "contacted",
            "graph",
            "ssdeep",
            "file type",
            "html internet",
            "magic html",
            "ascii text",
            "trid file",
            "file size",
            "open threat",
            "learn",
            "html info",
            "exchange meta",
            "tags twitter",
            "alienvault",
            "script tags",
            "iframe tags",
            "google tag",
            "manager anchor",
            "iana",
            "whois lookup",
            "ipv4 address",
            "ripe ncc",
            "afrinic",
            "africa",
            "apnic",
            "asia pacific",
            "arin",
            "lacnic",
            "google",
            "amazon ec2",
            "email",
            "city",
            "server",
            "amazon data",
            "amazon",
            "code",
            "form",
            "po box",
            "tech",
            "show",
            "description ype",
            "collections",
            "partru",
            "execution",
            "fake host"
          ],
          "references": [
            "Part II -Some users OTX accounts connected to the following | Unexpected revelation |",
            "Title Salzburg Airport | Public Operations Display Portal  | http://quantum.emsbk.com/",
            "go.sabey.com | sabey.com | smear.cloud | w1.voyeurweb.com | Never stops...",
            "https://www.milehighmedia.com/legal/2257",
            "http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len",
            "http://schoolcare.dyndns.org/soap/ISCKeyUpdater",
            "http://callenjoy.net/index.php | watchhers.net | emails.redvue.com | nexus.devnautiluscloud.net | http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len",
            "http://45.159.189.105/bot/regex | http://46.109.184.5/search.htm | http://acycseiiqsau.org/ | emsbk.innocraft.cloud  | jenkins.devnautiluscloud.net |",
            "hostmaster.hostmaster.hostmaster.cartography.midst.co.uk | message.htm.com | quantum.emsbk.com http://cms.static.hw.famedownload.com/famedigital/m/",
            "http://cms.static.hw.famedownload.com/famedigital/m/1b6j9enlerq8k4g8/header-big8.jpg",
            "CnC IP's: 104.200.21.37 | 106.14.226.91 | 192.187.111.221 | 198.58.118.167 | 208.100.26.245 |  34.174.78.212",
            "Cookies AWSALB h0mLG52+gDNUdBHb468xx6EZCua7FVRvlZWH7URKSKV27WSs637El46CBcw8RmPBxIAT2jqmmByDbnMIsYobUWhWbNadYFsxVQk/gVDcDfdixV/5aQn0VRon9gXO",
            "https://nsa.gov1.info/utah-data-center",
            "https://softwaremill.com/grpc-vs-rest/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "United Arab Emirates"
          ],
          "malware_families": [
            {
              "id": "TrojanSpy:Win32/Nivdort.CW",
              "display_name": "TrojanSpy:Win32/Nivdort.CW",
              "target": "/malware/TrojanSpy:Win32/Nivdort.CW"
            },
            {
              "id": "AndroidOverlayMalware - MOB-S0012",
              "display_name": "AndroidOverlayMalware - MOB-S0012",
              "target": null
            },
            {
              "id": "#Lowfi:LUA:AutoItV3CraftedOverlay",
              "display_name": "#Lowfi:LUA:AutoItV3CraftedOverlay",
              "target": null
            },
            {
              "id": "Crypt3.BWVY",
              "display_name": "Crypt3.BWVY",
              "target": null
            },
            {
              "id": "Artro",
              "display_name": "Artro",
              "target": null
            },
            {
              "id": "Worm:Win32/Mofksys.RND!MTB",
              "display_name": "Worm:Win32/Mofksys.RND!MTB",
              "target": "/malware/Worm:Win32/Mofksys.RND!MTB"
            },
            {
              "id": "Trojan:Win32/Floxif.E",
              "display_name": "Trojan:Win32/Floxif.E",
              "target": "/malware/Trojan:Win32/Floxif.E"
            },
            {
              "id": "BlackNET",
              "display_name": "BlackNET",
              "target": null
            },
            {
              "id": "Babar",
              "display_name": "Babar",
              "target": null
            },
            {
              "id": "Malware",
              "display_name": "Malware",
              "target": null
            },
            {
              "id": "VirTool:Win32/Injector.gen!BQ",
              "display_name": "VirTool:Win32/Injector.gen!BQ",
              "target": "/malware/VirTool:Win32/Injector.gen!BQ"
            },
            {
              "id": "Win32:Malware-gen",
              "display_name": "Win32:Malware-gen",
              "target": null
            },
            {
              "id": "#VirTool:Win32/Obfuscator.ADB",
              "display_name": "#VirTool:Win32/Obfuscator.ADB",
              "target": "/malware/#VirTool:Win32/Obfuscator.ADB"
            },
            {
              "id": "Dropper.Generic_r.EC",
              "display_name": "Dropper.Generic_r.EC",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
              "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
              "target": null
            },
            {
              "id": "ALF:Trojan:Win32/Zbot",
              "display_name": "ALF:Trojan:Win32/Zbot",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1605",
              "name": "Command-Line Interface",
              "display_name": "T1605 - Command-Line Interface"
            },
            {
              "id": "TA0037",
              "name": "Command and Control",
              "display_name": "TA0037 - Command and Control"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1156",
              "name": "Malicious Shell Modification",
              "display_name": "T1156 - Malicious Shell Modification"
            },
            {
              "id": "T1036.004",
              "name": "Masquerade Task or Service",
              "display_name": "T1036.004 - Masquerade Task or Service"
            },
            {
              "id": "T1444",
              "name": "Masquerade as Legitimate Application",
              "display_name": "T1444 - Masquerade as Legitimate Application"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1583.004",
              "name": "Server",
              "display_name": "T1583.004 - Server"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1091",
              "name": "Replication Through Removable Media",
              "display_name": "T1091 - Replication Through Removable Media"
            },
            {
              "id": "T1410",
              "name": "Network Traffic Capture or Redirection",
              "display_name": "T1410 - Network Traffic Capture or Redirection"
            }
          ],
          "industries": [
            "Civil Society",
            "Telecommunications",
            "Technology",
            "Financial"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 59,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 6765,
            "FileHash-MD5": 688,
            "FileHash-SHA1": 422,
            "FileHash-SHA256": 3169,
            "domain": 2171,
            "hostname": 1714,
            "email": 11,
            "CVE": 2,
            "CIDR": 2
          },
          "indicator_count": 14944,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 231,
          "modified_text": "744 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65aab9d7a0b4116f622b0aa0",
          "name": "Linux/Mumblehard introduction via phone call Social Engineering",
          "description": "",
          "modified": "2024-02-17T00:01:16.653000",
          "created": "2024-01-19T18:05:11.592000",
          "tags": [
            "ssl certificate",
            "april",
            "resolutions",
            "threat roundup",
            "whois record",
            "historical ssl",
            "vt graph",
            "attack",
            "formbook",
            "subdomains",
            "august",
            "cobalt strike",
            "mumblehard",
            "iframe",
            "djcodychase.com",
            "first",
            "utc submissions",
            "submitters",
            "webico company",
            "limited",
            "summary iocs",
            "graph community",
            "urls",
            "gandi sas",
            "amazonaes",
            "cloudflarenet",
            "computer",
            "company limited",
            "cloud host",
            "pte ltd",
            "singlehopllc",
            "squarespace",
            "amazon02",
            "team internet",
            "google",
            "internapblk4",
            "domains",
            "registrar",
            "dynadot llc",
            "ip detections",
            "country",
            "detections type",
            "name",
            "win32 exe",
            "file size",
            "detections file",
            "kb file",
            "execution",
            "contacted",
            "apple ios",
            "tsara brashears",
            "virus network",
            "critical risk",
            "cyberstalking",
            "elf collection",
            "matches rule",
            "relacionada",
            "hacktool",
            "emotet",
            "critical",
            "copy",
            "installer",
            "banker",
            "keylogger",
            "it's back",
            "name verdict",
            "falcon sandbox",
            "json data",
            "localappdata",
            "temp",
            "getprocaddress",
            "windir",
            "ascii text",
            "file",
            "indicator",
            "mitre att",
            "ck id",
            "win64",
            "path",
            "date",
            "factory",
            "hybrid",
            "cookie",
            "benjamin"
          ],
          "references": [
            "djcodychase.com",
            "https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-threats/mumblehard-botnet-that-targeted-linux-systems-has-been-shut-down Source Trend"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Backdoor:Linux/Mumblehard",
              "display_name": "Backdoor:Linux/Mumblehard",
              "target": "/malware/Backdoor:Linux/Mumblehard"
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "FormBook",
              "display_name": "FormBook",
              "target": null
            },
            {
              "id": "Win.Dropper.XtremeRAT-7708589-0",
              "display_name": "Win.Dropper.XtremeRAT-7708589-0",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Ransomware",
              "display_name": "Ransomware",
              "target": null
            },
            {
              "id": "Worm:Win32/Benjamin",
              "display_name": "Worm:Win32/Benjamin",
              "target": "/malware/Worm:Win32/Benjamin"
            }
          ],
          "attack_ids": [
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1122",
              "name": "Component Object Model Hijacking",
              "display_name": "T1122 - Component Object Model Hijacking"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65a8720daa2d0263a2b1de88",
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 114,
            "FileHash-SHA1": 106,
            "FileHash-SHA256": 3407,
            "URL": 6246,
            "domain": 2463,
            "hostname": 1693,
            "CVE": 2
          },
          "indicator_count": 14031,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "793 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65a8720daa2d0263a2b1de88",
          "name": "Linux/Mumblehard introduction via  phone call  Social Engineering",
          "description": "Already deeply compromised individuals more at risk of elaborate phone call interception/redirect/transfer from legitimate services. Many different schemes are used to access and nullify victims identity, involves ssn#, bank account information, email exchange text messaging, PDF exchange, Spam sent to all known accounts, password reset, request for ID upload to verify (steal) identity, extensive holds while trying to 'help' you, unannounced credit check ID theft. Ransomware, Linux attack, Botnetwork behavior.  Active threat. Linux/Mumblehard backdoor/botnet",
          "modified": "2024-02-17T00:01:16.653000",
          "created": "2024-01-18T00:34:21.136000",
          "tags": [
            "ssl certificate",
            "april",
            "resolutions",
            "threat roundup",
            "whois record",
            "historical ssl",
            "vt graph",
            "attack",
            "formbook",
            "subdomains",
            "august",
            "cobalt strike",
            "mumblehard",
            "iframe",
            "djcodychase.com",
            "first",
            "utc submissions",
            "submitters",
            "webico company",
            "limited",
            "summary iocs",
            "graph community",
            "urls",
            "gandi sas",
            "amazonaes",
            "cloudflarenet",
            "computer",
            "company limited",
            "cloud host",
            "pte ltd",
            "singlehopllc",
            "squarespace",
            "amazon02",
            "team internet",
            "google",
            "internapblk4",
            "domains",
            "registrar",
            "dynadot llc",
            "ip detections",
            "country",
            "detections type",
            "name",
            "win32 exe",
            "file size",
            "detections file",
            "kb file",
            "execution",
            "contacted",
            "apple ios",
            "tsara brashears",
            "virus network",
            "critical risk",
            "cyberstalking",
            "elf collection",
            "matches rule",
            "relacionada",
            "hacktool",
            "emotet",
            "critical",
            "copy",
            "installer",
            "banker",
            "keylogger",
            "it's back",
            "name verdict",
            "falcon sandbox",
            "json data",
            "localappdata",
            "temp",
            "getprocaddress",
            "windir",
            "ascii text",
            "file",
            "indicator",
            "mitre att",
            "ck id",
            "win64",
            "path",
            "date",
            "factory",
            "hybrid",
            "cookie",
            "benjamin"
          ],
          "references": [
            "djcodychase.com",
            "https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-threats/mumblehard-botnet-that-targeted-linux-systems-has-been-shut-down Source Trend"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Backdoor:Linux/Mumblehard",
              "display_name": "Backdoor:Linux/Mumblehard",
              "target": "/malware/Backdoor:Linux/Mumblehard"
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "FormBook",
              "display_name": "FormBook",
              "target": null
            },
            {
              "id": "Win.Dropper.XtremeRAT-7708589-0",
              "display_name": "Win.Dropper.XtremeRAT-7708589-0",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Ransomware",
              "display_name": "Ransomware",
              "target": null
            },
            {
              "id": "Worm:Win32/Benjamin",
              "display_name": "Worm:Win32/Benjamin",
              "target": "/malware/Worm:Win32/Benjamin"
            }
          ],
          "attack_ids": [
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1122",
              "name": "Component Object Model Hijacking",
              "display_name": "T1122 - Component Object Model Hijacking"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 114,
            "FileHash-SHA1": 106,
            "FileHash-SHA256": 3407,
            "URL": 6246,
            "domain": 2463,
            "hostname": 1693,
            "CVE": 2
          },
          "indicator_count": 14031,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 221,
          "modified_text": "793 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "658ca3f53717bb3a25e96065",
          "name": "Hijacking | Typosquatting | Masquerading Shared Modules | http://ww1.thecoolzipextractorapp.com/ via https://www.hallrender.com/attorney/brian-sabey/",
          "description": "",
          "modified": "2024-01-26T01:05:54.754000",
          "created": "2023-12-27T22:23:49.562000",
          "tags": [
            "threat",
            "feeds ioc",
            "new ioc",
            "teams api",
            "contact",
            "maltiverse",
            "dinkle threat",
            "paste",
            "iocs",
            "analyze",
            "ssl certificate",
            "whois record",
            "contacted",
            "referrer",
            "historical ssl",
            "communicating",
            "whois whois",
            "siblings parent",
            "execution"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "658b9e86f7a149333882bfb9",
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 12134,
            "FileHash-MD5": 102,
            "FileHash-SHA1": 101,
            "FileHash-SHA256": 3982,
            "hostname": 2878,
            "domain": 2159,
            "CVE": 1
          },
          "indicator_count": 21357,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 226,
          "modified_text": "815 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "658b9e86f7a149333882bfb9",
          "name": "Hijacking | Typosquatting | Masquerading Shared Modules",
          "description": "*Shared Modules\t\nExecution\nAdversaries may execute malicious payloads via loading shared modules.\n\n*Masquerading\t\nDefense Evasion\nAdversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.\n\nComponent Object Model Hijacking\t\nPersistence\nPrivilege Escalation\nAdversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.\nPulse: http://ww1.thecoolzipextractorapp.com/\nFound in: https://www.hallrender.com/attorney/brian-sabey/",
          "modified": "2024-01-26T01:05:54.754000",
          "created": "2023-12-27T03:48:22.319000",
          "tags": [
            "threat",
            "feeds ioc",
            "new ioc",
            "teams api",
            "contact",
            "maltiverse",
            "dinkle threat",
            "paste",
            "iocs",
            "analyze",
            "ssl certificate",
            "whois record",
            "contacted",
            "referrer",
            "historical ssl",
            "communicating",
            "whois whois",
            "siblings parent",
            "execution"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 28,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 12134,
            "FileHash-MD5": 102,
            "FileHash-SHA1": 101,
            "FileHash-SHA256": 3982,
            "hostname": 2878,
            "domain": 2159,
            "CVE": 1
          },
          "indicator_count": 21357,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 222,
          "modified_text": "815 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "658449d3f6ec1af2f3aace46",
          "name": "Qakbot | Reddit",
          "description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip Qbot zip found in Reddit Honeypot link: https://www.reddit.com/user backdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware  malvertizing, fraud services, leads to full control of badly compromised digital profile.",
          "modified": "2024-01-20T02:02:19.559000",
          "created": "2023-12-21T14:21:07.435000",
          "tags": [
            "ssl certificate",
            "iocs",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "search",
            "threat",
            "paste",
            "blacklist https",
            "qakbot",
            "site",
            "cisco umbrella",
            "alexa top",
            "million",
            "ascii text",
            "pattern match",
            "file",
            "windows nt",
            "appdata",
            "indicator",
            "crlf line",
            "unicode text",
            "jpeg image",
            "mitre att",
            "hybrid",
            "general",
            "local",
            "error",
            "click",
            "strings",
            "microsoft",
            "threat analyzer",
            "urls https",
            "no data",
            "tag count",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "heur",
            "malware site",
            "malicious site",
            "safe site",
            "malware",
            "html",
            "phishing site",
            "site top",
            "riskware",
            "unsafe",
            "artemis",
            "quasar rat",
            "downldr",
            "agent",
            "presenoker",
            "applicunwnt",
            "crack",
            "cve201711882",
            "win64",
            "iframe",
            "quasar",
            "trojanspy",
            "exit",
            "node tcp",
            "tor known",
            "tor relayrouter",
            "traffic",
            "anonymizer",
            "brasil",
            "phishing three",
            "united",
            "phishing bank",
            "virustotal",
            "tech",
            "bank",
            "maltiverse",
            "hidelink",
            "samples",
            "spyware",
            "injector",
            "mon jan",
            "tld count",
            "wed dec",
            "download",
            "first",
            "team",
            "simda",
            "bambernek",
            "simda simda",
            "infy",
            "alexa",
            "gregory",
            "cyber threat",
            "phishing",
            "engineering",
            "covid19",
            "telefonica co",
            "malicious",
            "zbot",
            "zeus",
            "betabot",
            "suppobox",
            "citadel",
            "pony",
            "kraken",
            "redline stealer",
            "ransomware",
            "vawtrak",
            "athena",
            "neutrino",
            "alina",
            "andromeda",
            "dexter",
            "unknown",
            "keylogger",
            "hawkeye",
            "phase",
            "jackpos",
            "plasma",
            "spyeye",
            "spitmo",
            "slingshot",
            "ramnit",
            "emotet",
            "pykspa",
            "virut",
            "installcore",
            "dorkbot",
            "bondat",
            "union",
            "vskimmer",
            "xtrat",
            "solar",
            "grandcrab",
            "nymaim",
            "matsnu",
            "cutwail",
            "cobalt strike",
            "hydra",
            "tinba",
            "nsis",
            "memscan",
            "deepscan",
            "runescape",
            "backdoor",
            "reddit",
            "tulach",
            "password stealer",
            "active threat",
            "apple",
            "pinkslipbot",
            "icloud",
            "free",
            "apple"
          ],
          "references": [
            "https://seedbeej.pk/tin/index.php?QBOT.zip.  [Qbot zip]",
            "https://tulach.cc/  [Botnet phishing]",
            "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293",
            "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community",
            "198.54.115.46            [exploit_source]",
            "gadyniw.com          [command_and_control]",
            "gahyqah.com          [command_and_control]",
            "galyqaz.com            [command_and_control]",
            "lyvyxor.com             [command_and_control]",
            "puzylyp.com           [command_and_control]",
            "malicious.high.ml   [dropper]",
            "https://www.reddit.com/user [honeypot]",
            "beacons.bcp.gvt.com   [tracking]",
            "https://www.norad.mil/   [tracking]",
            "www.norad.mil   [tracking]",
            "www.apple.com  [API property call]",
            "https://www.apple.com/qtactivex/qtplugin.cab   [https://www.icloud.com .cab]",
            "yesporn.fun",
            "http://114.114.114.114:90/p/cdbdd4a09a64909694281aec503746fd/mobile_index.html?MTE0LjExNC4xMTQuMTE0L2xvZ2luP2hhc19vcmlfdXJp [Tulach | Malicious]",
            "114.114.114.114  [Tulach | Virus Network IP]"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Qakbot",
              "display_name": "Qakbot",
              "target": null
            },
            {
              "id": "Quasar",
              "display_name": "Quasar",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "HideLink",
              "display_name": "HideLink",
              "target": null
            },
            {
              "id": "Gregory",
              "display_name": "Gregory",
              "target": null
            },
            {
              "id": "Cutwail",
              "display_name": "Cutwail",
              "target": null
            },
            {
              "id": "Matsnu",
              "display_name": "Matsnu",
              "target": null
            },
            {
              "id": "Vawtrak",
              "display_name": "Vawtrak",
              "target": null
            },
            {
              "id": "XRat",
              "display_name": "XRat",
              "target": null
            },
            {
              "id": "Zbot",
              "display_name": "Zbot",
              "target": null
            },
            {
              "id": "Virut",
              "display_name": "Virut",
              "target": null
            },
            {
              "id": "ZeuS",
              "display_name": "ZeuS",
              "target": null
            },
            {
              "id": "vSkimmer",
              "display_name": "vSkimmer",
              "target": null
            },
            {
              "id": "SuppoBox",
              "display_name": "SuppoBox",
              "target": null
            },
            {
              "id": "Simda",
              "display_name": "Simda",
              "target": null
            },
            {
              "id": "Pykspa",
              "display_name": "Pykspa",
              "target": null
            },
            {
              "id": "SpyEye",
              "display_name": "SpyEye",
              "target": null
            },
            {
              "id": "Spitmo",
              "display_name": "Spitmo",
              "target": null
            },
            {
              "id": "Solar",
              "display_name": "Solar",
              "target": null
            },
            {
              "id": "Nymaim",
              "display_name": "Nymaim",
              "target": null
            },
            {
              "id": "DorkBot",
              "display_name": "DorkBot",
              "target": null
            },
            {
              "id": "Slingshot",
              "display_name": "Slingshot",
              "target": null
            },
            {
              "id": "Pony",
              "display_name": "Pony",
              "target": null
            },
            {
              "id": "Plasma RAT",
              "display_name": "Plasma RAT",
              "target": null
            },
            {
              "id": "Neutrino",
              "display_name": "Neutrino",
              "target": null
            },
            {
              "id": "Ramnit",
              "display_name": "Ramnit",
              "target": null
            },
            {
              "id": "NSIS",
              "display_name": "NSIS",
              "target": null
            },
            {
              "id": "RedLine Stealer",
              "display_name": "RedLine Stealer",
              "target": null
            },
            {
              "id": "InstallCore",
              "display_name": "InstallCore",
              "target": null
            },
            {
              "id": "GrandCrab",
              "display_name": "GrandCrab",
              "target": null
            },
            {
              "id": "Andromeda",
              "display_name": "Andromeda",
              "target": null
            },
            {
              "id": "Alinaos",
              "display_name": "Alinaos",
              "target": null
            },
            {
              "id": "HawkEye",
              "display_name": "HawkEye",
              "target": null
            },
            {
              "id": "Kraken",
              "display_name": "Kraken",
              "target": null
            },
            {
              "id": "Infy",
              "display_name": "Infy",
              "target": null
            },
            {
              "id": "Dexter",
              "display_name": "Dexter",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Artemis",
              "display_name": "Artemis",
              "target": null
            },
            {
              "id": "ASCII",
              "display_name": "ASCII",
              "target": null
            },
            {
              "id": "Athena",
              "display_name": "Athena",
              "target": null
            },
            {
              "id": "Bambernek",
              "display_name": "Bambernek",
              "target": null
            },
            {
              "id": "BetaBot",
              "display_name": "BetaBot",
              "target": null
            },
            {
              "id": "COVID19",
              "display_name": "COVID19",
              "target": null
            },
            {
              "id": "Citadel",
              "display_name": "Citadel",
              "target": null
            },
            {
              "id": "Bondat",
              "display_name": "Bondat",
              "target": null
            },
            {
              "id": "HideLink",
              "display_name": "HideLink",
              "target": null
            },
            {
              "id": "Hydra",
              "display_name": "Hydra",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            },
            {
              "id": "Pinkslipbot",
              "display_name": "Pinkslipbot",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 124,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 8736,
            "FileHash-MD5": 953,
            "FileHash-SHA1": 489,
            "FileHash-SHA256": 3566,
            "domain": 1516,
            "hostname": 2221,
            "CVE": 6
          },
          "indicator_count": 17487,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 221,
          "modified_text": "821 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6583e3acc7f464d48a3503d1",
          "name": "Qkbot | Reddit",
          "description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip found in Reddit honeypot link: https://www.reddit.com/user\nBackdoor second stage developed for distribution as a password stealer. Qbot, seemingly common, is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim will always be in the botnetwork. Qbot encompasses many other bot networks, trojans, network RATs, spyware, malvertising, fraud services, and full control of badly compromised digital profiles which have been discovered.",
          "modified": "2024-01-20T02:02:19.559000",
          "created": "2023-12-21T07:05:16.695000",
          "tags": [
            "ssl certificate",
            "iocs",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "search",
            "threat",
            "paste",
            "blacklist https",
            "qakbot",
            "site",
            "cisco umbrella",
            "alexa top",
            "million",
            "ascii text",
            "pattern match",
            "file",
            "windows nt",
            "appdata",
            "indicator",
            "crlf line",
            "unicode text",
            "jpeg image",
            "mitre att",
            "hybrid",
            "general",
            "local",
            "error",
            "click",
            "strings",
            "microsoft",
            "threat analyzer",
            "urls https",
            "no data",
            "tag count",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "heur",
            "malware site",
            "malicious site",
            "safe site",
            "malware",
            "html",
            "phishing site",
            "site top",
            "riskware",
            "unsafe",
            "artemis",
            "quasar rat",
            "downldr",
            "agent",
            "presenoker",
            "applicunwnt",
            "crack",
            "cve201711882",
            "win64",
            "iframe",
            "quasar",
            "trojanspy",
            "exit",
            "node tcp",
            "tor known",
            "tor relayrouter",
            "traffic",
            "anonymizer",
            "brasil",
            "phishing three",
            "united",
            "phishing bank",
            "virustotal",
            "tech",
            "bank",
            "maltiverse",
            "hidelink",
            "samples",
            "spyware",
            "injector",
            "mon jan",
            "tld count",
            "wed dec",
            "download",
            "first",
            "team",
            "simda",
            "bambernek",
            "simda simda",
            "infy",
            "alexa",
            "gregory",
            "cyber threat",
            "phishing",
            "engineering",
            "covid19",
            "telefonica co",
            "malicious",
            "zbot",
            "zeus",
            "betabot",
            "suppobox",
            "citadel",
            "pony",
            "kraken",
            "redline stealer",
            "ransomware",
            "vawtrak",
            "athena",
            "neutrino",
            "alina",
            "andromeda",
            "dexter",
            "unknown",
            "keylogger",
            "hawkeye",
            "phase",
            "jackpos",
            "plasma",
            "spyeye",
            "spitmo",
            "slingshot",
            "ramnit",
            "emotet",
            "pykspa",
            "virut",
            "installcore",
            "dorkbot",
            "bondat",
            "union",
            "vskimmer",
            "xtrat",
            "solar",
            "grandcrab",
            "nymaim",
            "matsnu",
            "cutwail",
            "cobalt strike",
            "hydra",
            "tinba",
            "nsis",
            "memscan",
            "deepscan",
            "runescape",
            "backdoor",
            "reddit",
            "tulach"
          ],
          "references": [
            "https://seedbeej.pk/tin/index.php?QBOT.zip",
            "https://tulach.cc/ [phishing, exploits, malware spreader]",
            "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293",
            "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community",
            "198.54.115.46            [exploit_source]",
            "gadyniw.com          [command_and_control]",
            "gahyqah.com          [command_and_control]",
            "galyqaz.com            [command_and_control]",
            "lyvyxor.com             [command_and_control]",
            "puzylyp.com           [command_and_control]",
            "malicious.high.ml   [dropper]",
            "https://www.reddit.com/user"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Qakbot",
              "display_name": "Qakbot",
              "target": null
            },
            {
              "id": "Quasar",
              "display_name": "Quasar",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "HideLink",
              "display_name": "HideLink",
              "target": null
            },
            {
              "id": "Gregory",
              "display_name": "Gregory",
              "target": null
            },
            {
              "id": "Cutwail",
              "display_name": "Cutwail",
              "target": null
            },
            {
              "id": "Matsnu",
              "display_name": "Matsnu",
              "target": null
            },
            {
              "id": "Vawtrak",
              "display_name": "Vawtrak",
              "target": null
            },
            {
              "id": "XRat",
              "display_name": "XRat",
              "target": null
            },
            {
              "id": "Zbot",
              "display_name": "Zbot",
              "target": null
            },
            {
              "id": "Virut",
              "display_name": "Virut",
              "target": null
            },
            {
              "id": "ZeuS",
              "display_name": "ZeuS",
              "target": null
            },
            {
              "id": "vSkimmer",
              "display_name": "vSkimmer",
              "target": null
            },
            {
              "id": "SuppoBox",
              "display_name": "SuppoBox",
              "target": null
            },
            {
              "id": "Simda",
              "display_name": "Simda",
              "target": null
            },
            {
              "id": "Pykspa",
              "display_name": "Pykspa",
              "target": null
            },
            {
              "id": "SpyEye",
              "display_name": "SpyEye",
              "target": null
            },
            {
              "id": "Spitmo",
              "display_name": "Spitmo",
              "target": null
            },
            {
              "id": "Solar",
              "display_name": "Solar",
              "target": null
            },
            {
              "id": "Nymaim",
              "display_name": "Nymaim",
              "target": null
            },
            {
              "id": "DorkBot",
              "display_name": "DorkBot",
              "target": null
            },
            {
              "id": "Slingshot",
              "display_name": "Slingshot",
              "target": null
            },
            {
              "id": "Pony",
              "display_name": "Pony",
              "target": null
            },
            {
              "id": "Plasma RAT",
              "display_name": "Plasma RAT",
              "target": null
            },
            {
              "id": "Neutrino",
              "display_name": "Neutrino",
              "target": null
            },
            {
              "id": "Ramnit",
              "display_name": "Ramnit",
              "target": null
            },
            {
              "id": "NSIS",
              "display_name": "NSIS",
              "target": null
            },
            {
              "id": "RedLine Stealer",
              "display_name": "RedLine Stealer",
              "target": null
            },
            {
              "id": "InstallCore",
              "display_name": "InstallCore",
              "target": null
            },
            {
              "id": "GrandCrab",
              "display_name": "GrandCrab",
              "target": null
            },
            {
              "id": "Andromeda",
              "display_name": "Andromeda",
              "target": null
            },
            {
              "id": "Alinaos",
              "display_name": "Alinaos",
              "target": null
            },
            {
              "id": "HawkEye",
              "display_name": "HawkEye",
              "target": null
            },
            {
              "id": "Kraken",
              "display_name": "Kraken",
              "target": null
            },
            {
              "id": "Infy",
              "display_name": "Infy",
              "target": null
            },
            {
              "id": "Dexter",
              "display_name": "Dexter",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Artemis",
              "display_name": "Artemis",
              "target": null
            },
            {
              "id": "ASCII",
              "display_name": "ASCII",
              "target": null
            },
            {
              "id": "Athena",
              "display_name": "Athena",
              "target": null
            },
            {
              "id": "Bambernek",
              "display_name": "Bambernek",
              "target": null
            },
            {
              "id": "BetaBot",
              "display_name": "BetaBot",
              "target": null
            },
            {
              "id": "COVID19",
              "display_name": "COVID19",
              "target": null
            },
            {
              "id": "Citadel",
              "display_name": "Citadel",
              "target": null
            },
            {
              "id": "Bondat",
              "display_name": "Bondat",
              "target": null
            },
            {
              "id": "HideLink",
              "display_name": "HideLink",
              "target": null
            },
            {
              "id": "Hydra",
              "display_name": "Hydra",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 101,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 8343,
            "FileHash-MD5": 953,
            "FileHash-SHA1": 489,
            "FileHash-SHA256": 3565,
            "domain": 1494,
            "hostname": 2218,
            "CVE": 6
          },
          "indicator_count": 17068,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 219,
          "modified_text": "821 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6583e3a2d1432cbf9054d26d",
          "name": "Qkbot | Reddit",
          "description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip found in Reddit honeypot link: https://www.reddit.com/user\nBackdoor second stage developed for distribution as a password stealer. Qbot, seemingly common, is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim will always be in the botnetwork. Qbot encompasses many other bot networks, trojans, network RATs, spyware, malvertising, fraud services, and full control of badly compromised digital profiles which have been discovered.",
          "modified": "2024-01-20T02:02:19.559000",
          "created": "2023-12-21T07:05:06.936000",
          "tags": [
            "ssl certificate",
            "iocs",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "search",
            "threat",
            "paste",
            "blacklist https",
            "qakbot",
            "site",
            "cisco umbrella",
            "alexa top",
            "million",
            "ascii text",
            "pattern match",
            "file",
            "windows nt",
            "appdata",
            "indicator",
            "crlf line",
            "unicode text",
            "jpeg image",
            "mitre att",
            "hybrid",
            "general",
            "local",
            "error",
            "click",
            "strings",
            "microsoft",
            "threat analyzer",
            "urls https",
            "no data",
            "tag count",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "heur",
            "malware site",
            "malicious site",
            "safe site",
            "malware",
            "html",
            "phishing site",
            "site top",
            "riskware",
            "unsafe",
            "artemis",
            "quasar rat",
            "downldr",
            "agent",
            "presenoker",
            "applicunwnt",
            "crack",
            "cve201711882",
            "win64",
            "iframe",
            "quasar",
            "trojanspy",
            "exit",
            "node tcp",
            "tor known",
            "tor relayrouter",
            "traffic",
            "anonymizer",
            "brasil",
            "phishing three",
            "united",
            "phishing bank",
            "virustotal",
            "tech",
            "bank",
            "maltiverse",
            "hidelink",
            "samples",
            "spyware",
            "injector",
            "mon jan",
            "tld count",
            "wed dec",
            "download",
            "first",
            "team",
            "simda",
            "bambernek",
            "simda simda",
            "infy",
            "alexa",
            "gregory",
            "cyber threat",
            "phishing",
            "engineering",
            "covid19",
            "telefonica co",
            "malicious",
            "zbot",
            "zeus",
            "betabot",
            "suppobox",
            "citadel",
            "pony",
            "kraken",
            "redline stealer",
            "ransomware",
            "vawtrak",
            "athena",
            "neutrino",
            "alina",
            "andromeda",
            "dexter",
            "unknown",
            "keylogger",
            "hawkeye",
            "phase",
            "jackpos",
            "plasma",
            "spyeye",
            "spitmo",
            "slingshot",
            "ramnit",
            "emotet",
            "pykspa",
            "virut",
            "installcore",
            "dorkbot",
            "bondat",
            "union",
            "vskimmer",
            "xtrat",
            "solar",
            "grandcrab",
            "nymaim",
            "matsnu",
            "cutwail",
            "cobalt strike",
            "hydra",
            "tinba",
            "nsis",
            "memscan",
            "deepscan",
            "runescape",
            "backdoor",
            "reddit",
            "tulach"
          ],
          "references": [
            "https://seedbeej.pk/tin/index.php?QBOT.zip",
            "https://tulach.cc/ [phishing, exploits, malware spreader]",
            "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293",
            "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community",
            "198.54.115.46            [exploit_source]",
            "gadyniw.com          [command_and_control]",
            "gahyqah.com          [command_and_control]",
            "galyqaz.com            [command_and_control]",
            "lyvyxor.com             [command_and_control]",
            "puzylyp.com           [command_and_control]",
            "malicious.high.ml   [dropper]",
            "https://www.reddit.com/user"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Qakbot",
              "display_name": "Qakbot",
              "target": null
            },
            {
              "id": "Quasar",
              "display_name": "Quasar",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "HideLink",
              "display_name": "HideLink",
              "target": null
            },
            {
              "id": "Gregory",
              "display_name": "Gregory",
              "target": null
            },
            {
              "id": "Cutwail",
              "display_name": "Cutwail",
              "target": null
            },
            {
              "id": "Matsnu",
              "display_name": "Matsnu",
              "target": null
            },
            {
              "id": "Vawtrak",
              "display_name": "Vawtrak",
              "target": null
            },
            {
              "id": "XRat",
              "display_name": "XRat",
              "target": null
            },
            {
              "id": "Zbot",
              "display_name": "Zbot",
              "target": null
            },
            {
              "id": "Virut",
              "display_name": "Virut",
              "target": null
            },
            {
              "id": "ZeuS",
              "display_name": "ZeuS",
              "target": null
            },
            {
              "id": "vSkimmer",
              "display_name": "vSkimmer",
              "target": null
            },
            {
              "id": "SuppoBox",
              "display_name": "SuppoBox",
              "target": null
            },
            {
              "id": "Simda",
              "display_name": "Simda",
              "target": null
            },
            {
              "id": "Pykspa",
              "display_name": "Pykspa",
              "target": null
            },
            {
              "id": "SpyEye",
              "display_name": "SpyEye",
              "target": null
            },
            {
              "id": "Spitmo",
              "display_name": "Spitmo",
              "target": null
            },
            {
              "id": "Solar",
              "display_name": "Solar",
              "target": null
            },
            {
              "id": "Nymaim",
              "display_name": "Nymaim",
              "target": null
            },
            {
              "id": "DorkBot",
              "display_name": "DorkBot",
              "target": null
            },
            {
              "id": "Slingshot",
              "display_name": "Slingshot",
              "target": null
            },
            {
              "id": "Pony",
              "display_name": "Pony",
              "target": null
            },
            {
              "id": "Plasma RAT",
              "display_name": "Plasma RAT",
              "target": null
            },
            {
              "id": "Neutrino",
              "display_name": "Neutrino",
              "target": null
            },
            {
              "id": "Ramnit",
              "display_name": "Ramnit",
              "target": null
            },
            {
              "id": "NSIS",
              "display_name": "NSIS",
              "target": null
            },
            {
              "id": "RedLine Stealer",
              "display_name": "RedLine Stealer",
              "target": null
            },
            {
              "id": "InstallCore",
              "display_name": "InstallCore",
              "target": null
            },
            {
              "id": "GrandCrab",
              "display_name": "GrandCrab",
              "target": null
            },
            {
              "id": "Andromeda",
              "display_name": "Andromeda",
              "target": null
            },
            {
              "id": "Alinaos",
              "display_name": "Alinaos",
              "target": null
            },
            {
              "id": "HawkEye",
              "display_name": "HawkEye",
              "target": null
            },
            {
              "id": "Kraken",
              "display_name": "Kraken",
              "target": null
            },
            {
              "id": "Infy",
              "display_name": "Infy",
              "target": null
            },
            {
              "id": "Dexter",
              "display_name": "Dexter",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Artemis",
              "display_name": "Artemis",
              "target": null
            },
            {
              "id": "ASCII",
              "display_name": "ASCII",
              "target": null
            },
            {
              "id": "Athena",
              "display_name": "Athena",
              "target": null
            },
            {
              "id": "Bambernek",
              "display_name": "Bambernek",
              "target": null
            },
            {
              "id": "BetaBot",
              "display_name": "BetaBot",
              "target": null
            },
            {
              "id": "COVID19",
              "display_name": "COVID19",
              "target": null
            },
            {
              "id": "Citadel",
              "display_name": "Citadel",
              "target": null
            },
            {
              "id": "Bondat",
              "display_name": "Bondat",
              "target": null
            },
            {
              "id": "HideLink",
              "display_name": "HideLink",
              "target": null
            },
            {
              "id": "Hydra",
              "display_name": "Hydra",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 98,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 8343,
            "FileHash-MD5": 953,
            "FileHash-SHA1": 489,
            "FileHash-SHA256": 3565,
            "domain": 1494,
            "hostname": 2218,
            "CVE": 6
          },
          "indicator_count": 17068,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "821 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "655f6edffd3910161c2ad1a2",
          "name": "D26A | DNSpionage| Qbot | Tulach Malaware | https://theanimallawfirm.com/ | FakeAlert",
          "description": "",
          "modified": "2023-12-23T07:03:55.171000",
          "created": "2023-11-23T15:25:19.843000",
          "tags": [
            "pattern match",
            "ascii text",
            "file",
            "jpeg image",
            "exif standard",
            "tiff image",
            "png image",
            "united",
            "baseline",
            "rgba",
            "date",
            "class",
            "unknown",
            "hybrid",
            "accept",
            "local",
            "click",
            "strings",
            "generator",
            "critical",
            "error",
            "firehol",
            "detection list",
            "ip address",
            "blacklist",
            "botnet command",
            "control server",
            "noname057",
            "facebook",
            "phishtank",
            "blacklist http",
            "organization",
            "ssl certificate",
            "whois record",
            "contacted",
            "historical ssl",
            "n64xtx0vpihxzc",
            "whois whois",
            "qpyrn6pd http",
            "referrer",
            "execution",
            "communicating",
            "core",
            "discord",
            "hiddentear",
            "metro",
            "probe",
            "ransomexx",
            "quasar",
            "asyncrat",
            "bleachgap",
            "formbook",
            "nanocore",
            "roblox",
            "heur",
            "cyber threat",
            "engineering",
            "malware",
            "phishing",
            "malicious site",
            "phishing site",
            "covid19",
            "team",
            "bank",
            "cobalt strike",
            "artemis",
            "download",
            "zbot",
            "suppobox",
            "service",
            "downloader",
            "virut",
            "malicious",
            "emotet",
            "stealer",
            "exploit",
            "generic",
            "dropper",
            "unruy",
            "agent",
            "unsafe",
            "ramnit",
            "redline stealer",
            "smsspy",
            "bradesco",
            "fakealert",
            "qakbot",
            "outbreak",
            "qbot",
            "bankerx",
            "riskware",
            "nimda",
            "swrort",
            "adwind",
            "trojanx",
            "crack",
            "win64",
            "squirrelwaffle",
            "pony",
            "binder",
            "virustotal",
            "azorult",
            "zeus",
            "nymaim",
            "matsnu",
            "simda",
            "runescape",
            "cutwail",
            "dnspionage",
            "redirector",
            "fusioncore",
            "iframe",
            "killav",
            "raccoon",
            "daum",
            "installcore",
            "ransomware",
            "cisco umbrella",
            "site",
            "safe site",
            "alexa top",
            "million",
            "presenoker",
            "downldr",
            "alexa",
            "applicunwnt",
            "opencandy",
            "cleaner",
            "wacatac",
            "xrat",
            "xtrat",
            "dbatloader",
            "infy",
            "psexec",
            "occamy",
            "brontok",
            "zpevdo",
            "startpage",
            "keygen",
            "fareit",
            "secrisk",
            "phish",
            "deepscan",
            "trojanspy",
            "maltiverse",
            "qpyrn6pd",
            "spyware",
            "injector",
            "jul jan",
            "tag count",
            "tue jan",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "sample"
          ],
          "references": [
            "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658",
            "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]",
            "*otc.greatcall.com    [Botnetwork]",
            "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]",
            "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]",
            "tulach.cc.     [Malevolent | Modified description]",
            "https://tulach.cc/ [phishing]",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]",
            "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]",
            "s3.amazonaws.com   [Virut Tsara Brashears Botnetwork | Modified description]"
          ],
          "public": 1,
          "adversary": "Qbot",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Roblox",
              "display_name": "Roblox",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "Tulach Malware",
              "display_name": "Tulach Malware",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "655f6d89b33758a190399f39",
          "export_count": 86,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 897,
            "FileHash-SHA1": 479,
            "URL": 9847,
            "domain": 2344,
            "hostname": 2398,
            "CVE": 22,
            "FileHash-SHA256": 4712
          },
          "indicator_count": 20699,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 225,
          "modified_text": "849 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "655f6d89b33758a190399f39",
          "name": "Qbot | Miscellaneous Attacks",
          "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.",
          "modified": "2023-12-23T07:03:55.171000",
          "created": "2023-11-23T15:19:37.838000",
          "tags": [
            "pattern match",
            "ascii text",
            "file",
            "jpeg image",
            "exif standard",
            "tiff image",
            "png image",
            "united",
            "baseline",
            "rgba",
            "date",
            "class",
            "unknown",
            "hybrid",
            "accept",
            "local",
            "click",
            "strings",
            "generator",
            "critical",
            "error",
            "firehol",
            "detection list",
            "ip address",
            "blacklist",
            "botnet command",
            "control server",
            "noname057",
            "facebook",
            "phishtank",
            "blacklist http",
            "organization",
            "ssl certificate",
            "whois record",
            "contacted",
            "historical ssl",
            "n64xtx0vpihxzc",
            "whois whois",
            "qpyrn6pd http",
            "referrer",
            "execution",
            "communicating",
            "core",
            "discord",
            "hiddentear",
            "metro",
            "probe",
            "ransomexx",
            "quasar",
            "asyncrat",
            "bleachgap",
            "formbook",
            "nanocore",
            "roblox",
            "heur",
            "cyber threat",
            "engineering",
            "malware",
            "phishing",
            "malicious site",
            "phishing site",
            "covid19",
            "team",
            "bank",
            "cobalt strike",
            "artemis",
            "download",
            "zbot",
            "suppobox",
            "service",
            "downloader",
            "virut",
            "malicious",
            "emotet",
            "stealer",
            "exploit",
            "generic",
            "dropper",
            "unruy",
            "agent",
            "unsafe",
            "ramnit",
            "redline stealer",
            "smsspy",
            "bradesco",
            "fakealert",
            "qakbot",
            "outbreak",
            "qbot",
            "bankerx",
            "riskware",
            "nimda",
            "swrort",
            "adwind",
            "trojanx",
            "crack",
            "win64",
            "squirrelwaffle",
            "pony",
            "binder",
            "virustotal",
            "azorult",
            "zeus",
            "nymaim",
            "matsnu",
            "simda",
            "runescape",
            "cutwail",
            "dnspionage",
            "redirector",
            "fusioncore",
            "iframe",
            "killav",
            "raccoon",
            "daum",
            "installcore",
            "ransomware",
            "cisco umbrella",
            "site",
            "safe site",
            "alexa top",
            "million",
            "presenoker",
            "downldr",
            "alexa",
            "applicunwnt",
            "opencandy",
            "cleaner",
            "wacatac",
            "xrat",
            "xtrat",
            "dbatloader",
            "infy",
            "psexec",
            "occamy",
            "brontok",
            "zpevdo",
            "startpage",
            "keygen",
            "fareit",
            "secrisk",
            "phish",
            "deepscan",
            "trojanspy",
            "maltiverse",
            "qpyrn6pd",
            "spyware",
            "injector",
            "jul jan",
            "tag count",
            "tue jan",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "sample"
          ],
          "references": [
            "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658",
            "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]",
            "*otc.greatcall.com    [Botnetwork]",
            "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]",
            "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]",
            "tulach.cc.     [Malevolent | Modified description]",
            "https://tulach.cc/ [phishing]",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]",
            "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]",
            "s3.amazonaws.com   [Virut Tsara Brashears Botnetwork | Modified description]"
          ],
          "public": 1,
          "adversary": "Qbot",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Roblox",
              "display_name": "Roblox",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "Tulach Malware",
              "display_name": "Tulach Malware",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 84,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 897,
            "FileHash-SHA1": 479,
            "URL": 9847,
            "domain": 2344,
            "hostname": 2398,
            "CVE": 22,
            "FileHash-SHA256": 4712
          },
          "indicator_count": 20699,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "849 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "655f6d7ac217661e4bc37f4d",
          "name": "Qbot | Miscellaneous Attacks",
          "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.",
          "modified": "2023-12-23T07:03:55.171000",
          "created": "2023-11-23T15:19:22.356000",
          "tags": [
            "pattern match",
            "ascii text",
            "file",
            "jpeg image",
            "exif standard",
            "tiff image",
            "png image",
            "united",
            "baseline",
            "rgba",
            "date",
            "class",
            "unknown",
            "hybrid",
            "accept",
            "local",
            "click",
            "strings",
            "generator",
            "critical",
            "error",
            "firehol",
            "detection list",
            "ip address",
            "blacklist",
            "botnet command",
            "control server",
            "noname057",
            "facebook",
            "phishtank",
            "blacklist http",
            "organization",
            "ssl certificate",
            "whois record",
            "contacted",
            "historical ssl",
            "n64xtx0vpihxzc",
            "whois whois",
            "qpyrn6pd http",
            "referrer",
            "execution",
            "communicating",
            "core",
            "discord",
            "hiddentear",
            "metro",
            "probe",
            "ransomexx",
            "quasar",
            "asyncrat",
            "bleachgap",
            "formbook",
            "nanocore",
            "roblox",
            "heur",
            "cyber threat",
            "engineering",
            "malware",
            "phishing",
            "malicious site",
            "phishing site",
            "covid19",
            "team",
            "bank",
            "cobalt strike",
            "artemis",
            "download",
            "zbot",
            "suppobox",
            "service",
            "downloader",
            "virut",
            "malicious",
            "emotet",
            "stealer",
            "exploit",
            "generic",
            "dropper",
            "unruy",
            "agent",
            "unsafe",
            "ramnit",
            "redline stealer",
            "smsspy",
            "bradesco",
            "fakealert",
            "qakbot",
            "outbreak",
            "qbot",
            "bankerx",
            "riskware",
            "nimda",
            "swrort",
            "adwind",
            "trojanx",
            "crack",
            "win64",
            "squirrelwaffle",
            "pony",
            "binder",
            "virustotal",
            "azorult",
            "zeus",
            "nymaim",
            "matsnu",
            "simda",
            "runescape",
            "cutwail",
            "dnspionage",
            "redirector",
            "fusioncore",
            "iframe",
            "killav",
            "raccoon",
            "daum",
            "installcore",
            "ransomware",
            "cisco umbrella",
            "site",
            "safe site",
            "alexa top",
            "million",
            "presenoker",
            "downldr",
            "alexa",
            "applicunwnt",
            "opencandy",
            "cleaner",
            "wacatac",
            "xrat",
            "xtrat",
            "dbatloader",
            "infy",
            "psexec",
            "occamy",
            "brontok",
            "zpevdo",
            "startpage",
            "keygen",
            "fareit",
            "secrisk",
            "phish",
            "deepscan",
            "trojanspy",
            "maltiverse",
            "qpyrn6pd",
            "spyware",
            "injector",
            "jul jan",
            "tag count",
            "tue jan",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "sample"
          ],
          "references": [
            "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658",
            "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]",
            "*otc.greatcall.com    [Botnetwork]",
            "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]",
            "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]",
            "tulach.cc.     [Malevolent | Modified description]",
            "https://tulach.cc/ [phishing]",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]",
            "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]",
            "s3.amazonaws.com   [Virut Tsara Brashears Botnetwork | Modified description]"
          ],
          "public": 1,
          "adversary": "Qbot",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Roblox",
              "display_name": "Roblox",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "Tulach Malware",
              "display_name": "Tulach Malware",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 82,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 897,
            "FileHash-SHA1": 479,
            "URL": 9847,
            "domain": 2344,
            "hostname": 2398,
            "CVE": 22,
            "FileHash-SHA256": 4712
          },
          "indicator_count": 20699,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "849 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "656a947431aca6a0666c11b4",
          "name": " RedlineStealer | tx-p2p-pull.video-voip.com.dorm.com",
          "description": "",
          "modified": "2023-12-22T15:02:57.858000",
          "created": "2023-12-02T02:20:36.922000",
          "tags": [
            "ssl certificate",
            "execution",
            "historical ssl",
            "dropped",
            "whois record",
            "whois",
            "referrer",
            "contacted",
            "best",
            "sites",
            "emotet",
            "team",
            "cyber threat",
            "united",
            "engineering",
            "malware",
            "hostname",
            "malicious site",
            "heur",
            "phishing",
            "phishing site",
            "suppobox",
            "facebook",
            "zbot",
            "malicious",
            "download",
            "redline stealer",
            "simda",
            "bank",
            "virut",
            "tofsee",
            "vawtrak",
            "hotmail",
            "steam",
            "nymaim",
            "zeus",
            "installcore",
            "ransomware",
            "ramnit",
            "union",
            "kraken",
            "pony",
            "betabot",
            "unruy",
            "bandoo",
            "matsnu",
            "detection list",
            "blacklist",
            "noname057",
            "stop",
            "pattern match",
            "root ca",
            "done adding",
            "catalog file",
            "authority",
            "class",
            "ascii text",
            "mitre att",
            "ck id",
            "show technique",
            "date",
            "unknown",
            "meta",
            "generator",
            "critical",
            "error",
            "body",
            "hybrid",
            "accept",
            "local",
            "click",
            "strings",
            "cisco umbrella",
            "site",
            "safe site",
            "html",
            "million",
            "alexa top",
            "outbreak",
            "downer",
            "shell",
            "mediamagnet",
            "sality",
            "swrort",
            "adaptivebee",
            "iobit",
            "dropper",
            "trojanx",
            "artemis",
            "riskware",
            "webshell",
            "exploit",
            "crack",
            "azorult",
            "service",
            "runescape",
            "ip address",
            "mail spammer",
            "attacker",
            "et cins",
            "active threat",
            "reputation ip",
            "threats et",
            "dns replication",
            "graph summary",
            "domain status",
            "server",
            "whois lookup",
            "creation date",
            "dnssec",
            "domain name",
            "status",
            "abuse contact",
            "email",
            "registrar abuse"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Vawtrak",
              "display_name": "Vawtrak",
              "target": null
            },
            {
              "id": "Unruy",
              "display_name": "Unruy",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "TrojanX",
              "display_name": "TrojanX",
              "target": null
            },
            {
              "id": "Simda",
              "display_name": "Simda",
              "target": null
            },
            {
              "id": "MediaMagnet",
              "display_name": "MediaMagnet",
              "target": null
            },
            {
              "id": "Virut",
              "display_name": "Virut",
              "target": null
            },
            {
              "id": "Zbot",
              "display_name": "Zbot",
              "target": null
            },
            {
              "id": "Zeus",
              "display_name": "Zeus",
              "target": null
            },
            {
              "id": "SuppoBox",
              "display_name": "SuppoBox",
              "target": null
            },
            {
              "id": "Sality",
              "display_name": "Sality",
              "target": null
            },
            {
              "id": "Ramnit",
              "display_name": "Ramnit",
              "target": null
            },
            {
              "id": "Pony",
              "display_name": "Pony",
              "target": null
            },
            {
              "id": "Kraken",
              "display_name": "Kraken",
              "target": null
            },
            {
              "id": "Nymaim",
              "display_name": "Nymaim",
              "target": null
            },
            {
              "id": "Matsnu",
              "display_name": "Matsnu",
              "target": null
            },
            {
              "id": "BetaBot",
              "display_name": "BetaBot",
              "target": null
            },
            {
              "id": "AZORult",
              "display_name": "AZORult",
              "target": null
            },
            {
              "id": "IObit",
              "display_name": "IObit",
              "target": null
            },
            {
              "id": "ALF:Cert:Bandoo",
              "display_name": "ALF:Cert:Bandoo",
              "target": null
            },
            {
              "id": "RedLine Stealer",
              "display_name": "RedLine Stealer",
              "target": null
            },
            {
              "id": "InstallCore",
              "display_name": "InstallCore",
              "target": null
            },
            {
              "id": "AdaptiveBee",
              "display_name": "AdaptiveBee",
              "target": null
            },
            {
              "id": "Artemis",
              "display_name": "Artemis",
              "target": null
            },
            {
              "id": "Swrort",
              "display_name": "Swrort",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "655e3debccfb06fb9580b69d",
          "export_count": 34,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 101,
            "FileHash-SHA1": 72,
            "FileHash-SHA256": 2087,
            "URL": 6558,
            "domain": 1279,
            "hostname": 2371,
            "CVE": 14,
            "email": 1
          },
          "indicator_count": 12483,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 225,
          "modified_text": "850 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "655e3debccfb06fb9580b69d",
          "name": "RedlineStealer | tx-p2p-pull.video-voip.com.dorm.com",
          "description": "tx-p2p-pull.video-voip.com.dorm.com",
          "modified": "2023-12-22T15:02:57.858000",
          "created": "2023-11-22T17:44:11.982000",
          "tags": [
            "ssl certificate",
            "execution",
            "historical ssl",
            "dropped",
            "whois record",
            "whois",
            "referrer",
            "contacted",
            "best",
            "sites",
            "emotet",
            "team",
            "cyber threat",
            "united",
            "engineering",
            "malware",
            "hostname",
            "malicious site",
            "heur",
            "phishing",
            "phishing site",
            "suppobox",
            "facebook",
            "zbot",
            "malicious",
            "download",
            "redline stealer",
            "simda",
            "bank",
            "virut",
            "tofsee",
            "vawtrak",
            "hotmail",
            "steam",
            "nymaim",
            "zeus",
            "installcore",
            "ransomware",
            "ramnit",
            "union",
            "kraken",
            "pony",
            "betabot",
            "unruy",
            "bandoo",
            "matsnu",
            "detection list",
            "blacklist",
            "noname057",
            "stop",
            "pattern match",
            "root ca",
            "done adding",
            "catalog file",
            "authority",
            "class",
            "ascii text",
            "mitre att",
            "ck id",
            "show technique",
            "date",
            "unknown",
            "meta",
            "generator",
            "critical",
            "error",
            "body",
            "hybrid",
            "accept",
            "local",
            "click",
            "strings",
            "cisco umbrella",
            "site",
            "safe site",
            "html",
            "million",
            "alexa top",
            "outbreak",
            "downer",
            "shell",
            "mediamagnet",
            "sality",
            "swrort",
            "adaptivebee",
            "iobit",
            "dropper",
            "trojanx",
            "artemis",
            "riskware",
            "webshell",
            "exploit",
            "crack",
            "azorult",
            "service",
            "runescape",
            "ip address",
            "mail spammer",
            "attacker",
            "et cins",
            "active threat",
            "reputation ip",
            "threats et",
            "dns replication",
            "graph summary",
            "domain status",
            "server",
            "whois lookup",
            "creation date",
            "dnssec",
            "domain name",
            "status",
            "abuse contact",
            "email",
            "registrar abuse"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Vawtrak",
              "display_name": "Vawtrak",
              "target": null
            },
            {
              "id": "Unruy",
              "display_name": "Unruy",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "TrojanX",
              "display_name": "TrojanX",
              "target": null
            },
            {
              "id": "Simda",
              "display_name": "Simda",
              "target": null
            },
            {
              "id": "MediaMagnet",
              "display_name": "MediaMagnet",
              "target": null
            },
            {
              "id": "Virut",
              "display_name": "Virut",
              "target": null
            },
            {
              "id": "Zbot",
              "display_name": "Zbot",
              "target": null
            },
            {
              "id": "Zeus",
              "display_name": "Zeus",
              "target": null
            },
            {
              "id": "SuppoBox",
              "display_name": "SuppoBox",
              "target": null
            },
            {
              "id": "Sality",
              "display_name": "Sality",
              "target": null
            },
            {
              "id": "Ramnit",
              "display_name": "Ramnit",
              "target": null
            },
            {
              "id": "Pony",
              "display_name": "Pony",
              "target": null
            },
            {
              "id": "Kraken",
              "display_name": "Kraken",
              "target": null
            },
            {
              "id": "Nymaim",
              "display_name": "Nymaim",
              "target": null
            },
            {
              "id": "Matsnu",
              "display_name": "Matsnu",
              "target": null
            },
            {
              "id": "BetaBot",
              "display_name": "BetaBot",
              "target": null
            },
            {
              "id": "AZORult",
              "display_name": "AZORult",
              "target": null
            },
            {
              "id": "IObit",
              "display_name": "IObit",
              "target": null
            },
            {
              "id": "ALF:Cert:Bandoo",
              "display_name": "ALF:Cert:Bandoo",
              "target": null
            },
            {
              "id": "RedLine Stealer",
              "display_name": "RedLine Stealer",
              "target": null
            },
            {
              "id": "InstallCore",
              "display_name": "InstallCore",
              "target": null
            },
            {
              "id": "AdaptiveBee",
              "display_name": "AdaptiveBee",
              "target": null
            },
            {
              "id": "Artemis",
              "display_name": "Artemis",
              "target": null
            },
            {
              "id": "Swrort",
              "display_name": "Swrort",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 48,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 101,
            "FileHash-SHA1": 72,
            "FileHash-SHA256": 2087,
            "URL": 6558,
            "domain": 1279,
            "hostname": 2371,
            "CVE": 14,
            "email": 1
          },
          "indicator_count": 12483,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "850 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "655e3de9eb518e46e96e9fd4",
          "name": "RedlineStealer | tx-p2p-pull.video-voip.com.dorm.com",
          "description": "tx-p2p-pull.video-voip.com.dorm.com",
          "modified": "2023-12-22T15:02:57.858000",
          "created": "2023-11-22T17:44:09.675000",
          "tags": [
            "ssl certificate",
            "execution",
            "historical ssl",
            "dropped",
            "whois record",
            "whois",
            "referrer",
            "contacted",
            "best",
            "sites",
            "emotet",
            "team",
            "cyber threat",
            "united",
            "engineering",
            "malware",
            "hostname",
            "malicious site",
            "heur",
            "phishing",
            "phishing site",
            "suppobox",
            "facebook",
            "zbot",
            "malicious",
            "download",
            "redline stealer",
            "simda",
            "bank",
            "virut",
            "tofsee",
            "vawtrak",
            "hotmail",
            "steam",
            "nymaim",
            "zeus",
            "installcore",
            "ransomware",
            "ramnit",
            "union",
            "kraken",
            "pony",
            "betabot",
            "unruy",
            "bandoo",
            "matsnu",
            "detection list",
            "blacklist",
            "noname057",
            "stop",
            "pattern match",
            "root ca",
            "done adding",
            "catalog file",
            "authority",
            "class",
            "ascii text",
            "mitre att",
            "ck id",
            "show technique",
            "date",
            "unknown",
            "meta",
            "generator",
            "critical",
            "error",
            "body",
            "hybrid",
            "accept",
            "local",
            "click",
            "strings",
            "cisco umbrella",
            "site",
            "safe site",
            "html",
            "million",
            "alexa top",
            "outbreak",
            "downer",
            "shell",
            "mediamagnet",
            "sality",
            "swrort",
            "adaptivebee",
            "iobit",
            "dropper",
            "trojanx",
            "artemis",
            "riskware",
            "webshell",
            "exploit",
            "crack",
            "azorult",
            "service",
            "runescape",
            "ip address",
            "mail spammer",
            "attacker",
            "et cins",
            "active threat",
            "reputation ip",
            "threats et",
            "dns replication",
            "graph summary",
            "domain status",
            "server",
            "whois lookup",
            "creation date",
            "dnssec",
            "domain name",
            "status",
            "abuse contact",
            "email",
            "registrar abuse"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Vawtrak",
              "display_name": "Vawtrak",
              "target": null
            },
            {
              "id": "Unruy",
              "display_name": "Unruy",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "TrojanX",
              "display_name": "TrojanX",
              "target": null
            },
            {
              "id": "Simda",
              "display_name": "Simda",
              "target": null
            },
            {
              "id": "MediaMagnet",
              "display_name": "MediaMagnet",
              "target": null
            },
            {
              "id": "Virut",
              "display_name": "Virut",
              "target": null
            },
            {
              "id": "Zbot",
              "display_name": "Zbot",
              "target": null
            },
            {
              "id": "Zeus",
              "display_name": "Zeus",
              "target": null
            },
            {
              "id": "SuppoBox",
              "display_name": "SuppoBox",
              "target": null
            },
            {
              "id": "Sality",
              "display_name": "Sality",
              "target": null
            },
            {
              "id": "Ramnit",
              "display_name": "Ramnit",
              "target": null
            },
            {
              "id": "Pony",
              "display_name": "Pony",
              "target": null
            },
            {
              "id": "Kraken",
              "display_name": "Kraken",
              "target": null
            },
            {
              "id": "Nymaim",
              "display_name": "Nymaim",
              "target": null
            },
            {
              "id": "Matsnu",
              "display_name": "Matsnu",
              "target": null
            },
            {
              "id": "BetaBot",
              "display_name": "BetaBot",
              "target": null
            },
            {
              "id": "AZORult",
              "display_name": "AZORult",
              "target": null
            },
            {
              "id": "IObit",
              "display_name": "IObit",
              "target": null
            },
            {
              "id": "ALF:Cert:Bandoo",
              "display_name": "ALF:Cert:Bandoo",
              "target": null
            },
            {
              "id": "RedLine Stealer",
              "display_name": "RedLine Stealer",
              "target": null
            },
            {
              "id": "InstallCore",
              "display_name": "InstallCore",
              "target": null
            },
            {
              "id": "AdaptiveBee",
              "display_name": "AdaptiveBee",
              "target": null
            },
            {
              "id": "Artemis",
              "display_name": "Artemis",
              "target": null
            },
            {
              "id": "Swrort",
              "display_name": "Swrort",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 49,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 101,
            "FileHash-SHA1": 72,
            "FileHash-SHA256": 2087,
            "URL": 6558,
            "domain": 1279,
            "hostname": 2371,
            "CVE": 14,
            "email": 1
          },
          "indicator_count": 12483,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "850 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65574cb4447c8d87ad85fa75",
          "name": "Masquerading",
          "description": "",
          "modified": "2023-12-17T11:03:45.376000",
          "created": "2023-11-17T11:21:24.343000",
          "tags": [
            "no expiration",
            "filehashsha256",
            "filehashmd5",
            "iocs",
            "url http",
            "expiration",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "create new",
            "blacklist http",
            "laplasclipper",
            "malicious url",
            "cisco umbrella",
            "site",
            "alexa top",
            "blacklist",
            "safe site",
            "malware site",
            "phishing site",
            "malicious site",
            "malware",
            "china unknown",
            "united",
            "unknown",
            "as54994 quantil",
            "cname",
            "nxdomain",
            "as8068",
            "as4134 chinanet",
            "passive dns",
            "domain",
            "next",
            "filehashsha1",
            "service company",
            "servers",
            "ndicator role",
            "title added",
            "active related",
            "pulses url",
            "showing",
            "entries",
            "pulses http",
            "url https",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "report spam",
            "author avatar",
            "created",
            "hour ago",
            "trojanspy",
            "redline",
            "pulses hostname",
            "blacklist https",
            "indicator role",
            "bidid",
            "adid",
            "v4us",
            "v51845481",
            "hostname",
            "http",
            "cisco",
            "umbrella rank",
            "search live",
            "api blog",
            "docs pricing",
            "november",
            "de summary",
            "frankfurt",
            "main",
            "reverse dns",
            "general full",
            "asn16509",
            "amazon02",
            "resource",
            "protocol h2",
            "security tls",
            "hash",
            "de indicators",
            "domains",
            "hashes",
            "copyright",
            "gmbh version",
            "follow",
            "value",
            "postitem",
            "variables",
            "parameters",
            "systemid object",
            "def function",
            "login",
            "get h2",
            "secrets llc",
            "agreement",
            "the site",
            "content",
            "policy",
            "this site",
            "claims",
            "florida",
            "please",
            "premium",
            "service",
            "restrict",
            "express",
            "media",
            "facebook",
            "twitter",
            "final",
            "first",
            "cloudflarenet",
            "gts ca",
            "software",
            "million",
            "hours ago",
            "chameleon",
            "heur",
            "phishing",
            "riskware",
            "agent",
            "unsafe",
            "opencandy",
            "exploit",
            "mimikatz",
            "iframe",
            "downldr",
            "presenoker",
            "artemis",
            "download",
            "beach research",
            "germany",
            "asn20940",
            "akamaiasn1",
            "threat report",
            "url summary",
            "summary",
            "sample",
            "samples",
            "detection list",
            "alexa",
            "maltiverse",
            "google",
            "qtsas",
            "name value",
            "no data",
            "tag count",
            "count blacklist",
            "pbiptbmvd0k4",
            "glelexoputyh",
            "suppobox",
            "team",
            "bambernek",
            "internet storm",
            "phishtank",
            "phish",
            "trickbot",
            "telecom",
            "bank",
            "ipv4",
            "octoseek report",
            "spam https",
            "tsara brashears",
            "malvertizing",
            "tracking",
            "tagging",
            "spyder",
            "cybercrime",
            "email collection",
            "apple data collection",
            "win32 exe",
            "ms word",
            "document",
            "type name",
            "javascript",
            "network capture",
            "files",
            "detections type",
            "name",
            "ssl certificate",
            "whois whois",
            "tsara brashears",
            "whois record",
            "asn owner",
            "highly targeted",
            "kgs0",
            "kls0",
            "relacionada",
            "family",
            "lolkek",
            "emotet",
            "dark power",
            "wiper",
            "ransomware",
            "cobalt strike",
            "quasar rat",
            "ursnif",
            "remcos",
            "core",
            "redline stealer",
            "bitrat",
            "hacktool",
            "critical",
            "copy",
            "installer",
            "execution",
            "network",
            "communicating",
            "referrer",
            "parent",
            "historical ssl",
            "siblings",
            "resolutions",
            "name verdict",
            "falcon sandbox",
            "pattern match",
            "error",
            "file",
            "indicator",
            "script",
            "typeof e",
            "ascii text",
            "appdata",
            "date",
            "windir",
            "span",
            "body",
            "meta",
            "class",
            "generator",
            "info",
            "null",
            "refresh",
            "hybrid",
            "general",
            "local",
            "click",
            "strings",
            "tools",
            "look",
            "verify",
            "restart",
            "form",
            "footer",
            "html",
            "union",
            "outbreak",
            "downer",
            "shell",
            "mediamagnet",
            "sality",
            "swrort",
            "adaptivebee",
            "unruy",
            "iobit",
            "dropper",
            "trojanx",
            "installcore",
            "webshell",
            "crack",
            "webtoolbar",
            "threat roundup",
            "contacted",
            "june",
            "july",
            "october",
            "august"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Beach Research",
              "display_name": "Beach Research",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [
            "Health",
            "Nutritional",
            "Medical",
            "Medicine"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 103,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 400,
            "FileHash-SHA1": 240,
            "FileHash-SHA256": 6459,
            "hostname": 4845,
            "URL": 11514,
            "CVE": 15,
            "domain": 3179,
            "email": 31
          },
          "indicator_count": 26683,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 222,
          "modified_text": "855 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65580c17e69371b34a573f72",
          "name": "Masquerading",
          "description": "",
          "modified": "2023-12-17T11:03:45.376000",
          "created": "2023-11-18T00:57:59.619000",
          "tags": [
            "no expiration",
            "filehashsha256",
            "filehashmd5",
            "iocs",
            "url http",
            "expiration",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "create new",
            "blacklist http",
            "laplasclipper",
            "malicious url",
            "cisco umbrella",
            "site",
            "alexa top",
            "blacklist",
            "safe site",
            "malware site",
            "phishing site",
            "malicious site",
            "malware",
            "china unknown",
            "united",
            "unknown",
            "as54994 quantil",
            "cname",
            "nxdomain",
            "as8068",
            "as4134 chinanet",
            "passive dns",
            "domain",
            "next",
            "filehashsha1",
            "service company",
            "servers",
            "ndicator role",
            "title added",
            "active related",
            "pulses url",
            "showing",
            "entries",
            "pulses http",
            "url https",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "report spam",
            "author avatar",
            "created",
            "hour ago",
            "trojanspy",
            "redline",
            "pulses hostname",
            "blacklist https",
            "indicator role",
            "bidid",
            "adid",
            "v4us",
            "v51845481",
            "hostname",
            "http",
            "cisco",
            "umbrella rank",
            "search live",
            "api blog",
            "docs pricing",
            "november",
            "de summary",
            "frankfurt",
            "main",
            "reverse dns",
            "general full",
            "asn16509",
            "amazon02",
            "resource",
            "protocol h2",
            "security tls",
            "hash",
            "de indicators",
            "domains",
            "hashes",
            "copyright",
            "gmbh version",
            "follow",
            "value",
            "postitem",
            "variables",
            "parameters",
            "systemid object",
            "def function",
            "login",
            "get h2",
            "secrets llc",
            "agreement",
            "the site",
            "content",
            "policy",
            "this site",
            "claims",
            "florida",
            "please",
            "premium",
            "service",
            "restrict",
            "express",
            "media",
            "facebook",
            "twitter",
            "final",
            "first",
            "cloudflarenet",
            "gts ca",
            "software",
            "million",
            "hours ago",
            "chameleon",
            "heur",
            "phishing",
            "riskware",
            "agent",
            "unsafe",
            "opencandy",
            "exploit",
            "mimikatz",
            "iframe",
            "downldr",
            "presenoker",
            "artemis",
            "download",
            "beach research",
            "germany",
            "asn20940",
            "akamaiasn1",
            "threat report",
            "url summary",
            "summary",
            "sample",
            "samples",
            "detection list",
            "alexa",
            "maltiverse",
            "google",
            "qtsas",
            "name value",
            "no data",
            "tag count",
            "count blacklist",
            "pbiptbmvd0k4",
            "glelexoputyh",
            "suppobox",
            "team",
            "bambernek",
            "internet storm",
            "phishtank",
            "phish",
            "trickbot",
            "telecom",
            "bank",
            "ipv4",
            "octoseek report",
            "spam https",
            "tsara brashears",
            "malvertizing",
            "tracking",
            "tagging",
            "spyder",
            "cybercrime",
            "email collection",
            "apple data collection",
            "win32 exe",
            "ms word",
            "document",
            "type name",
            "javascript",
            "network capture",
            "files",
            "detections type",
            "name",
            "ssl certificate",
            "whois whois",
            "tsara brashears",
            "whois record",
            "asn owner",
            "highly targeted",
            "kgs0",
            "kls0",
            "relacionada",
            "family",
            "lolkek",
            "emotet",
            "dark power",
            "wiper",
            "ransomware",
            "cobalt strike",
            "quasar rat",
            "ursnif",
            "remcos",
            "core",
            "redline stealer",
            "bitrat",
            "hacktool",
            "critical",
            "copy",
            "installer",
            "execution",
            "network",
            "communicating",
            "referrer",
            "parent",
            "historical ssl",
            "siblings",
            "resolutions",
            "name verdict",
            "falcon sandbox",
            "pattern match",
            "error",
            "file",
            "indicator",
            "script",
            "typeof e",
            "ascii text",
            "appdata",
            "date",
            "windir",
            "span",
            "body",
            "meta",
            "class",
            "generator",
            "info",
            "null",
            "refresh",
            "hybrid",
            "general",
            "local",
            "click",
            "strings",
            "tools",
            "look",
            "verify",
            "restart",
            "form",
            "footer",
            "html",
            "union",
            "outbreak",
            "downer",
            "shell",
            "mediamagnet",
            "sality",
            "swrort",
            "adaptivebee",
            "unruy",
            "iobit",
            "dropper",
            "trojanx",
            "installcore",
            "webshell",
            "crack",
            "webtoolbar",
            "threat roundup",
            "contacted",
            "june",
            "july",
            "october",
            "august"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Beach Research",
              "display_name": "Beach Research",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [
            "Health",
            "Nutritional",
            "Medical",
            "Medicine"
          ],
          "TLP": "white",
          "cloned_from": "65574cb4447c8d87ad85fa75",
          "export_count": 103,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 400,
            "FileHash-SHA1": 240,
            "FileHash-SHA256": 6459,
            "hostname": 4845,
            "URL": 11514,
            "CVE": 15,
            "domain": 3179,
            "email": 31
          },
          "indicator_count": 26683,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 226,
          "modified_text": "855 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65580c1516990d69644fb3d0",
          "name": "Masquerading",
          "description": "",
          "modified": "2023-12-17T11:03:45.376000",
          "created": "2023-11-18T00:57:57.372000",
          "tags": [
            "no expiration",
            "filehashsha256",
            "filehashmd5",
            "iocs",
            "url http",
            "expiration",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "create new",
            "blacklist http",
            "laplasclipper",
            "malicious url",
            "cisco umbrella",
            "site",
            "alexa top",
            "blacklist",
            "safe site",
            "malware site",
            "phishing site",
            "malicious site",
            "malware",
            "china unknown",
            "united",
            "unknown",
            "as54994 quantil",
            "cname",
            "nxdomain",
            "as8068",
            "as4134 chinanet",
            "passive dns",
            "domain",
            "next",
            "filehashsha1",
            "service company",
            "servers",
            "ndicator role",
            "title added",
            "active related",
            "pulses url",
            "showing",
            "entries",
            "pulses http",
            "url https",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "report spam",
            "author avatar",
            "created",
            "hour ago",
            "trojanspy",
            "redline",
            "pulses hostname",
            "blacklist https",
            "indicator role",
            "bidid",
            "adid",
            "v4us",
            "v51845481",
            "hostname",
            "http",
            "cisco",
            "umbrella rank",
            "search live",
            "api blog",
            "docs pricing",
            "november",
            "de summary",
            "frankfurt",
            "main",
            "reverse dns",
            "general full",
            "asn16509",
            "amazon02",
            "resource",
            "protocol h2",
            "security tls",
            "hash",
            "de indicators",
            "domains",
            "hashes",
            "copyright",
            "gmbh version",
            "follow",
            "value",
            "postitem",
            "variables",
            "parameters",
            "systemid object",
            "def function",
            "login",
            "get h2",
            "secrets llc",
            "agreement",
            "the site",
            "content",
            "policy",
            "this site",
            "claims",
            "florida",
            "please",
            "premium",
            "service",
            "restrict",
            "express",
            "media",
            "facebook",
            "twitter",
            "final",
            "first",
            "cloudflarenet",
            "gts ca",
            "software",
            "million",
            "hours ago",
            "chameleon",
            "heur",
            "phishing",
            "riskware",
            "agent",
            "unsafe",
            "opencandy",
            "exploit",
            "mimikatz",
            "iframe",
            "downldr",
            "presenoker",
            "artemis",
            "download",
            "beach research",
            "germany",
            "asn20940",
            "akamaiasn1",
            "threat report",
            "url summary",
            "summary",
            "sample",
            "samples",
            "detection list",
            "alexa",
            "maltiverse",
            "google",
            "qtsas",
            "name value",
            "no data",
            "tag count",
            "count blacklist",
            "pbiptbmvd0k4",
            "glelexoputyh",
            "suppobox",
            "team",
            "bambernek",
            "internet storm",
            "phishtank",
            "phish",
            "trickbot",
            "telecom",
            "bank",
            "ipv4",
            "octoseek report",
            "spam https",
            "tsara brashears",
            "malvertizing",
            "tracking",
            "tagging",
            "spyder",
            "cybercrime",
            "email collection",
            "apple data collection",
            "win32 exe",
            "ms word",
            "document",
            "type name",
            "javascript",
            "network capture",
            "files",
            "detections type",
            "name",
            "ssl certificate",
            "whois whois",
            "tsara brashears",
            "whois record",
            "asn owner",
            "highly targeted",
            "kgs0",
            "kls0",
            "relacionada",
            "family",
            "lolkek",
            "emotet",
            "dark power",
            "wiper",
            "ransomware",
            "cobalt strike",
            "quasar rat",
            "ursnif",
            "remcos",
            "core",
            "redline stealer",
            "bitrat",
            "hacktool",
            "critical",
            "copy",
            "installer",
            "execution",
            "network",
            "communicating",
            "referrer",
            "parent",
            "historical ssl",
            "siblings",
            "resolutions",
            "name verdict",
            "falcon sandbox",
            "pattern match",
            "error",
            "file",
            "indicator",
            "script",
            "typeof e",
            "ascii text",
            "appdata",
            "date",
            "windir",
            "span",
            "body",
            "meta",
            "class",
            "generator",
            "info",
            "null",
            "refresh",
            "hybrid",
            "general",
            "local",
            "click",
            "strings",
            "tools",
            "look",
            "verify",
            "restart",
            "form",
            "footer",
            "html",
            "union",
            "outbreak",
            "downer",
            "shell",
            "mediamagnet",
            "sality",
            "swrort",
            "adaptivebee",
            "unruy",
            "iobit",
            "dropper",
            "trojanx",
            "installcore",
            "webshell",
            "crack",
            "webtoolbar",
            "threat roundup",
            "contacted",
            "june",
            "july",
            "october",
            "august"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Beach Research",
              "display_name": "Beach Research",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [
            "Health",
            "Nutritional",
            "Medical",
            "Medicine"
          ],
          "TLP": "white",
          "cloned_from": "65574cb4447c8d87ad85fa75",
          "export_count": 100,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 400,
            "FileHash-SHA1": 240,
            "FileHash-SHA256": 6459,
            "hostname": 4845,
            "URL": 11514,
            "CVE": 15,
            "domain": 3179,
            "email": 31
          },
          "indicator_count": 26683,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 226,
          "modified_text": "855 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65574cbe6bdbe24ecb170b24",
          "name": "Masquerading",
          "description": "",
          "modified": "2023-12-17T11:03:45.376000",
          "created": "2023-11-17T11:21:34.083000",
          "tags": [
            "no expiration",
            "filehashsha256",
            "filehashmd5",
            "iocs",
            "url http",
            "expiration",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "create new",
            "blacklist http",
            "laplasclipper",
            "malicious url",
            "cisco umbrella",
            "site",
            "alexa top",
            "blacklist",
            "safe site",
            "malware site",
            "phishing site",
            "malicious site",
            "malware",
            "china unknown",
            "united",
            "unknown",
            "as54994 quantil",
            "cname",
            "nxdomain",
            "as8068",
            "as4134 chinanet",
            "passive dns",
            "domain",
            "next",
            "filehashsha1",
            "service company",
            "servers",
            "ndicator role",
            "title added",
            "active related",
            "pulses url",
            "showing",
            "entries",
            "pulses http",
            "url https",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "report spam",
            "author avatar",
            "created",
            "hour ago",
            "trojanspy",
            "redline",
            "pulses hostname",
            "blacklist https",
            "indicator role",
            "bidid",
            "adid",
            "v4us",
            "v51845481",
            "hostname",
            "http",
            "cisco",
            "umbrella rank",
            "search live",
            "api blog",
            "docs pricing",
            "november",
            "de summary",
            "frankfurt",
            "main",
            "reverse dns",
            "general full",
            "asn16509",
            "amazon02",
            "resource",
            "protocol h2",
            "security tls",
            "hash",
            "de indicators",
            "domains",
            "hashes",
            "copyright",
            "gmbh version",
            "follow",
            "value",
            "postitem",
            "variables",
            "parameters",
            "systemid object",
            "def function",
            "login",
            "get h2",
            "secrets llc",
            "agreement",
            "the site",
            "content",
            "policy",
            "this site",
            "claims",
            "florida",
            "please",
            "premium",
            "service",
            "restrict",
            "express",
            "media",
            "facebook",
            "twitter",
            "final",
            "first",
            "cloudflarenet",
            "gts ca",
            "software",
            "million",
            "hours ago",
            "chameleon",
            "heur",
            "phishing",
            "riskware",
            "agent",
            "unsafe",
            "opencandy",
            "exploit",
            "mimikatz",
            "iframe",
            "downldr",
            "presenoker",
            "artemis",
            "download",
            "beach research",
            "germany",
            "asn20940",
            "akamaiasn1",
            "threat report",
            "url summary",
            "summary",
            "sample",
            "samples",
            "detection list",
            "alexa",
            "maltiverse",
            "google",
            "qtsas",
            "name value",
            "no data",
            "tag count",
            "count blacklist",
            "pbiptbmvd0k4",
            "glelexoputyh",
            "suppobox",
            "team",
            "bambernek",
            "internet storm",
            "phishtank",
            "phish",
            "trickbot",
            "telecom",
            "bank",
            "ipv4",
            "octoseek report",
            "spam https",
            "tsara brashears",
            "malvertizing",
            "tracking",
            "tagging",
            "spyder",
            "cybercrime",
            "email collection",
            "apple data collection",
            "win32 exe",
            "ms word",
            "document",
            "type name",
            "javascript",
            "network capture",
            "files",
            "detections type",
            "name",
            "ssl certificate",
            "whois whois",
            "tsara brashears",
            "whois record",
            "asn owner",
            "highly targeted",
            "kgs0",
            "kls0",
            "relacionada",
            "family",
            "lolkek",
            "emotet",
            "dark power",
            "wiper",
            "ransomware",
            "cobalt strike",
            "quasar rat",
            "ursnif",
            "remcos",
            "core",
            "redline stealer",
            "bitrat",
            "hacktool",
            "critical",
            "copy",
            "installer",
            "execution",
            "network",
            "communicating",
            "referrer",
            "parent",
            "historical ssl",
            "siblings",
            "resolutions",
            "name verdict",
            "falcon sandbox",
            "pattern match",
            "error",
            "file",
            "indicator",
            "script",
            "typeof e",
            "ascii text",
            "appdata",
            "date",
            "windir",
            "span",
            "body",
            "meta",
            "class",
            "generator",
            "info",
            "null",
            "refresh",
            "hybrid",
            "general",
            "local",
            "click",
            "strings",
            "tools",
            "look",
            "verify",
            "restart",
            "form",
            "footer",
            "html",
            "union",
            "outbreak",
            "downer",
            "shell",
            "mediamagnet",
            "sality",
            "swrort",
            "adaptivebee",
            "unruy",
            "iobit",
            "dropper",
            "trojanx",
            "installcore",
            "webshell",
            "crack",
            "webtoolbar",
            "threat roundup",
            "contacted",
            "june",
            "july",
            "october",
            "august"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Beach Research",
              "display_name": "Beach Research",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [
            "Health",
            "Nutritional",
            "Medical",
            "Medicine"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 102,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 400,
            "FileHash-SHA1": 240,
            "FileHash-SHA256": 6459,
            "hostname": 4845,
            "URL": 11514,
            "CVE": 15,
            "domain": 3179,
            "email": 31
          },
          "indicator_count": 26683,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "855 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING",
        "https://www.norad.mil/   [tracking]",
        "http://45.159.189.105/bot/regex | http://46.109.184.5/search.htm | http://acycseiiqsau.org/ | emsbk.innocraft.cloud  | jenkins.devnautiluscloud.net |",
        "\"Malware Behavior Catalog Tree:  Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102",
        "Title Salzburg Airport | Public Operations Display Portal  | http://quantum.emsbk.com/",
        "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083",
        "beacons.bcp.gvt.com   [tracking]",
        "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]",
        "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory",
        "https://softwaremill.com/grpc-vs-rest/",
        "tulach.cc.     [Malevolent | Modified description]",
        "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system",
        "http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr",
        "CnC IP's: 104.200.21.37 | 106.14.226.91 | 192.187.111.221 | 198.58.118.167 | 208.100.26.245 |  34.174.78.212",
        "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs",
        "https://www.apple.com/qtactivex/qtplugin.cab   [https://www.icloud.com .cab]",
        "https://www.reddit.com/user",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected",
        "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
        "114.114.114.114  [Tulach | Virus Network IP]",
        "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/   http://www.appleid-secure22.serveirc.com/ serviceirc.com",
        "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply",
        "http://schoolcare.dyndns.org/soap/ISCKeyUpdater",
        "https://seedbeej.pk/tin/index.php?QBOT.zip.  [Qbot zip]",
        "\"Dataset actions - System Property Lookups:  Execution OB0012  F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005",
        "lyvyxor.com             [command_and_control]",
        "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows",
        "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]",
        "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001",
        "\"Dataset actions -System Property Lookups: IIWbemServices::Connect",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort",
        "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com",
        "djcodychase.com",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "https://www.milehighmedia.com/legal/2257",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2",
        "https://tulach.cc/ [phishing, exploits, malware spreader]",
        "galyqaz.com            [command_and_control]",
        "s3.amazonaws.com   [Virut Tsara Brashears Botnetwork | Modified description]",
        "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API",
        "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
        "hostmaster.hostmaster.hostmaster.cartography.midst.co.uk | message.htm.com | quantum.emsbk.com http://cms.static.hw.famedownload.com/famedigital/m/",
        "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083",
        "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004",
        "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017",
        "www.apple.com  [API property call]",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]",
        "Apple Issues:\tapp-appleid.serveirc.com  appleid-appleus.serveirc.com  appleidapple.serveirc.com   apples-uncek.serveirc.com",
        "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation",
        "Apple Issues: http://www.appleid-supporthelp.serveirc.com/   http://www.appleids-security.serveirc.com/",
        "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days",
        "\"Malware Behavior Catalog Tree: Create 00001807  Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001",
        "https://tulach.cc/  [Botnet phishing]",
        "gadyniw.com          [command_and_control]",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)",
        "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]",
        "puzylyp.com           [command_and_control]",
        "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists",
        "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021",
        "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query",
        "yesporn.fun",
        "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]",
        "malicious.high.ml   [dropper]",
        "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value",
        "https://nsa.gov1.info/utah-data-center",
        "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus",
        "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007",
        "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB ,  Backdoor:Linux/Setag!rfn ,  Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn",
        "https://www.reddit.com/user [honeypot]",
        "https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-threats/mumblehard-botnet-that-targeted-linux-systems-has-been-shut-down Source Trend",
        "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn ,  ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt",
        "198.54.115.46            [exploit_source]",
        "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"",
        "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/  http://www.appleid-lockid.serveirc.com/  http://www.appleid-seccure23.serveirc.com/",
        "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer",
        "http://cms.static.hw.famedownload.com/famedigital/m/1b6j9enlerq8k4g8/header-big8.jpg",
        "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007",
        "Yara Detections: Delphi",
        "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)",
        "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293",
        "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007",
        "go.sabey.com | sabey.com | smear.cloud | w1.voyeurweb.com | Never stops...",
        "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658",
        "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry",
        "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows",
        "gahyqah.com          [command_and_control]",
        "\"Malware Behavior Catalog Tree:  Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059",
        "http://114.114.114.114:90/p/cdbdd4a09a64909694281aec503746fd/mobile_index.html?MTE0LjExNC4xMTQuMTE0L2xvZ2luP2hhc19vcmlfdXJp [Tulach | Malicious]",
        "Cookies AWSALB h0mLG52+gDNUdBHb468xx6EZCua7FVRvlZWH7URKSKV27WSs637El46CBcw8RmPBxIAT2jqmmByDbnMIsYobUWhWbNadYFsxVQk/gVDcDfdixV/5aQn0VRon9gXO",
        "www.norad.mil   [tracking]",
        "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm",
        "http://callenjoy.net/index.php | watchhers.net | emails.redvue.com | nexus.devnautiluscloud.net | http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len",
        "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02",
        "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023",
        "Apple Issues:\tcheckapple.com http://www.checkapple.com/  https://bincc.xyz/bin-apple-music-1month-apple-tv-7days  apple-marketing.com",
        "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
        "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)",
        "*otc.greatcall.com    [Botnetwork]",
        "Part II -Some users OTX accounts connected to the following | Unexpected revelation |",
        "https://seedbeej.pk/tin/index.php?QBOT.zip",
        "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32",
        "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A",
        "https://tulach.cc/ [phishing]",
        "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003",
        "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
        "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "Qbot"
          ],
          "malware_families": [
            "Bambernek",
            "Qakbot",
            "Dorkbot",
            "Sality",
            "Swrort",
            "Quasar",
            "Artemis",
            "Hawkeye",
            "Adaptivebee",
            "Win.dropper.xtremerat-7708589-0",
            "Maltiverse",
            "Plasma rat",
            "Trojanspy:win32/nivdort",
            "#lowfi:lua:autoitv3craftedoverlay",
            "Iobit",
            "Bondat",
            "Pykspa",
            "Malware",
            "Worm:win32/mofksys.rnd!mtb",
            "Trojan:win32/floxif.e",
            "Azorult",
            "Virut",
            "Pony",
            "Androidoverlaymalware - mob-s0012",
            "Formbook",
            "Hydra",
            "Virtool:win32/injector.gen!bq",
            "Babar",
            "Zbot",
            "Dropper.generic_r.ec",
            "Trojanx",
            "Simda",
            "Redline stealer",
            "Solar",
            "Ascii",
            "Ramnit",
            "Alf:heraklezeval:trojan:win32/ymacco.aa47",
            "Zeus",
            "Trojanspy:win32/nivdort.cw",
            "Kraken",
            "Adware.adload/adinstaller",
            "Infy",
            "Hidelink",
            "Alinaos",
            "Beach research",
            "Vawtrak",
            "Inno:downloader-j [pup]",
            "#virtool:win32/obfuscator.adb",
            "Virtool:win32/injector",
            "Mediamagnet",
            "Worm:win32/benjamin",
            "Betabot",
            "Trojan:win32/zombie",
            "Trojandropper:win32/muldrop",
            "Adware:win32/adload.0e19dea6",
            "Andromeda",
            "Dexter",
            "Pup/win32.bundler.r1865",
            "Emotet",
            "Citadel",
            "Covid19",
            "Spyeye",
            "Backdoor:linux/mumblehard",
            "Pinkslipbot",
            "Crypt3.bwvy",
            "Win32:malware-gen",
            "Gregory",
            "Xrat",
            "Matsnu",
            "Blacknet",
            "Cutwail",
            "Ransomware",
            "Alf:trojan:win32/zbot",
            "Trojanspy",
            "Slingshot",
            "Grandcrab",
            "Alf:cert:bandoo",
            "Tulach malware",
            "Tulach",
            "Tofsee",
            "Nsis",
            "Nymaim",
            "Roblox",
            "Suppobox",
            "Cobalt strike",
            "Webtoolbar",
            "Neutrino",
            "Win.packed.razy-9828382-0",
            "Artro",
            "Athena",
            "Trojan:win32/glupteba.mt!mtb",
            "Unruy",
            "Installcore",
            "Hacktool",
            "Vskimmer",
            "Spitmo"
          ],
          "industries": [
            "Nutritional",
            "Financial",
            "Civil society",
            "Technology",
            "Health",
            "Medicine",
            "Civilian society",
            "Telecommunications",
            "Medical"
          ],
          "unique_indicators": 142472
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/gitcloudcache.com",
    "whois": "http://whois.domaintools.com/gitcloudcache.com",
    "domain": "gitcloudcache.com",
    "hostname": "www.gitcloudcache.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 25,
  "pulses": [
    {
      "id": "688c8526be7a4df33863b5c5",
      "name": "VirusTotal - Shiz.ivr",
      "description": "*Win.Trojan.Shiz.ivr\n*PWS:Win32/Simda.D\n*virtool #injection#infostealer #network #cnc #block_not #virustotal_google #cnc #checking #procmem_yara\n#injection_inter_process\n#injection_create_remote_thread\n#antidebug_windows\n#multiple_useragents\n#network_fake_useragent\n#persistence_autorun\n#cape_detected_threat\n#antiav_detectfile\n#modify_proxy\n#deletes_self\n#infostealer_cookies\n#injection_createremotethread\n#suricata_alert\n~ vashti",
      "modified": "2025-08-31T08:01:04.297000",
      "created": "2025-08-01T09:13:10.510000",
      "tags": [
        "dynamicloader",
        "unknown",
        "msie",
        "windows nt",
        "slcc2",
        "media center",
        "suspicious",
        "search",
        "high",
        "show",
        "copy",
        "possible",
        "write",
        "internal",
        "malware",
        "push",
        "local",
        "next",
        "contacted",
        "domains",
        "pulses",
        "related tags",
        "file type",
        "date april",
        "pm size",
        "sha1 sha256",
        "imphash pehash",
        "virustotal api",
        "bq jul",
        "united",
        "trojan",
        "backdoor",
        "virtool",
        "cnc beacon",
        "entries",
        "path max",
        "passive dns",
        "next associated",
        "cookie",
        "twitter",
        "body",
        "date",
        "medium",
        "simda",
        "global"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1063",
          "name": "Security Software Discovery",
          "display_name": "T1063 - Security Software Discovery"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 10303,
        "hostname": 1413,
        "FileHash-SHA256": 1868,
        "domain": 1877,
        "FileHash-MD5": 357,
        "FileHash-SHA1": 348,
        "SSLCertFingerprint": 2
      },
      "indicator_count": 16168,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 145,
      "modified_text": "232 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66bb7f69cd76278113c22968",
      "name": "Remote | Inject | Access Token Manipulation | Jeffrey Reimer DPT Tsara Brashears Yandex Attack",
      "description": "Targets devices injected with extremely malicious URLs. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well-known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target.  Countless porn sites posted w/victim's name appearing heaviest in Yandex, moderately heavy in Google. Killed target's YouTube channel. Heavy use in victim's Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
      "modified": "2024-10-11T00:04:00.735000",
      "created": "2024-08-13T15:44:41.449000",
      "tags": [
        "ip addresses",
        "luna moth",
        "campaign",
        "norad tracking",
        "ipdomain",
        "investigation",
        "hr rtd",
        "hallrender",
        "brian sabey",
        "heuristic",
        "referrer",
        "pe resource",
        "first",
        "utc submissions",
        "submitters",
        "solutions",
        "namesilo",
        "amazon02",
        "digitaloceanasn",
        "limited",
        "aschoopa",
        "ovh sas",
        "generator",
        "data",
        "v3 serial",
        "number",
        "issuer",
        "everywhere dv",
        "tls ca",
        "g1 odigicert",
        "validity",
        "subject public",
        "key info",
        "date",
        "server",
        "email",
        "code",
        "registrar abuse",
        "registrar url",
        "whois lookup",
        "admin city",
        "admin country",
        "cn admin",
        "office open",
        "xml spreadsheet",
        "detections type",
        "name",
        "dns replication",
        "iana id",
        "contact phone",
        "dnssec",
        "domain status",
        "registrar whois",
        "historical ssl",
        "threat roundup",
        "october",
        "investigation c",
        "december",
        "september",
        "ngfw traffic",
        "malicious ip",
        "address",
        "raspberry robin",
        "stealer",
        "creation date",
        "passive dns",
        "urls",
        "search",
        "name servers",
        "status",
        "showing",
        "all scoreblue",
        "unknown",
        "next",
        "as47846",
        "germany unknown",
        "as44273 host",
        "united",
        "as12876 online",
        "domain",
        "cve-2016-2569",
        "yodaprot",
        "xorcrypt",
        "yoda",
        "aspack",
        "yara detections",
        "intel",
        "comments",
        "show",
        "productversion",
        "inno setup",
        "invalid",
        "format",
        "invalid variant",
        "delphi",
        "stack",
        "error",
        "iniciar download setup",
        "gui",
        "application/octet-stream",
        "tsara brashears",
        "targets",
        "cve-2017-0199",
        "aspack",
        "contains-pe",
        "contains-elf",
        "bobsoft",
        "cve-2010-3333",
        "contains-embedded-js",
        "cve-2014-3931",
        "cve-2017-11882",
        "adware.adload/adinstaller",
        "win32processor",
        "information",
        "flow t1574",
        "dll sideloading",
        "reads",
        "downloads",
        "win32process",
        "t1055 spawns",
        "access token",
        "modify access",
        "files",
        "catalog tree",
        "analysis ob0001",
        "b0001 process",
        "b0003 delayed",
        "analysis ob0002",
        "evasion ob0006",
        "self deletion",
        "f0007 discovery",
        "ob0007 analysis",
        "dead",
        "cybercrime",
        "cyber criminal group",
        "dynamicloader",
        "high",
        "medium",
        "trojan",
        "less see",
        "contacted",
        "yara rule",
        "installs",
        "windows",
        "windows startup",
        "february",
        "copy",
        "as14061",
        "as16276",
        "canada unknown",
        "united kingdom",
        "as63949 linode",
        "as202053",
        "finland unknown",
        "aaaa",
        "get http",
        "request",
        "windows nt",
        "khtml",
        "gecko",
        "wow64",
        "host",
        "connection",
        "cus cndigicert",
        "ca1 odigicert",
        "win32",
        "win64",
        "accept",
        "dataset",
        "system property",
        "lookups",
        "select family",
        "userprofile",
        "temp",
        "samplepath",
        "user",
        "runtime modules",
        "modules",
        "programfiles",
        "windir",
        "datacrashpad",
        "k netsvcs",
        "s ngcctnrsvc",
        "nameweb bvba",
        "domains",
        "csc corporate",
        "registrarsafe",
        "registrar",
        "namecheap inc",
        "nameweb",
        "win32 exe",
        "detections file",
        "win32 dll",
        "ip detections",
        "country",
        "highly targeted",
        "problems",
        "sneaky server",
        "replacement",
        "unauthorized",
        "high level",
        "hackers",
        "unknown win",
        "agent tesla",
        "worm",
        "formbook",
        "startpage",
        "dead drop resolver",
        "nxdomain",
        "ns nxdomain",
        "scan endpoints",
        "all search",
        "otx scoreblue",
        "pulse pulses",
        "hostname",
        "files ip",
        "address domain",
        "div div",
        "a li",
        "p div",
        "read more",
        "a div",
        "bq aug",
        "script script",
        "path max",
        "age86400 set",
        "cookie",
        "entries",
        "trojandropper",
        "body",
        "trojan features",
        "related pulses",
        "file samples",
        "files matching",
        "date hash",
        "copyright",
        "virtool",
        "trojanspy",
        "hashes c2ae",
        "capa",
        "cape sandbox",
        "moves",
        "tencent habo",
        "zenbox",
        "tls rsa",
        "sha256",
        "inc subject",
        "global g2",
        "odigicert inc",
        "cndigicert sha2",
        "high assurance",
        "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl",
        "javascripts",
        "iframes",
        "embedded",
        "x sucuri",
        "cookie policy",
        "jeffrey scott reimer dpt",
        "toni braxton",
        "police",
        "fbi va",
        "loudon county",
        "ashburn va",
        "douglas co",
        "douglas co sheriff",
        "sheriff",
        "justin bieber",
        "swipper",
        "cape"
      ],
      "references": [
        "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net",
        "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
        "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)",
        "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply",
        "Yara Detections: Delphi",
        "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003",
        "\"Malware Behavior Catalog Tree:  Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102",
        "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02",
        "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007",
        "\"Malware Behavior Catalog Tree:  Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059",
        "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007",
        "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001",
        "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083",
        "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023",
        "\"Dataset actions -System Property Lookups: IIWbemServices::Connect",
        "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
        "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
        "\"Dataset actions - System Property Lookups:  Execution OB0012  F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005",
        "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus",
        "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com",
        "Apple Issues:\tcheckapple.com http://www.checkapple.com/  https://bincc.xyz/bin-apple-music-1month-apple-tv-7days  apple-marketing.com",
        "Apple Issues:\tapp-appleid.serveirc.com  appleid-appleus.serveirc.com  appleidapple.serveirc.com   apples-uncek.serveirc.com",
        "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/  http://www.appleid-lockid.serveirc.com/  http://www.appleid-seccure23.serveirc.com/",
        "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/   http://www.appleid-secure22.serveirc.com/ serviceirc.com",
        "Apple Issues: http://www.appleid-supporthelp.serveirc.com/   http://www.appleids-security.serveirc.com/",
        "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days",
        "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort",
        "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A",
        "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB ,  Backdoor:Linux/Setag!rfn ,  Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn",
        "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn ,  ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt",
        "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048",
        "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007",
        "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017",
        "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004",
        "\"Malware Behavior Catalog Tree: Create 00001807  Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001",
        "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021",
        "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry",
        "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"",
        "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query",
        "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32",
        "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API",
        "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer",
        "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation",
        "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows",
        "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value",
        "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory",
        "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows",
        "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path",
        "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system",
        "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists",
        "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Netherlands",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "PUP/Win32.Bundler.R1865",
          "display_name": "PUP/Win32.Bundler.R1865",
          "target": null
        },
        {
          "id": "Inno:Downloader-J [PUP]",
          "display_name": "Inno:Downloader-J [PUP]",
          "target": null
        },
        {
          "id": "AdWare:Win32/AdLoad.0e19dea6",
          "display_name": "AdWare:Win32/AdLoad.0e19dea6",
          "target": "/malware/AdWare:Win32/AdLoad.0e19dea6"
        },
        {
          "id": "Adware.Adload/Adinstaller",
          "display_name": "Adware.Adload/Adinstaller",
          "target": null
        },
        {
          "id": "Win.Packed.Razy-9828382-0",
          "display_name": "Win.Packed.Razy-9828382-0",
          "target": null
        },
        {
          "id": "VirTool:Win32/Injector",
          "display_name": "VirTool:Win32/Injector",
          "target": "/malware/VirTool:Win32/Injector"
        },
        {
          "id": "Trojan:Win32/Zombie",
          "display_name": "Trojan:Win32/Zombie",
          "target": "/malware/Trojan:Win32/Zombie"
        },
        {
          "id": "TrojanDropper:Win32/Muldrop",
          "display_name": "TrojanDropper:Win32/Muldrop",
          "target": "/malware/TrojanDropper:Win32/Muldrop"
        },
        {
          "id": "TrojanSpy:Win32/Nivdort",
          "display_name": "TrojanSpy:Win32/Nivdort",
          "target": "/malware/TrojanSpy:Win32/Nivdort"
        },
        {
          "id": "Trojan:Win32/Glupteba.MT!MTB",
          "display_name": "Trojan:Win32/Glupteba.MT!MTB",
          "target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
        }
      ],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1529",
          "name": "System Shutdown/Reboot",
          "display_name": "T1529 - System Shutdown/Reboot"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1614",
          "name": "System Location Discovery",
          "display_name": "T1614 - System Location Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1472",
          "name": "Generate Fraudulent Advertising Revenue",
          "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
        },
        {
          "id": "T1448",
          "name": "Carrier Billing Fraud",
          "display_name": "T1448 - Carrier Billing Fraud"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1516",
          "name": "Input Injection",
          "display_name": "T1516 - Input Injection"
        },
        {
          "id": "T1221",
          "name": "Template Injection",
          "display_name": "T1221 - Template Injection"
        }
      ],
      "industries": [
        "Technology",
        "Civilian Society"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 35,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1402,
        "FileHash-SHA1": 1366,
        "FileHash-SHA256": 6457,
        "URL": 6175,
        "domain": 1418,
        "hostname": 2288,
        "CVE": 10,
        "email": 6
      },
      "indicator_count": 19122,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 225,
      "modified_text": "556 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66bb7bf15d571906a0a5e1a3",
      "name": "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
      "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target.  Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
      "modified": "2024-10-11T00:04:00.735000",
      "created": "2024-08-13T15:29:53.002000",
      "tags": [
        "ip addresses",
        "luna moth",
        "campaign",
        "norad tracking",
        "ipdomain",
        "investigation",
        "hr rtd",
        "hallrender",
        "brian sabey",
        "heuristic",
        "referrer",
        "pe resource",
        "first",
        "utc submissions",
        "submitters",
        "solutions",
        "namesilo",
        "amazon02",
        "digitaloceanasn",
        "limited",
        "aschoopa",
        "ovh sas",
        "generator",
        "data",
        "v3 serial",
        "number",
        "issuer",
        "everywhere dv",
        "tls ca",
        "g1 odigicert",
        "validity",
        "subject public",
        "key info",
        "date",
        "server",
        "email",
        "code",
        "registrar abuse",
        "registrar url",
        "whois lookup",
        "admin city",
        "admin country",
        "cn admin",
        "office open",
        "xml spreadsheet",
        "detections type",
        "name",
        "dns replication",
        "iana id",
        "contact phone",
        "dnssec",
        "domain status",
        "registrar whois",
        "historical ssl",
        "threat roundup",
        "october",
        "investigation c",
        "december",
        "september",
        "ngfw traffic",
        "malicious ip",
        "address",
        "raspberry robin",
        "stealer",
        "creation date",
        "passive dns",
        "urls",
        "search",
        "name servers",
        "status",
        "showing",
        "all scoreblue",
        "unknown",
        "next",
        "as47846",
        "germany unknown",
        "as44273 host",
        "united",
        "as12876 online",
        "domain",
        "cve-2016-2569",
        "yodaprot",
        "xorcrypt",
        "yoda",
        "aspack",
        "yara detections",
        "intel",
        "comments",
        "show",
        "productversion",
        "inno setup",
        "invalid",
        "format",
        "invalid variant",
        "delphi",
        "stack",
        "error",
        "iniciar download setup",
        "gui",
        "application/octet-stream",
        "tsara brashears",
        "targets",
        "cve-2017-0199",
        "aspack",
        "contains-pe",
        "contains-elf",
        "bobsoft",
        "cve-2010-3333",
        "contains-embedded-js",
        "cve-2014-3931",
        "cve-2017-11882",
        "adware.adload/adinstaller",
        "win32processor",
        "information",
        "flow t1574",
        "dll sideloading",
        "reads",
        "downloads",
        "win32process",
        "t1055 spawns",
        "access token",
        "modify access",
        "files",
        "catalog tree",
        "analysis ob0001",
        "b0001 process",
        "b0003 delayed",
        "analysis ob0002",
        "evasion ob0006",
        "self deletion",
        "f0007 discovery",
        "ob0007 analysis",
        "dead",
        "cybercrime",
        "cyber criminal group",
        "dynamicloader",
        "high",
        "medium",
        "trojan",
        "less see",
        "contacted",
        "yara rule",
        "installs",
        "windows",
        "windows startup",
        "february",
        "copy",
        "as14061",
        "as16276",
        "canada unknown",
        "united kingdom",
        "as63949 linode",
        "as202053",
        "finland unknown",
        "aaaa",
        "get http",
        "request",
        "windows nt",
        "khtml",
        "gecko",
        "wow64",
        "host",
        "connection",
        "cus cndigicert",
        "ca1 odigicert",
        "win32",
        "win64",
        "accept",
        "dataset",
        "system property",
        "lookups",
        "select family",
        "userprofile",
        "temp",
        "samplepath",
        "user",
        "runtime modules",
        "modules",
        "programfiles",
        "windir",
        "datacrashpad",
        "k netsvcs",
        "s ngcctnrsvc",
        "nameweb bvba",
        "domains",
        "csc corporate",
        "registrarsafe",
        "registrar",
        "namecheap inc",
        "nameweb",
        "win32 exe",
        "detections file",
        "win32 dll",
        "ip detections",
        "country",
        "highly targeted",
        "problems",
        "sneaky server",
        "replacement",
        "unauthorized",
        "high level",
        "hackers",
        "unknown win",
        "agent tesla",
        "worm",
        "formbook",
        "startpage",
        "dead drop resolver",
        "nxdomain",
        "ns nxdomain",
        "scan endpoints",
        "all search",
        "otx scoreblue",
        "pulse pulses",
        "hostname",
        "files ip",
        "address domain",
        "div div",
        "a li",
        "p div",
        "read more",
        "a div",
        "bq aug",
        "script script",
        "path max",
        "age86400 set",
        "cookie",
        "entries",
        "trojandropper",
        "body",
        "trojan features",
        "related pulses",
        "file samples",
        "files matching",
        "date hash",
        "copyright",
        "virtool",
        "trojanspy",
        "hashes c2ae",
        "capa",
        "cape sandbox",
        "moves",
        "tencent habo",
        "zenbox",
        "tls rsa",
        "sha256",
        "inc subject",
        "global g2",
        "odigicert inc",
        "cndigicert sha2",
        "high assurance",
        "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl",
        "javascripts",
        "iframes",
        "embedded",
        "x sucuri",
        "cookie policy",
        "jeffrey scott reimer dpt",
        "toni braxton",
        "police",
        "fbi va",
        "loudon county",
        "ashburn va",
        "douglas co",
        "douglas co sheriff",
        "sheriff",
        "justin bieber",
        "swipper"
      ],
      "references": [
        "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net",
        "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
        "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)",
        "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply",
        "Yara Detections: Delphi",
        "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003",
        "\"Malware Behavior Catalog Tree:  Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102",
        "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02",
        "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007",
        "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083",
        "\"Malware Behavior Catalog Tree:  Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059",
        "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007",
        "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001",
        "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083",
        "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023",
        "\"Dataset actions -System Property Lookups: IIWbemServices::Connect",
        "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
        "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
        "\"Dataset actions - System Property Lookups:  Execution OB0012  F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005",
        "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus",
        "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com",
        "Apple Issues:\tcheckapple.com http://www.checkapple.com/  https://bincc.xyz/bin-apple-music-1month-apple-tv-7days  apple-marketing.com",
        "Apple Issues:\tapp-appleid.serveirc.com  appleid-appleus.serveirc.com  appleidapple.serveirc.com   apples-uncek.serveirc.com",
        "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/  http://www.appleid-lockid.serveirc.com/  http://www.appleid-seccure23.serveirc.com/",
        "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/   http://www.appleid-secure22.serveirc.com/ serviceirc.com",
        "Apple Issues: http://www.appleid-supporthelp.serveirc.com/   http://www.appleids-security.serveirc.com/",
        "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days",
        "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort",
        "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A",
        "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB ,  Backdoor:Linux/Setag!rfn ,  Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn",
        "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn ,  ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt",
        "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048",
        "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007",
        "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017",
        "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004",
        "\"Malware Behavior Catalog Tree: Create 00001807  Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001",
        "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021",
        "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry",
        "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"",
        "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query",
        "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32",
        "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API",
        "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer",
        "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation",
        "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows",
        "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value",
        "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory",
        "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows",
        "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path",
        "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system",
        "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists",
        "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Netherlands",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "PUP/Win32.Bundler.R1865",
          "display_name": "PUP/Win32.Bundler.R1865",
          "target": null
        },
        {
          "id": "Inno:Downloader-J [PUP]",
          "display_name": "Inno:Downloader-J [PUP]",
          "target": null
        },
        {
          "id": "AdWare:Win32/AdLoad.0e19dea6",
          "display_name": "AdWare:Win32/AdLoad.0e19dea6",
          "target": "/malware/AdWare:Win32/AdLoad.0e19dea6"
        },
        {
          "id": "Adware.Adload/Adinstaller",
          "display_name": "Adware.Adload/Adinstaller",
          "target": null
        },
        {
          "id": "Win.Packed.Razy-9828382-0",
          "display_name": "Win.Packed.Razy-9828382-0",
          "target": null
        },
        {
          "id": "VirTool:Win32/Injector",
          "display_name": "VirTool:Win32/Injector",
          "target": "/malware/VirTool:Win32/Injector"
        },
        {
          "id": "Trojan:Win32/Zombie",
          "display_name": "Trojan:Win32/Zombie",
          "target": "/malware/Trojan:Win32/Zombie"
        },
        {
          "id": "TrojanDropper:Win32/Muldrop",
          "display_name": "TrojanDropper:Win32/Muldrop",
          "target": "/malware/TrojanDropper:Win32/Muldrop"
        },
        {
          "id": "TrojanSpy:Win32/Nivdort",
          "display_name": "TrojanSpy:Win32/Nivdort",
          "target": "/malware/TrojanSpy:Win32/Nivdort"
        },
        {
          "id": "Trojan:Win32/Glupteba.MT!MTB",
          "display_name": "Trojan:Win32/Glupteba.MT!MTB",
          "target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
        }
      ],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1529",
          "name": "System Shutdown/Reboot",
          "display_name": "T1529 - System Shutdown/Reboot"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1614",
          "name": "System Location Discovery",
          "display_name": "T1614 - System Location Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1472",
          "name": "Generate Fraudulent Advertising Revenue",
          "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
        },
        {
          "id": "T1448",
          "name": "Carrier Billing Fraud",
          "display_name": "T1448 - Carrier Billing Fraud"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1516",
          "name": "Input Injection",
          "display_name": "T1516 - Input Injection"
        },
        {
          "id": "T1221",
          "name": "Template Injection",
          "display_name": "T1221 - Template Injection"
        }
      ],
      "industries": [
        "Technology",
        "Civilian Society"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 34,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1402,
        "FileHash-SHA1": 1366,
        "FileHash-SHA256": 6457,
        "URL": 6175,
        "domain": 1418,
        "hostname": 2288,
        "CVE": 10,
        "email": 6
      },
      "indicator_count": 19122,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 227,
      "modified_text": "556 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66bb7bdba31f4d175b19d1ef",
      "name": "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
      "description": "Targets devices injected with extremely malicious URLs. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well-known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target. Countless porn sites posted w/ victim's name appearing heaviest in Yandex, moderately heavy in Google. Killed target's YouTube channel. Heavy use in victim's Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
      "modified": "2024-10-11T00:04:00.735000",
      "created": "2024-08-13T15:29:31.899000",
      "tags": [
        "ip addresses",
        "luna moth",
        "campaign",
        "norad tracking",
        "ipdomain",
        "investigation",
        "hr rtd",
        "hallrender",
        "brian sabey",
        "heuristic",
        "referrer",
        "pe resource",
        "first",
        "utc submissions",
        "submitters",
        "solutions",
        "namesilo",
        "amazon02",
        "digitaloceanasn",
        "limited",
        "aschoopa",
        "ovh sas",
        "generator",
        "data",
        "v3 serial",
        "number",
        "issuer",
        "everywhere dv",
        "tls ca",
        "g1 odigicert",
        "validity",
        "subject public",
        "key info",
        "date",
        "server",
        "email",
        "code",
        "registrar abuse",
        "registrar url",
        "whois lookup",
        "admin city",
        "admin country",
        "cn admin",
        "office open",
        "xml spreadsheet",
        "detections type",
        "name",
        "dns replication",
        "iana id",
        "contact phone",
        "dnssec",
        "domain status",
        "registrar whois",
        "historical ssl",
        "threat roundup",
        "october",
        "investigation c",
        "december",
        "september",
        "ngfw traffic",
        "malicious ip",
        "address",
        "raspberry robin",
        "stealer",
        "creation date",
        "passive dns",
        "urls",
        "search",
        "name servers",
        "status",
        "showing",
        "all scoreblue",
        "unknown",
        "next",
        "as47846",
        "germany unknown",
        "as44273 host",
        "united",
        "as12876 online",
        "domain",
        "cve-2016-2569",
        "yodaprot",
        "xorcrypt",
        "yoda",
        "aspack",
        "yara detections",
        "intel",
        "comments",
        "show",
        "productversion",
        "inno setup",
        "invalid",
        "format",
        "invalid variant",
        "delphi",
        "stack",
        "error",
        "iniciar download setup",
        "gui",
        "application/octet-stream",
        "tsara brashears",
        "targets",
        "cve-2017-0199",
        "aspack",
        "contains-pe",
        "contains-elf",
        "bobsoft",
        "cve-2010-3333",
        "contains-embedded-js",
        "cve-2014-3931",
        "cve-2017-11882",
        "adware.adload/adinstaller",
        "win32processor",
        "information",
        "flow t1574",
        "dll sideloading",
        "reads",
        "downloads",
        "win32process",
        "t1055 spawns",
        "access token",
        "modify access",
        "files",
        "catalog tree",
        "analysis ob0001",
        "b0001 process",
        "b0003 delayed",
        "analysis ob0002",
        "evasion ob0006",
        "self deletion",
        "f0007 discovery",
        "ob0007 analysis",
        "dead",
        "cybercrime",
        "cyber criminal group",
        "dynamicloader",
        "high",
        "medium",
        "trojan",
        "less see",
        "contacted",
        "yara rule",
        "installs",
        "windows",
        "windows startup",
        "february",
        "copy",
        "as14061",
        "as16276",
        "canada unknown",
        "united kingdom",
        "as63949 linode",
        "as202053",
        "finland unknown",
        "aaaa",
        "get http",
        "request",
        "windows nt",
        "khtml",
        "gecko",
        "wow64",
        "host",
        "connection",
        "cus cndigicert",
        "ca1 odigicert",
        "win32",
        "win64",
        "accept",
        "dataset",
        "system property",
        "lookups",
        "select family",
        "userprofile",
        "temp",
        "samplepath",
        "user",
        "runtime modules",
        "modules",
        "programfiles",
        "windir",
        "datacrashpad",
        "k netsvcs",
        "s ngcctnrsvc",
        "nameweb bvba",
        "domains",
        "csc corporate",
        "registrarsafe",
        "registrar",
        "namecheap inc",
        "nameweb",
        "win32 exe",
        "detections file",
        "win32 dll",
        "ip detections",
        "country",
        "highly targeted",
        "problems",
        "sneaky server",
        "replacement",
        "unauthorized",
        "high level",
        "hackers",
        "unknown win",
        "agent tesla",
        "worm",
        "formbook",
        "startpage",
        "dead drop resolver",
        "nxdomain",
        "ns nxdomain",
        "scan endpoints",
        "all search",
        "otx scoreblue",
        "pulse pulses",
        "hostname",
        "files ip",
        "address domain",
        "div div",
        "a li",
        "p div",
        "read more",
        "a div",
        "bq aug",
        "script script",
        "path max",
        "age86400 set",
        "cookie",
        "entries",
        "trojandropper",
        "body",
        "trojan features",
        "related pulses",
        "file samples",
        "files matching",
        "date hash",
        "copyright",
        "virtool",
        "trojanspy",
        "hashes c2ae",
        "capa",
        "cape sandbox",
        "moves",
        "tencent habo",
        "zenbox",
        "tls rsa",
        "sha256",
        "inc subject",
        "global g2",
        "odigicert inc",
        "cndigicert sha2",
        "high assurance",
        "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl",
        "javascripts",
        "iframes",
        "embedded",
        "x sucuri",
        "cookie policy",
        "jeffrey scott reimer dpt",
        "toni braxton",
        "police",
        "fbi va",
        "loudon county",
        "ashburn va",
        "douglas co",
        "douglas co sheriff",
        "sheriff",
        "justin bieber",
        "swipper"
      ],
      "references": [
        "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net",
        "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
        "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)",
        "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply",
        "Yara Detections: Delphi",
        "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003",
        "\"Malware Behavior Catalog Tree:  Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102",
        "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02",
        "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007",
        "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083",
        "\"Malware Behavior Catalog Tree:  Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059",
        "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007",
        "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001",
        "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083",
        "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023",
        "\"Dataset actions -System Property Lookups: IIWbemServices::Connect",
        "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
        "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
        "\"Dataset actions - System Property Lookups:  Execution OB0012  F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005",
        "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus",
        "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com",
        "Apple Issues:\tcheckapple.com http://www.checkapple.com/  https://bincc.xyz/bin-apple-music-1month-apple-tv-7days  apple-marketing.com",
        "Apple Issues:\tapp-appleid.serveirc.com  appleid-appleus.serveirc.com  appleidapple.serveirc.com   apples-uncek.serveirc.com",
        "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/  http://www.appleid-lockid.serveirc.com/  http://www.appleid-seccure23.serveirc.com/",
        "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/   http://www.appleid-secure22.serveirc.com/ serviceirc.com",
        "Apple Issues: http://www.appleid-supporthelp.serveirc.com/   http://www.appleids-security.serveirc.com/",
        "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days",
        "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort",
        "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A",
        "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB ,  Backdoor:Linux/Setag!rfn ,  Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn",
        "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn ,  ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt",
        "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048",
        "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007",
        "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017",
        "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004",
        "\"Malware Behavior Catalog Tree: Create 00001807  Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001",
        "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021",
        "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry",
        "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"",
        "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query",
        "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32",
        "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API",
        "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer",
        "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation",
        "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows",
        "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value",
        "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory",
        "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows",
        "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path",
        "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system",
        "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists",
        "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Netherlands",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "PUP/Win32.Bundler.R1865",
          "display_name": "PUP/Win32.Bundler.R1865",
          "target": null
        },
        {
          "id": "Inno:Downloader-J [PUP]",
          "display_name": "Inno:Downloader-J [PUP]",
          "target": null
        },
        {
          "id": "AdWare:Win32/AdLoad.0e19dea6",
          "display_name": "AdWare:Win32/AdLoad.0e19dea6",
          "target": "/malware/AdWare:Win32/AdLoad.0e19dea6"
        },
        {
          "id": "Adware.Adload/Adinstaller",
          "display_name": "Adware.Adload/Adinstaller",
          "target": null
        },
        {
          "id": "Win.Packed.Razy-9828382-0",
          "display_name": "Win.Packed.Razy-9828382-0",
          "target": null
        },
        {
          "id": "VirTool:Win32/Injector",
          "display_name": "VirTool:Win32/Injector",
          "target": "/malware/VirTool:Win32/Injector"
        },
        {
          "id": "Trojan:Win32/Zombie",
          "display_name": "Trojan:Win32/Zombie",
          "target": "/malware/Trojan:Win32/Zombie"
        },
        {
          "id": "TrojanDropper:Win32/Muldrop",
          "display_name": "TrojanDropper:Win32/Muldrop",
          "target": "/malware/TrojanDropper:Win32/Muldrop"
        },
        {
          "id": "TrojanSpy:Win32/Nivdort",
          "display_name": "TrojanSpy:Win32/Nivdort",
          "target": "/malware/TrojanSpy:Win32/Nivdort"
        },
        {
          "id": "Trojan:Win32/Glupteba.MT!MTB",
          "display_name": "Trojan:Win32/Glupteba.MT!MTB",
          "target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
        }
      ],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1529",
          "name": "System Shutdown/Reboot",
          "display_name": "T1529 - System Shutdown/Reboot"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1614",
          "name": "System Location Discovery",
          "display_name": "T1614 - System Location Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1472",
          "name": "Generate Fraudulent Advertising Revenue",
          "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
        },
        {
          "id": "T1448",
          "name": "Carrier Billing Fraud",
          "display_name": "T1448 - Carrier Billing Fraud"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1516",
          "name": "Input Injection",
          "display_name": "T1516 - Input Injection"
        },
        {
          "id": "T1221",
          "name": "Template Injection",
          "display_name": "T1221 - Template Injection"
        }
      ],
      "industries": [
        "Technology",
        "Civilian Society"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 33,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1403,
        "FileHash-SHA1": 1367,
        "FileHash-SHA256": 6478,
        "URL": 6415,
        "domain": 1445,
        "hostname": 2408,
        "CVE": 10,
        "email": 6
      },
      "indicator_count": 19532,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 226,
      "modified_text": "556 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66bb7ac0b39138b588fa325b",
      "name": "Injection | Target devices affected. Connected to Notepad | Yandex| Brian Sabey & Associated",
      "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target.  Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
      "modified": "2024-10-11T00:04:00.735000",
      "created": "2024-08-13T15:24:48.834000",
      "tags": [
        "ip addresses",
        "luna moth",
        "campaign",
        "norad tracking",
        "ipdomain",
        "investigation",
        "hr rtd",
        "hallrender",
        "brian sabey",
        "heuristic",
        "referrer",
        "pe resource",
        "first",
        "utc submissions",
        "submitters",
        "solutions",
        "namesilo",
        "amazon02",
        "digitaloceanasn",
        "limited",
        "aschoopa",
        "ovh sas",
        "generator",
        "data",
        "v3 serial",
        "number",
        "issuer",
        "everywhere dv",
        "tls ca",
        "g1 odigicert",
        "validity",
        "subject public",
        "key info",
        "date",
        "server",
        "email",
        "code",
        "registrar abuse",
        "registrar url",
        "whois lookup",
        "admin city",
        "admin country",
        "cn admin",
        "office open",
        "xml spreadsheet",
        "detections type",
        "name",
        "dns replication",
        "iana id",
        "contact phone",
        "dnssec",
        "domain status",
        "registrar whois",
        "historical ssl",
        "threat roundup",
        "october",
        "investigation c",
        "december",
        "september",
        "ngfw traffic",
        "malicious ip",
        "address",
        "raspberry robin",
        "stealer",
        "creation date",
        "passive dns",
        "urls",
        "search",
        "name servers",
        "status",
        "showing",
        "all scoreblue",
        "unknown",
        "next",
        "as47846",
        "germany unknown",
        "as44273 host",
        "united",
        "as12876 online",
        "domain",
        "cve-2016-2569",
        "yodaprot",
        "xorcrypt",
        "yoda",
        "aspack",
        "yara detections",
        "intel",
        "comments",
        "show",
        "productversion",
        "inno setup",
        "invalid",
        "format",
        "invalid variant",
        "delphi",
        "stack",
        "error",
        "iniciar download setup",
        "gui",
        "application/octet-stream",
        "tsara brashears",
        "targets",
        "cve-2017-0199",
        "aspack",
        "contains-pe",
        "contains-elf",
        "bobsoft",
        "cve-2010-3333",
        "contains-embedded-js",
        "cve-2014-3931",
        "cve-2017-11882",
        "adware.adload/adinstaller",
        "win32processor",
        "information",
        "flow t1574",
        "dll sideloading",
        "reads",
        "downloads",
        "win32process",
        "t1055 spawns",
        "access token",
        "modify access",
        "files",
        "catalog tree",
        "analysis ob0001",
        "b0001 process",
        "b0003 delayed",
        "analysis ob0002",
        "evasion ob0006",
        "self deletion",
        "f0007 discovery",
        "ob0007 analysis",
        "dead",
        "cybercrime",
        "cyber criminal group",
        "dynamicloader",
        "high",
        "medium",
        "trojan",
        "less see",
        "contacted",
        "yara rule",
        "installs",
        "windows",
        "windows startup",
        "february",
        "copy",
        "as14061",
        "as16276",
        "canada unknown",
        "united kingdom",
        "as63949 linode",
        "as202053",
        "finland unknown",
        "aaaa",
        "get http",
        "request",
        "windows nt",
        "khtml",
        "gecko",
        "wow64",
        "host",
        "connection",
        "cus cndigicert",
        "ca1 odigicert",
        "win32",
        "win64",
        "accept",
        "dataset",
        "system property",
        "lookups",
        "select family",
        "userprofile",
        "temp",
        "samplepath",
        "user",
        "runtime modules",
        "modules",
        "programfiles",
        "windir",
        "datacrashpad",
        "k netsvcs",
        "s ngcctnrsvc",
        "nameweb bvba",
        "domains",
        "csc corporate",
        "registrarsafe",
        "registrar",
        "namecheap inc",
        "nameweb",
        "win32 exe",
        "detections file",
        "win32 dll",
        "ip detections",
        "country",
        "highly targeted",
        "problems",
        "sneaky server",
        "replacement",
        "unauthorized",
        "high level",
        "hackers",
        "unknown win",
        "agent tesla",
        "worm",
        "formbook",
        "startpage",
        "dead drop resolver",
        "nxdomain",
        "ns nxdomain",
        "scan endpoints",
        "all search",
        "otx scoreblue",
        "pulse pulses",
        "hostname",
        "files ip",
        "address domain",
        "div div",
        "a li",
        "p div",
        "read more",
        "a div",
        "bq aug",
        "script script",
        "path max",
        "age86400 set",
        "cookie",
        "entries",
        "trojandropper",
        "body",
        "trojan features",
        "related pulses",
        "file samples",
        "files matching",
        "date hash",
        "copyright",
        "virtool",
        "trojanspy",
        "hashes c2ae",
        "capa",
        "cape sandbox",
        "moves",
        "tencent habo",
        "zenbox",
        "tls rsa",
        "sha256",
        "inc subject",
        "global g2",
        "odigicert inc",
        "cndigicert sha2",
        "high assurance",
        "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl",
        "javascripts",
        "iframes",
        "embedded",
        "x sucuri",
        "cookie policy",
        "jeffrey scott reimer dpt",
        "toni braxton",
        "police",
        "fbi va",
        "loudon county",
        "ashburn va",
        "douglas co",
        "douglas co sheriff",
        "sheriff",
        "justin bieber",
        "swipper"
      ],
      "references": [
        "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net",
        "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
        "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)",
        "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply",
        "Yara Detections: Delphi",
        "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003",
        "\"Malware Behavior Catalog Tree:  Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102",
        "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02",
        "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007",
        "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083",
        "\"Malware Behavior Catalog Tree:  Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059",
        "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007",
        "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001",
        "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083",
        "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023",
        "\"Dataset actions -System Property Lookups: IIWbemServices::Connect",
        "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
        "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
        "\"Dataset actions - System Property Lookups:  Execution OB0012  F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005",
        "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus",
        "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com",
        "Apple Issues:\tcheckapple.com http://www.checkapple.com/  https://bincc.xyz/bin-apple-music-1month-apple-tv-7days  apple-marketing.com",
        "Apple Issues:\tapp-appleid.serveirc.com  appleid-appleus.serveirc.com  appleidapple.serveirc.com   apples-uncek.serveirc.com",
        "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/  http://www.appleid-lockid.serveirc.com/  http://www.appleid-seccure23.serveirc.com/",
        "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/   http://www.appleid-secure22.serveirc.com/ serviceirc.com",
        "Apple Issues: http://www.appleid-supporthelp.serveirc.com/   http://www.appleids-security.serveirc.com/",
        "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days",
        "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort",
        "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A",
        "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB ,  Backdoor:Linux/Setag!rfn ,  Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn",
        "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn ,  ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt",
        "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048",
        "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007",
        "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017",
        "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004",
        "\"Malware Behavior Catalog Tree: Create 00001807  Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001",
        "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021",
        "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry",
        "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"",
        "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query",
        "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32",
        "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API",
        "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer",
        "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation",
        "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows",
        "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value",
        "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory",
        "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows",
        "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path",
        "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system",
        "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists",
        "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Netherlands",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "PUP/Win32.Bundler.R1865",
          "display_name": "PUP/Win32.Bundler.R1865",
          "target": null
        },
        {
          "id": "Inno:Downloader-J [PUP]",
          "display_name": "Inno:Downloader-J [PUP]",
          "target": null
        },
        {
          "id": "AdWare:Win32/AdLoad.0e19dea6",
          "display_name": "AdWare:Win32/AdLoad.0e19dea6",
          "target": "/malware/AdWare:Win32/AdLoad.0e19dea6"
        },
        {
          "id": "Adware.Adload/Adinstaller",
          "display_name": "Adware.Adload/Adinstaller",
          "target": null
        },
        {
          "id": "Win.Packed.Razy-9828382-0",
          "display_name": "Win.Packed.Razy-9828382-0",
          "target": null
        },
        {
          "id": "VirTool:Win32/Injector",
          "display_name": "VirTool:Win32/Injector",
          "target": "/malware/VirTool:Win32/Injector"
        },
        {
          "id": "Trojan:Win32/Zombie",
          "display_name": "Trojan:Win32/Zombie",
          "target": "/malware/Trojan:Win32/Zombie"
        },
        {
          "id": "TrojanDropper:Win32/Muldrop",
          "display_name": "TrojanDropper:Win32/Muldrop",
          "target": "/malware/TrojanDropper:Win32/Muldrop"
        },
        {
          "id": "TrojanSpy:Win32/Nivdort",
          "display_name": "TrojanSpy:Win32/Nivdort",
          "target": "/malware/TrojanSpy:Win32/Nivdort"
        },
        {
          "id": "Trojan:Win32/Glupteba.MT!MTB",
          "display_name": "Trojan:Win32/Glupteba.MT!MTB",
          "target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
        }
      ],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1529",
          "name": "System Shutdown/Reboot",
          "display_name": "T1529 - System Shutdown/Reboot"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1614",
          "name": "System Location Discovery",
          "display_name": "T1614 - System Location Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1472",
          "name": "Generate Fraudulent Advertising Revenue",
          "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
        },
        {
          "id": "T1448",
          "name": "Carrier Billing Fraud",
          "display_name": "T1448 - Carrier Billing Fraud"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1516",
          "name": "Input Injection",
          "display_name": "T1516 - Input Injection"
        },
        {
          "id": "T1221",
          "name": "Template Injection",
          "display_name": "T1221 - Template Injection"
        }
      ],
      "industries": [
        "Technology",
        "Civilian Society"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 34,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1402,
        "FileHash-SHA1": 1366,
        "FileHash-SHA256": 6457,
        "URL": 6175,
        "domain": 1418,
        "hostname": 2287,
        "CVE": 10,
        "email": 6
      },
      "indicator_count": 19121,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 227,
      "modified_text": "556 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66bb7aa9d0ec86cff5b95b64",
      "name": "Injection | Target devices affected. Connected to Notepad | Yandex| Brian Sabey & Associated",
      "description": "Targets devices injected with extremely malicious URL's. The links did everything imaginable. Pushed up Jeffrey Reimer DPT in search engine while suppressing all positive search engine results of his victim. Her business was completely halted and redirected. Views went to well known artists. It also contained content scrapers causing certain keywords [keylogger included] to generate results in Bing search engines attempt to frame target.  Countless porn sites posted w/victims name appearing heaviest in Yandex moderately heavy in Google. Killed targets YouTube channel. Heavy use in victims Apple terminal. Death and bomb threats often. *http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/\n*http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
      "modified": "2024-09-12T14:01:56.106000",
      "created": "2024-08-13T15:24:25.284000",
      "tags": [
        "ip addresses",
        "luna moth",
        "campaign",
        "norad tracking",
        "ipdomain",
        "investigation",
        "hr rtd",
        "hallrender",
        "brian sabey",
        "heuristic",
        "referrer",
        "pe resource",
        "first",
        "utc submissions",
        "submitters",
        "solutions",
        "namesilo",
        "amazon02",
        "digitaloceanasn",
        "limited",
        "aschoopa",
        "ovh sas",
        "generator",
        "data",
        "v3 serial",
        "number",
        "issuer",
        "everywhere dv",
        "tls ca",
        "g1 odigicert",
        "validity",
        "subject public",
        "key info",
        "date",
        "server",
        "email",
        "code",
        "registrar abuse",
        "registrar url",
        "whois lookup",
        "admin city",
        "admin country",
        "cn admin",
        "office open",
        "xml spreadsheet",
        "detections type",
        "name",
        "dns replication",
        "iana id",
        "contact phone",
        "dnssec",
        "domain status",
        "registrar whois",
        "historical ssl",
        "threat roundup",
        "october",
        "investigation c",
        "december",
        "september",
        "ngfw traffic",
        "malicious ip",
        "address",
        "raspberry robin",
        "stealer",
        "creation date",
        "passive dns",
        "urls",
        "search",
        "name servers",
        "status",
        "showing",
        "all scoreblue",
        "unknown",
        "next",
        "as47846",
        "germany unknown",
        "as44273 host",
        "united",
        "as12876 online",
        "domain",
        "cve-2016-2569",
        "yodaprot",
        "xorcrypt",
        "yoda",
        "aspack",
        "yara detections",
        "intel",
        "comments",
        "show",
        "productversion",
        "inno setup",
        "invalid",
        "format",
        "invalid variant",
        "delphi",
        "stack",
        "error",
        "iniciar download setup",
        "gui",
        "application/octet-stream",
        "tsara brashears",
        "targets",
        "cve-2017-0199",
        "aspack",
        "contains-pe",
        "contains-elf",
        "bobsoft",
        "cve-2010-3333",
        "contains-embedded-js",
        "cve-2014-3931",
        "cve-2017-11882",
        "adware.adload/adinstaller",
        "win32processor",
        "information",
        "flow t1574",
        "dll sideloading",
        "reads",
        "downloads",
        "win32process",
        "t1055 spawns",
        "access token",
        "modify access",
        "files",
        "catalog tree",
        "analysis ob0001",
        "b0001 process",
        "b0003 delayed",
        "analysis ob0002",
        "evasion ob0006",
        "self deletion",
        "f0007 discovery",
        "ob0007 analysis",
        "dead",
        "cybercrime",
        "cyber criminal group",
        "dynamicloader",
        "high",
        "medium",
        "trojan",
        "less see",
        "contacted",
        "yara rule",
        "installs",
        "windows",
        "windows startup",
        "february",
        "copy",
        "as14061",
        "as16276",
        "canada unknown",
        "united kingdom",
        "as63949 linode",
        "as202053",
        "finland unknown",
        "aaaa",
        "get http",
        "request",
        "windows nt",
        "khtml",
        "gecko",
        "wow64",
        "host",
        "connection",
        "cus cndigicert",
        "ca1 odigicert",
        "win32",
        "win64",
        "accept",
        "dataset",
        "system property",
        "lookups",
        "select family",
        "userprofile",
        "temp",
        "samplepath",
        "user",
        "runtime modules",
        "modules",
        "programfiles",
        "windir",
        "datacrashpad",
        "k netsvcs",
        "s ngcctnrsvc",
        "nameweb bvba",
        "domains",
        "csc corporate",
        "registrarsafe",
        "registrar",
        "namecheap inc",
        "nameweb",
        "win32 exe",
        "detections file",
        "win32 dll",
        "ip detections",
        "country",
        "highly targeted",
        "problems",
        "sneaky server",
        "replacement",
        "unauthorized",
        "high level",
        "hackers",
        "unknown win",
        "agent tesla",
        "worm",
        "formbook",
        "startpage",
        "dead drop resolver",
        "nxdomain",
        "ns nxdomain",
        "scan endpoints",
        "all search",
        "otx scoreblue",
        "pulse pulses",
        "hostname",
        "files ip",
        "address domain",
        "div div",
        "a li",
        "p div",
        "read more",
        "a div",
        "bq aug",
        "script script",
        "path max",
        "age86400 set",
        "cookie",
        "entries",
        "trojandropper",
        "body",
        "trojan features",
        "related pulses",
        "file samples",
        "files matching",
        "date hash",
        "copyright",
        "virtool",
        "trojanspy",
        "hashes c2ae",
        "capa",
        "cape sandbox",
        "moves",
        "tencent habo",
        "zenbox",
        "tls rsa",
        "sha256",
        "inc subject",
        "global g2",
        "odigicert inc",
        "cndigicert sha2",
        "high assurance",
        "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinl",
        "javascripts",
        "iframes",
        "embedded",
        "x sucuri",
        "cookie policy",
        "jeffrey scott reimer dpt",
        "toni braxton",
        "police",
        "fbi va",
        "loudon county",
        "ashburn va",
        "douglas co",
        "douglas co sheriff",
        "sheriff",
        "justin bieber",
        "swipper"
      ],
      "references": [
        "cnbd.net\t | d1.cnbd.net\t| localhost.cnbd.net | mail.cnbd.net | siteinlink.d1.cnbd.net cnbd.net hghltd.yandex.net",
        "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
        "Researched: http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "Crowdsourced Sigma: Matches rule Potential Dead Drop Resolvers by Sorina Ionescu, X__Junior (Nextron Systems)",
        "Crowdsourced YARA: Matches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL by InQuest Labs",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Unusual PING detected",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING Windows",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP PING",
        "Crowdsourced IDS: Matches rule PROTOCOL-ICMP Echo Reply",
        "Yara Detections: Delphi",
        "\"Malware Behavior Catalog Tree: Anti-Behavioral Analysis OB0001 Debugger Detection B0001 Process Environment Block B0001.019 Dynamic Analysis Evasion B0003 Delayed Execution B0003.003",
        "\"Malware Behavior Catalog Tree:  Anti-Static Analysis OB0002 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E102",
        "\"Malware Behavior Catalog Tree : Defense Evasion OB0006 Obfuscated Files or Information E1027 Encoding-Standard Algorithm E1027.m02",
        "\"Malware Behavior Catalog Tree: Hidden Files and Directories F0005 Self Deletion F0007",
        "\"Malware Behavior Catalog Tree: Discovery OB0007 Analysis Tool Discovery B0013 Process detection B0013.001 System Information Discovery E1082 File and Directory Discovery E1083",
        "\"Malware Behavior Catalog Tree:  Execution OB0009 Install Additional Program B0023 Command and Scripting Interpreter E1059",
        "\"Malware Behavior Catalog Tree: Analysis Tool Discovery F0005 Self Deletion F0007",
        "\"Malware Behavior Catalog Tree: Discovery OB0007 System Information Discovery B0013 Process detection B0013.001",
        "\"Malware Behavior Catalog Tree: Hidden Files and Directories E1082 File and Directory Discovery E1083",
        "Malware Behavior Catalog Tree: Command and Scripting Interpreter OB0009 Install Additional Program B0023",
        "\"Dataset actions -System Property Lookups: IIWbemServices::Connect",
        "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
        "\"Dataset actions - System Property Lookups: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor",
        "\"Dataset actions - System Property Lookups:  Execution OB0012  F0005 File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048 Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007 Change Memory Protection C0008 Process OC0003 Create Process C0017 Create Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004 Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001 Modulo C0058 Cryptography OC0005",
        "Researched: d569ab9b9e89ebd9e2ff995bcd6509bc.virus",
        "Apple Issues:\tapple-validsecure.serviceirc.com serviceirc.com http://apple-validsecure.serviceirc.com https://apple-validsecure.serviceirc.com",
        "Apple Issues:\tcheckapple.com http://www.checkapple.com/  https://bincc.xyz/bin-apple-music-1month-apple-tv-7days  apple-marketing.com",
        "Apple Issues:\tapp-appleid.serveirc.com  appleid-appleus.serveirc.com  appleidapple.serveirc.com   apples-uncek.serveirc.com",
        "Apple Issues:\thttp://www.apple-verifallert.serveirc.com/  http://www.appleid-lockid.serveirc.com/  http://www.appleid-seccure23.serveirc.com/",
        "Apple Issues:\thttp://www.appleid-secure20.serveirc.com/   http://www.appleid-secure22.serveirc.com/ serviceirc.com",
        "Apple Issues: http://www.appleid-supporthelp.serveirc.com/   http://www.appleids-security.serveirc.com/",
        "Apple Issues: URL https://bincc.xyz/bin-apple-music-1month-apple-tv-7days",
        "Apple Issues: http://checkapple.com/home/item/131-iOs-%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B8%AD%E0%B8%87%E0%B8%9C%E0%B8%B9%E0%B9%89%E0%B8%94%E0%B8%B5-%E0%B8%9F%E0%B8%B1%E0%B8%99%E0%B8%98%E0%B8%87-iPhone-4-%E0%B8%9A%E0%B8%B2%E0%B8%87%E0%B8%81%E0%B8%A7%E0%B9%88%E0%B8%B2-Galaxy-S-2.htm",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Terse HTTP 1.0 Request Possible Nivdort Worm.Mydoom Checkin User-Agent (explwer)",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Hiloti/Mufanom Downloader Checkin Win32.Sality-GR Checkin Backdoor.Win32.Shiz.ivr",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Empty Checkin Upatre Retrieving encoded payload (Common Header Struct)",
        "Apple Fraud Issues: 15.197.192.55 | IDS Detections: Checkin Win32/Nivdort",
        "Antivirus Detections: ALF:HeraklezEval:Ransom:Win32/CVE , ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn , ALF:HeraklezEval:Trojan:Win32/Zombie.A",
        "Antivirus Detections: ALF:Trojan:Win32/FormBook.F!MTB ,  Backdoor:Linux/Setag!rfn ,  Backdoor:Win32/Bifrose.IQ , Backdoor:Win32/Simda!rfn",
        "Antivirus Detections: ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn ,  ALF:PUA:Win32/InstallMate.P , ALF:Trojan:Win32/Cassini_f9070846!ibt",
        "\"Malware Behavior Catalog Tree: File System OC0001 Create File C0016 Create Directory C0046 Delete File C0047 Delete Directory C0048",
        "\"Malware Behavior Catalog Tree: Get File Attributes C0049 Read File C0051 Writes File C0052 Memory OC0002 Allocate Memory C0007",
        "\"Malware Behavior Catalog Tree: Change Memory Protection C0008 Process OC0003 Create Process C0017",
        "\"Malware Behavior Catalog Tree: Suspended Process C0017.003 Set Thread Local Storage Value C0041 Data OC0004",
        "\"Malware Behavior Catalog Tree: Create 00001807  Encode Data C0026 XOR C0026.002 Checksum C0032 CRC32 C0032.001",
        "\"Malware Behavior Catalog Tree: Modulo C0058 Cryptography OC0005 Generate Pseudo-random Sequence C0021",
        "\"Malware Behavior Catalog Tree: Communication OC0006 HTTP Communication C0002 Operating System OC0008 Registry",
        "\"Malware Behavior Catalog Tree: Registry Value C0036.006 Capabilities Data-Manipulation\"",
        "\"Malware Behavior Catalog Tree: C0036 Open Registry Key C0036.003 Create Registry Key C0036.004 Query",
        "Capabilities Data: Manipulation Generate random numbers using the Delphi LCG Encode data using XOR Hash data with CRC32",
        "Capabilities Data: Linking Link function at runtime on Windows Collection Get geographical location Targeting Identify system language via API",
        "Capabilities Data: Executable Extract resource via kernel32 functions Contain a thread local storage (.tls) section Packaged as an Inno Setup installer",
        "Capabilities Data: Anti-Analysis Reference analysis tools strings Internal (Internal) installer file limitation",
        "Capabilities Data: Host-Interaction - Get file attributes Create process suspended Create process on Windows",
        "Capabilities Data: Host-Interaction - Allocate or change RWX memory Accept command line arguments Set thread local storage value",
        "Capabilities Data: Host-Interaction - Get system information on Windows Delete directory",
        "Capabilities Data: Host-Interaction - Get thread local storage value Read file on Windows Write file on Windows",
        "Capabilities Data: Host-Interaction - Get file size Query environment variable Get common file path",
        "Capabilities Data: Host-Interaction - Query or enumerate registry value Delete file Create directory Shutdown system",
        "Capabilities Data: Host-Interaction - Modify access privileges Check if file exists",
        "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Netherlands",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "PUP/Win32.Bundler.R1865",
          "display_name": "PUP/Win32.Bundler.R1865",
          "target": null
        },
        {
          "id": "Inno:Downloader-J [PUP]",
          "display_name": "Inno:Downloader-J [PUP]",
          "target": null
        },
        {
          "id": "AdWare:Win32/AdLoad.0e19dea6",
          "display_name": "AdWare:Win32/AdLoad.0e19dea6",
          "target": "/malware/AdWare:Win32/AdLoad.0e19dea6"
        },
        {
          "id": "Adware.Adload/Adinstaller",
          "display_name": "Adware.Adload/Adinstaller",
          "target": null
        },
        {
          "id": "Win.Packed.Razy-9828382-0",
          "display_name": "Win.Packed.Razy-9828382-0",
          "target": null
        },
        {
          "id": "VirTool:Win32/Injector",
          "display_name": "VirTool:Win32/Injector",
          "target": "/malware/VirTool:Win32/Injector"
        },
        {
          "id": "Trojan:Win32/Zombie",
          "display_name": "Trojan:Win32/Zombie",
          "target": "/malware/Trojan:Win32/Zombie"
        },
        {
          "id": "TrojanDropper:Win32/Muldrop",
          "display_name": "TrojanDropper:Win32/Muldrop",
          "target": "/malware/TrojanDropper:Win32/Muldrop"
        },
        {
          "id": "TrojanSpy:Win32/Nivdort",
          "display_name": "TrojanSpy:Win32/Nivdort",
          "target": "/malware/TrojanSpy:Win32/Nivdort"
        },
        {
          "id": "Trojan:Win32/Glupteba.MT!MTB",
          "display_name": "Trojan:Win32/Glupteba.MT!MTB",
          "target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
        }
      ],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1529",
          "name": "System Shutdown/Reboot",
          "display_name": "T1529 - System Shutdown/Reboot"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1614",
          "name": "System Location Discovery",
          "display_name": "T1614 - System Location Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1472",
          "name": "Generate Fraudulent Advertising Revenue",
          "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
        },
        {
          "id": "T1448",
          "name": "Carrier Billing Fraud",
          "display_name": "T1448 - Carrier Billing Fraud"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1516",
          "name": "Input Injection",
          "display_name": "T1516 - Input Injection"
        },
        {
          "id": "T1221",
          "name": "Template Injection",
          "display_name": "T1221 - Template Injection"
        }
      ],
      "industries": [
        "Technology",
        "Civilian Society"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 27,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1401,
        "FileHash-SHA1": 1365,
        "FileHash-SHA256": 6436,
        "URL": 5931,
        "domain": 1391,
        "hostname": 2165,
        "CVE": 5,
        "email": 6
      },
      "indicator_count": 18700,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 224,
      "modified_text": "585 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65eadaae65b9123721198d08",
      "name": "Nivdort | Affected OTX accounts | Yotta Network (Cloned OTX user)",
      "description": "",
      "modified": "2024-04-06T23:03:19.046000",
      "created": "2024-03-08T09:30:22.295000",
      "tags": [
        "methodpost",
        "threat",
        "iocs",
        "urls http",
        "samples",
        "cnc",
        "phishing",
        "ransom",
        "emotet",
        "fraud services",
        "command _and_control",
        "trojan",
        "scanning host",
        "active threat",
        "malicious",
        "date hash",
        "avast avg",
        "susp",
        "win32",
        "paste",
        "hostnames",
        "http response",
        "final url",
        "ip address",
        "status code",
        "body length",
        "b body",
        "headers date",
        "connection",
        "first",
        "utc submissions",
        "submitters",
        "computer",
        "company limited",
        "gandi sas",
        "ovh sas",
        "export",
        "summary iocs",
        "graph community",
        "limited",
        "yotta network",
        "gvb gelimed",
        "kb microsoft",
        "indonesia",
        "kyriazhs1975",
        "vj79",
        "bc https",
        "rexxfield",
        "brian sabey",
        "as21342",
        "united",
        "passive dns",
        "unknown",
        "scan endpoints",
        "all scoreblue",
        "ipv4",
        "pulse submit",
        "url analysis",
        "urls",
        "msie",
        "chrome",
        "creation date",
        "search",
        "dnssec",
        "entries",
        "body",
        "date",
        "as63949 linode",
        "mtb feb",
        "checkin m1",
        "gmt content",
        "type",
        "encrypt",
        "trojan",
        "artro",
        "moved",
        "pulse pulses",
        "yotta data",
        "yotta",
        "private limited",
        "india",
        "limited yotta",
        "number",
        "as140641",
        "network",
        "facebook",
        "info",
        "cisco umbrella",
        "site",
        "alexa top",
        "site top",
        "million",
        "safe site",
        "million alexa",
        "site safe",
        "cobalt strike",
        "malicious url",
        "blacknet rat",
        "union",
        "vidar",
        "malware",
        "stealer",
        "bank",
        "alexa",
        "deepscan",
        "phishing",
        "team",
        "super",
        "blacknet",
        "babar",
        "detection list",
        "blacklist http",
        "sample",
        "submission",
        "history first",
        "analysis",
        "utc http",
        "response final",
        "url http",
        "kb body",
        "path",
        "as396982 google",
        "bq mar",
        "win32cve mar",
        "exploit",
        "virtool",
        "status",
        "name servers",
        "emails",
        "servers",
        "next",
        "files",
        "as44273 host",
        "germany unknown",
        "expiration date",
        "showing",
        "win32upatre mar",
        "milehighmedia",
        "ids detections",
        "possible fake",
        "av checkin",
        "initial checkin",
        "checkin",
        "utah data",
        "center",
        "june",
        "data center",
        "responsible",
        "nsa utah",
        "march",
        "closeup view",
        "july",
        "view",
        "february",
        "prism",
        "cascade",
        "darpa",
        "twitter",
        "as20940",
        "aaaa",
        "as16625 akamai",
        "nxdomain",
        "whitelisted",
        "domain",
        "as54113",
        "msil",
        "cryp",
        "files show",
        "entries related",
        "domains",
        "as15169 google",
        "gmt cache",
        "sameorigin",
        "trojandropper",
        "asnone united",
        "title error",
        "porkbun",
        "mtb mar",
        "trojanspy",
        "installer",
        "loader",
        "hijacker",
        "targeting",
        "as30456",
        "sec ch",
        "for privacy",
        "ch ua",
        "hash avast",
        "avg clamav",
        "msdefender mar",
        "lowfi",
        "dns replication",
        "ip detections",
        "country",
        "contacted",
        "graph",
        "ssdeep",
        "file type",
        "html internet",
        "magic html",
        "ascii text",
        "trid file",
        "file size",
        "open threat",
        "learn",
        "html info",
        "exchange meta",
        "tags twitter",
        "alienvault",
        "script tags",
        "iframe tags",
        "google tag",
        "manager anchor",
        "iana",
        "whois lookup",
        "ipv4 address",
        "ripe ncc",
        "afrinic",
        "africa",
        "apnic",
        "asia pacific",
        "arin",
        "lacnic",
        "google",
        "amazon ec2",
        "email",
        "city",
        "server",
        "amazon data",
        "amazon",
        "code",
        "form",
        "po box",
        "tech",
        "show",
        "description ype",
        "collections",
        "partru",
        "execution",
        "fake host"
      ],
      "references": [
        "Part II -Some users OTX accounts connected to the following | Unexpected revelation |",
        "Title Salzburg Airport | Public Operations Display Portal  | http://quantum.emsbk.com/",
        "go.sabey.com | sabey.com | smear.cloud | w1.voyeurweb.com | Never stops...",
        "https://www.milehighmedia.com/legal/2257",
        "http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len",
        "http://schoolcare.dyndns.org/soap/ISCKeyUpdater",
        "http://callenjoy.net/index.php | watchhers.net | emails.redvue.com | nexus.devnautiluscloud.net | http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len",
        "http://45.159.189.105/bot/regex | http://46.109.184.5/search.htm | http://acycseiiqsau.org/ | emsbk.innocraft.cloud  | jenkins.devnautiluscloud.net |",
        "hostmaster.hostmaster.hostmaster.cartography.midst.co.uk | message.htm.com | quantum.emsbk.com http://cms.static.hw.famedownload.com/famedigital/m/",
        "http://cms.static.hw.famedownload.com/famedigital/m/1b6j9enlerq8k4g8/header-big8.jpg",
        "CnC IP's: 104.200.21.37 | 106.14.226.91 | 192.187.111.221 | 198.58.118.167 | 208.100.26.245 |  34.174.78.212",
        "Cookies AWSALB h0mLG52+gDNUdBHb468xx6EZCua7FVRvlZWH7URKSKV27WSs637El46CBcw8RmPBxIAT2jqmmByDbnMIsYobUWhWbNadYFsxVQk/gVDcDfdixV/5aQn0VRon9gXO",
        "https://nsa.gov1.info/utah-data-center",
        "https://softwaremill.com/grpc-vs-rest/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "United Arab Emirates"
      ],
      "malware_families": [
        {
          "id": "TrojanSpy:Win32/Nivdort.CW",
          "display_name": "TrojanSpy:Win32/Nivdort.CW",
          "target": "/malware/TrojanSpy:Win32/Nivdort.CW"
        },
        {
          "id": "AndroidOverlayMalware - MOB-S0012",
          "display_name": "AndroidOverlayMalware - MOB-S0012",
          "target": null
        },
        {
          "id": "#Lowfi:LUA:AutoItV3CraftedOverlay",
          "display_name": "#Lowfi:LUA:AutoItV3CraftedOverlay",
          "target": null
        },
        {
          "id": "Crypt3.BWVY",
          "display_name": "Crypt3.BWVY",
          "target": null
        },
        {
          "id": "Artro",
          "display_name": "Artro",
          "target": null
        },
        {
          "id": "Worm:Win32/Mofksys.RND!MTB",
          "display_name": "Worm:Win32/Mofksys.RND!MTB",
          "target": "/malware/Worm:Win32/Mofksys.RND!MTB"
        },
        {
          "id": "Trojan:Win32/Floxif.E",
          "display_name": "Trojan:Win32/Floxif.E",
          "target": "/malware/Trojan:Win32/Floxif.E"
        },
        {
          "id": "BlackNET",
          "display_name": "BlackNET",
          "target": null
        },
        {
          "id": "Babar",
          "display_name": "Babar",
          "target": null
        },
        {
          "id": "Malware",
          "display_name": "Malware",
          "target": null
        },
        {
          "id": "VirTool:Win32/Injector.gen!BQ",
          "display_name": "VirTool:Win32/Injector.gen!BQ",
          "target": "/malware/VirTool:Win32/Injector.gen!BQ"
        },
        {
          "id": "Win32:Malware-gen",
          "display_name": "Win32:Malware-gen",
          "target": null
        },
        {
          "id": "#VirTool:Win32/Obfuscator.ADB",
          "display_name": "#VirTool:Win32/Obfuscator.ADB",
          "target": "/malware/#VirTool:Win32/Obfuscator.ADB"
        },
        {
          "id": "Dropper.Generic_r.EC",
          "display_name": "Dropper.Generic_r.EC",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
          "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
          "target": null
        },
        {
          "id": "ALF:Trojan:Win32/Zbot",
          "display_name": "ALF:Trojan:Win32/Zbot",
          "target": null
        },
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1605",
          "name": "Command-Line Interface",
          "display_name": "T1605 - Command-Line Interface"
        },
        {
          "id": "TA0037",
          "name": "Command and Control",
          "display_name": "TA0037 - Command and Control"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1598",
          "name": "Phishing for Information",
          "display_name": "T1598 - Phishing for Information"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1156",
          "name": "Malicious Shell Modification",
          "display_name": "T1156 - Malicious Shell Modification"
        },
        {
          "id": "T1036.004",
          "name": "Masquerade Task or Service",
          "display_name": "T1036.004 - Masquerade Task or Service"
        },
        {
          "id": "T1444",
          "name": "Masquerade as Legitimate Application",
          "display_name": "T1444 - Masquerade as Legitimate Application"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1583.004",
          "name": "Server",
          "display_name": "T1583.004 - Server"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1091",
          "name": "Replication Through Removable Media",
          "display_name": "T1091 - Replication Through Removable Media"
        },
        {
          "id": "T1410",
          "name": "Network Traffic Capture or Redirection",
          "display_name": "T1410 - Network Traffic Capture or Redirection"
        }
      ],
      "industries": [
        "Civil Society",
        "Telecommunications",
        "Technology",
        "Financial"
      ],
      "TLP": "white",
      "cloned_from": "65ea56ae1992b02a25aa5c51",
      "export_count": 63,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 6765,
        "FileHash-MD5": 688,
        "FileHash-SHA1": 422,
        "FileHash-SHA256": 3169,
        "domain": 2171,
        "hostname": 1714,
        "email": 11,
        "CVE": 2,
        "CIDR": 2
      },
      "indicator_count": 14944,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 221,
      "modified_text": "744 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65ea56ae1992b02a25aa5c51",
      "name": "TrojanSpy:Win32/Nivdort | Affected OTX accounts | Yotta  Network",
      "description": "Part II -Some users OTX accounts connected to the following | Unexpected revelation | A group of hackers masquerading as attorneys, government officials, advocates, fake nsa, security professional, help desk, etc. I don't know the association with otx.alienvault. Unauthorized logins OTX users. accounts. Deleted and modified pulses, etc. Needs further research for me to fully understand.",
      "modified": "2024-04-06T23:03:19.046000",
      "created": "2024-03-08T00:07:10.521000",
      "tags": [
        "methodpost",
        "threat",
        "iocs",
        "urls http",
        "samples",
        "cnc",
        "phishing",
        "ransom",
        "emotet",
        "fraud services",
        "command _and_control",
        "trojan",
        "scanning host",
        "active threat",
        "malicious",
        "date hash",
        "avast avg",
        "susp",
        "win32",
        "paste",
        "hostnames",
        "http response",
        "final url",
        "ip address",
        "status code",
        "body length",
        "b body",
        "headers date",
        "connection",
        "first",
        "utc submissions",
        "submitters",
        "computer",
        "company limited",
        "gandi sas",
        "ovh sas",
        "export",
        "summary iocs",
        "graph community",
        "limited",
        "yotta network",
        "gvb gelimed",
        "kb microsoft",
        "indonesia",
        "kyriazhs1975",
        "vj79",
        "bc https",
        "rexxfield",
        "brian sabey",
        "as21342",
        "united",
        "passive dns",
        "unknown",
        "scan endpoints",
        "all scoreblue",
        "ipv4",
        "pulse submit",
        "url analysis",
        "urls",
        "msie",
        "chrome",
        "creation date",
        "search",
        "dnssec",
        "entries",
        "body",
        "date",
        "as63949 linode",
        "mtb feb",
        "checkin m1",
        "gmt content",
        "type",
        "encrypt",
        "trojan",
        "artro",
        "moved",
        "pulse pulses",
        "yotta data",
        "yotta",
        "private limited",
        "india",
        "limited yotta",
        "number",
        "as140641",
        "network",
        "facebook",
        "info",
        "cisco umbrella",
        "site",
        "alexa top",
        "site top",
        "million",
        "safe site",
        "million alexa",
        "site safe",
        "cobalt strike",
        "malicious url",
        "blacknet rat",
        "union",
        "vidar",
        "malware",
        "stealer",
        "bank",
        "alexa",
        "deepscan",
        "phishing",
        "team",
        "super",
        "blacknet",
        "babar",
        "detection list",
        "blacklist http",
        "sample",
        "submission",
        "history first",
        "analysis",
        "utc http",
        "response final",
        "url http",
        "kb body",
        "path",
        "as396982 google",
        "bq mar",
        "win32cve mar",
        "exploit",
        "virtool",
        "status",
        "name servers",
        "emails",
        "servers",
        "next",
        "files",
        "as44273 host",
        "germany unknown",
        "expiration date",
        "showing",
        "win32upatre mar",
        "milehighmedia",
        "ids detections",
        "possible fake",
        "av checkin",
        "initial checkin",
        "checkin",
        "utah data",
        "center",
        "june",
        "data center",
        "responsible",
        "nsa utah",
        "march",
        "closeup view",
        "july",
        "view",
        "february",
        "prism",
        "cascade",
        "darpa",
        "twitter",
        "as20940",
        "aaaa",
        "as16625 akamai",
        "nxdomain",
        "whitelisted",
        "domain",
        "as54113",
        "msil",
        "cryp",
        "files show",
        "entries related",
        "domains",
        "as15169 google",
        "gmt cache",
        "sameorigin",
        "trojandropper",
        "asnone united",
        "title error",
        "porkbun",
        "mtb mar",
        "trojanspy",
        "installer",
        "loader",
        "hijacker",
        "targeting",
        "as30456",
        "sec ch",
        "for privacy",
        "ch ua",
        "hash avast",
        "avg clamav",
        "msdefender mar",
        "lowfi",
        "dns replication",
        "ip detections",
        "country",
        "contacted",
        "graph",
        "ssdeep",
        "file type",
        "html internet",
        "magic html",
        "ascii text",
        "trid file",
        "file size",
        "open threat",
        "learn",
        "html info",
        "exchange meta",
        "tags twitter",
        "alienvault",
        "script tags",
        "iframe tags",
        "google tag",
        "manager anchor",
        "iana",
        "whois lookup",
        "ipv4 address",
        "ripe ncc",
        "afrinic",
        "africa",
        "apnic",
        "asia pacific",
        "arin",
        "lacnic",
        "google",
        "amazon ec2",
        "email",
        "city",
        "server",
        "amazon data",
        "amazon",
        "code",
        "form",
        "po box",
        "tech",
        "show",
        "description ype",
        "collections",
        "partru",
        "execution",
        "fake host"
      ],
      "references": [
        "Part II -Some users OTX accounts connected to the following | Unexpected revelation |",
        "Title Salzburg Airport | Public Operations Display Portal  | http://quantum.emsbk.com/",
        "go.sabey.com | sabey.com | smear.cloud | w1.voyeurweb.com | Never stops...",
        "https://www.milehighmedia.com/legal/2257",
        "http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len",
        "http://schoolcare.dyndns.org/soap/ISCKeyUpdater",
        "http://callenjoy.net/index.php | watchhers.net | emails.redvue.com | nexus.devnautiluscloud.net | http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len",
        "http://45.159.189.105/bot/regex | http://46.109.184.5/search.htm | http://acycseiiqsau.org/ | emsbk.innocraft.cloud  | jenkins.devnautiluscloud.net |",
        "hostmaster.hostmaster.hostmaster.cartography.midst.co.uk | message.htm.com | quantum.emsbk.com http://cms.static.hw.famedownload.com/famedigital/m/",
        "http://cms.static.hw.famedownload.com/famedigital/m/1b6j9enlerq8k4g8/header-big8.jpg",
        "CnC IP's: 104.200.21.37 | 106.14.226.91 | 192.187.111.221 | 198.58.118.167 | 208.100.26.245 |  34.174.78.212",
        "Cookies AWSALB h0mLG52+gDNUdBHb468xx6EZCua7FVRvlZWH7URKSKV27WSs637El46CBcw8RmPBxIAT2jqmmByDbnMIsYobUWhWbNadYFsxVQk/gVDcDfdixV/5aQn0VRon9gXO",
        "https://nsa.gov1.info/utah-data-center",
        "https://softwaremill.com/grpc-vs-rest/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "United Arab Emirates"
      ],
      "malware_families": [
        {
          "id": "TrojanSpy:Win32/Nivdort.CW",
          "display_name": "TrojanSpy:Win32/Nivdort.CW",
          "target": "/malware/TrojanSpy:Win32/Nivdort.CW"
        },
        {
          "id": "AndroidOverlayMalware - MOB-S0012",
          "display_name": "AndroidOverlayMalware - MOB-S0012",
          "target": null
        },
        {
          "id": "#Lowfi:LUA:AutoItV3CraftedOverlay",
          "display_name": "#Lowfi:LUA:AutoItV3CraftedOverlay",
          "target": null
        },
        {
          "id": "Crypt3.BWVY",
          "display_name": "Crypt3.BWVY",
          "target": null
        },
        {
          "id": "Artro",
          "display_name": "Artro",
          "target": null
        },
        {
          "id": "Worm:Win32/Mofksys.RND!MTB",
          "display_name": "Worm:Win32/Mofksys.RND!MTB",
          "target": "/malware/Worm:Win32/Mofksys.RND!MTB"
        },
        {
          "id": "Trojan:Win32/Floxif.E",
          "display_name": "Trojan:Win32/Floxif.E",
          "target": "/malware/Trojan:Win32/Floxif.E"
        },
        {
          "id": "BlackNET",
          "display_name": "BlackNET",
          "target": null
        },
        {
          "id": "Babar",
          "display_name": "Babar",
          "target": null
        },
        {
          "id": "Malware",
          "display_name": "Malware",
          "target": null
        },
        {
          "id": "VirTool:Win32/Injector.gen!BQ",
          "display_name": "VirTool:Win32/Injector.gen!BQ",
          "target": "/malware/VirTool:Win32/Injector.gen!BQ"
        },
        {
          "id": "Win32:Malware-gen",
          "display_name": "Win32:Malware-gen",
          "target": null
        },
        {
          "id": "#VirTool:Win32/Obfuscator.ADB",
          "display_name": "#VirTool:Win32/Obfuscator.ADB",
          "target": "/malware/#VirTool:Win32/Obfuscator.ADB"
        },
        {
          "id": "Dropper.Generic_r.EC",
          "display_name": "Dropper.Generic_r.EC",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
          "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
          "target": null
        },
        {
          "id": "ALF:Trojan:Win32/Zbot",
          "display_name": "ALF:Trojan:Win32/Zbot",
          "target": null
        },
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1605",
          "name": "Command-Line Interface",
          "display_name": "T1605 - Command-Line Interface"
        },
        {
          "id": "TA0037",
          "name": "Command and Control",
          "display_name": "TA0037 - Command and Control"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1598",
          "name": "Phishing for Information",
          "display_name": "T1598 - Phishing for Information"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1156",
          "name": "Malicious Shell Modification",
          "display_name": "T1156 - Malicious Shell Modification"
        },
        {
          "id": "T1036.004",
          "name": "Masquerade Task or Service",
          "display_name": "T1036.004 - Masquerade Task or Service"
        },
        {
          "id": "T1444",
          "name": "Masquerade as Legitimate Application",
          "display_name": "T1444 - Masquerade as Legitimate Application"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1583.004",
          "name": "Server",
          "display_name": "T1583.004 - Server"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1091",
          "name": "Replication Through Removable Media",
          "display_name": "T1091 - Replication Through Removable Media"
        },
        {
          "id": "T1410",
          "name": "Network Traffic Capture or Redirection",
          "display_name": "T1410 - Network Traffic Capture or Redirection"
        }
      ],
      "industries": [
        "Civil Society",
        "Telecommunications",
        "Technology",
        "Financial"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 59,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 6765,
        "FileHash-MD5": 688,
        "FileHash-SHA1": 422,
        "FileHash-SHA256": 3169,
        "domain": 2171,
        "hostname": 1714,
        "email": 11,
        "CVE": 2,
        "CIDR": 2
      },
      "indicator_count": 14944,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 231,
      "modified_text": "744 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65aab9d7a0b4116f622b0aa0",
      "name": "Linux/Mumblehard introduction via phone call Social Engineering",
      "description": "",
      "modified": "2024-02-17T00:01:16.653000",
      "created": "2024-01-19T18:05:11.592000",
      "tags": [
        "ssl certificate",
        "april",
        "resolutions",
        "threat roundup",
        "whois record",
        "historical ssl",
        "vt graph",
        "attack",
        "formbook",
        "subdomains",
        "august",
        "cobalt strike",
        "mumblehard",
        "iframe",
        "djcodychase.com",
        "first",
        "utc submissions",
        "submitters",
        "webico company",
        "limited",
        "summary iocs",
        "graph community",
        "urls",
        "gandi sas",
        "amazonaes",
        "cloudflarenet",
        "computer",
        "company limited",
        "cloud host",
        "pte ltd",
        "singlehopllc",
        "squarespace",
        "amazon02",
        "team internet",
        "google",
        "internapblk4",
        "domains",
        "registrar",
        "dynadot llc",
        "ip detections",
        "country",
        "detections type",
        "name",
        "win32 exe",
        "file size",
        "detections file",
        "kb file",
        "execution",
        "contacted",
        "apple ios",
        "tsara brashears",
        "virus network",
        "critical risk",
        "cyberstalking",
        "elf collection",
        "matches rule",
        "relacionada",
        "hacktool",
        "emotet",
        "critical",
        "copy",
        "installer",
        "banker",
        "keylogger",
        "it's back",
        "name verdict",
        "falcon sandbox",
        "json data",
        "localappdata",
        "temp",
        "getprocaddress",
        "windir",
        "ascii text",
        "file",
        "indicator",
        "mitre att",
        "ck id",
        "win64",
        "path",
        "date",
        "factory",
        "hybrid",
        "cookie",
        "benjamin"
      ],
      "references": [
        "djcodychase.com",
        "https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-threats/mumblehard-botnet-that-targeted-linux-systems-has-been-shut-down Source Trend"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Backdoor:Linux/Mumblehard",
          "display_name": "Backdoor:Linux/Mumblehard",
          "target": "/malware/Backdoor:Linux/Mumblehard"
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "FormBook",
          "display_name": "FormBook",
          "target": null
        },
        {
          "id": "Win.Dropper.XtremeRAT-7708589-0",
          "display_name": "Win.Dropper.XtremeRAT-7708589-0",
          "target": null
        },
        {
          "id": "HackTool",
          "display_name": "HackTool",
          "target": null
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "Ransomware",
          "display_name": "Ransomware",
          "target": null
        },
        {
          "id": "Worm:Win32/Benjamin",
          "display_name": "Worm:Win32/Benjamin",
          "target": "/malware/Worm:Win32/Benjamin"
        }
      ],
      "attack_ids": [
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1122",
          "name": "Component Object Model Hijacking",
          "display_name": "T1122 - Component Object Model Hijacking"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "65a8720daa2d0263a2b1de88",
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 114,
        "FileHash-SHA1": 106,
        "FileHash-SHA256": 3407,
        "URL": 6246,
        "domain": 2463,
        "hostname": 1693,
        "CVE": 2
      },
      "indicator_count": 14031,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 227,
      "modified_text": "793 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65a8720daa2d0263a2b1de88",
      "name": "Linux/Mumblehard introduction via  phone call  Social Engineering",
      "description": "Already deeply compromised individuals more at risk of elaborate phone call interception/redirect/transfer from legitimate services. Many different schemes are used to access and nullify victims identity, involves ssn#, bank account information, email exchange text messaging, PDF exchange, Spam sent to all known accounts, password reset, request for ID upload to verify (steal) identity, extensive holds while trying to 'help' you, unannounced credit check ID theft. Ransomware, Linux attack, Botnetwork behavior.  Active threat. Linux/Mumblehard backdoor/botnet",
      "modified": "2024-02-17T00:01:16.653000",
      "created": "2024-01-18T00:34:21.136000",
      "tags": [
        "ssl certificate",
        "april",
        "resolutions",
        "threat roundup",
        "whois record",
        "historical ssl",
        "vt graph",
        "attack",
        "formbook",
        "subdomains",
        "august",
        "cobalt strike",
        "mumblehard",
        "iframe",
        "djcodychase.com",
        "first",
        "utc submissions",
        "submitters",
        "webico company",
        "limited",
        "summary iocs",
        "graph community",
        "urls",
        "gandi sas",
        "amazonaes",
        "cloudflarenet",
        "computer",
        "company limited",
        "cloud host",
        "pte ltd",
        "singlehopllc",
        "squarespace",
        "amazon02",
        "team internet",
        "google",
        "internapblk4",
        "domains",
        "registrar",
        "dynadot llc",
        "ip detections",
        "country",
        "detections type",
        "name",
        "win32 exe",
        "file size",
        "detections file",
        "kb file",
        "execution",
        "contacted",
        "apple ios",
        "tsara brashears",
        "virus network",
        "critical risk",
        "cyberstalking",
        "elf collection",
        "matches rule",
        "relacionada",
        "hacktool",
        "emotet",
        "critical",
        "copy",
        "installer",
        "banker",
        "keylogger",
        "it's back",
        "name verdict",
        "falcon sandbox",
        "json data",
        "localappdata",
        "temp",
        "getprocaddress",
        "windir",
        "ascii text",
        "file",
        "indicator",
        "mitre att",
        "ck id",
        "win64",
        "path",
        "date",
        "factory",
        "hybrid",
        "cookie",
        "benjamin"
      ],
      "references": [
        "djcodychase.com",
        "https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-threats/mumblehard-botnet-that-targeted-linux-systems-has-been-shut-down Source Trend"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Backdoor:Linux/Mumblehard",
          "display_name": "Backdoor:Linux/Mumblehard",
          "target": "/malware/Backdoor:Linux/Mumblehard"
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "FormBook",
          "display_name": "FormBook",
          "target": null
        },
        {
          "id": "Win.Dropper.XtremeRAT-7708589-0",
          "display_name": "Win.Dropper.XtremeRAT-7708589-0",
          "target": null
        },
        {
          "id": "HackTool",
          "display_name": "HackTool",
          "target": null
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "Ransomware",
          "display_name": "Ransomware",
          "target": null
        },
        {
          "id": "Worm:Win32/Benjamin",
          "display_name": "Worm:Win32/Benjamin",
          "target": "/malware/Worm:Win32/Benjamin"
        }
      ],
      "attack_ids": [
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1122",
          "name": "Component Object Model Hijacking",
          "display_name": "T1122 - Component Object Model Hijacking"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 114,
        "FileHash-SHA1": 106,
        "FileHash-SHA256": 3407,
        "URL": 6246,
        "domain": 2463,
        "hostname": 1693,
        "CVE": 2
      },
      "indicator_count": 14031,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 221,
      "modified_text": "793 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://www.gitcloudcache.com/cache/GyyW6oTE7D",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://www.gitcloudcache.com/cache/GyyW6oTE7D",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776726372.914463
}