{ "type": "URL", "indicator": "https://www.mailplus.co.uk", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.mailplus.co.uk", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3811256904, "indicator": "https://www.mailplus.co.uk", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "688716977e80a4274f2eafa9", "name": "LeadIQ | The Smart B2B Prospecting Platform | Malware Packed | Agent Tesla & more", "description": "Found in Bot joining Pulse.", "modified": "2025-08-27T06:03:05.020000", "created": "2025-07-28T06:20:07.660000", "tags": [ "present jul", "united", "entries", "search", "moved", "ip address", "creation date", "record value", "date", "showing", "body", "meta", "passive dns", "next associated", "win32spigot apr", "title error", "ipv4 add", "pulse pulses", "urls", "files", "adaptivebee", "worm", "win32", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "location united", "asn asnone", "nameservers", "less whois", "registrar", "csc corporate", "status", "servers", "name servers", "hostname", "hostname add", "a domains", "script urls", "unknown aaaa", "technology one", "script script", "certificate", "null", "trojan", "twitter", "domain", "files ip", "address domain", "ip related", "pulses otx", "virtool", "http", "present jun", "present may", "pulse submit", "url analysis", "reverse dns", "australia asn", "as55532 squiz", "dns resolutions", "overview ip", "address", "ipv4", "iocs", "data upload", "extraction", "ided iocs", "failed", "shaw", "ail tvnas", "rl irl", "domain add", "ostname add", "verdict", "show", "types", "type", "indicator data", "searc type", "a indicator", "data", "select across", "all pages", "domain domain", "checked url", "hostname server", "response ip", "address google", "safe browsing", "msie", "chrome", "present dec", "base", "read c", "port", "destination", "delete", "copy", "write", "memcommit", "cryptexportkey", "invalid pointer", "writeconsolea", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "ascii text", "crlf line", "mitre att", "error", "click", "hybrid", "local", "path", "starfield", "strings", "refresh", "tools", "onload", "span", "form", "adversaries", "windows nt", "generic http", "exe upload", "inbound", "outbound", "yara detections", "malware", "expiration date", "whois show", "name andrew", "bauer name", "div id", "beginstring", "beginerror", "script", "general", "cloud", "find", "footer", "ninite feb", "telper", "ninite mar", "ninite apr", "trojandropper", "mtb mar", "url https", "general full", "security tls", "software", "resource hash", "protocol h2", "frankfurt", "main", "germany", "input", "skype", "opciones", "july", "es form", "dom name", "post https", "imagen", "microsoft", "iniciar sesin", "value", "variables", "config", "debug", "loader", "geturl", "b function", "addlistener", "proof", "amazon02", "dk summary", "amazon rsa", "september", "browsing", "resource", "asn16509", "name value", "queueprogress", "timestamp input", "status actions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 487, "FileHash-SHA1": 461, "URL": 10732, "domain": 1672, "email": 6, "hostname": 3039, "FileHash-SHA256": 2569, "SSLCertFingerprint": 7 }, "indicator_count": 18973, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68858e8244c8db854e8947c1", "name": "Goodreads Malware", "description": "Goodreads is an older book review website. I found Goodreads[.]com links botnet joining Pulse. Just curious. #goodreads #malware #goodreads_botnet_join #thismightbeabotnet\n#gogray #purpleteamit #malware \n#thismightbeabotnet #ineedtolearnmore", "modified": "2025-08-26T01:03:19.405000", "created": "2025-07-27T02:27:14.517000", "tags": [ "passive dns", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "united", "flag united", "present jun", "present may", "present apr", "search", "moved", "creation date", "record value", "date", "body", "meta", "indicator role", "title added", "active related", "pulses url", "memcommit", "value1", "partnerid4146", "username", "gamesessionid", "port", "destination", "regsetvalueexa", "mozilla", "write", "persistence", "execution", "malware", "copy", "next", "process32nextw", "show", "entries", "module load", "t1129", "intel", "ms windows", "showing", "t1045", "win32", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "evasion att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "size", "pattern match", "ascii text", "null", "error", "starfield", "click", "hybrid", "local", "path", "strings", "refresh", "tools", "onload", "span", "smbds ipc", "ms17010", "msf style", "probe ms17010", "generic flags", "yara detections", "nrv2x", "upxoepplace" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 155, "hostname": 1237, "FileHash-SHA256": 1141, "domain": 574, "URL": 4593, "FileHash-SHA1": 139, "email": 1, "SSLCertFingerprint": 8 }, "indicator_count": 7848, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687c95b12318dd62bdfbd29e", "name": "sorting \u2026", "description": "", "modified": "2025-08-19T06:05:20.676000", "created": "2025-07-20T07:07:29.508000", "tags": [ "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "discovery att", "files", "domain", "passive dns", "urls", "files ip", "address", "location united", "asn as14618", "less whois", "registrar", "et trojan", "msie", "windows nt", "show", "search", "entries", "unknown", "ascii text", "medium", "delete", "copy", "virustotal", "write", "next", "trojandropper", "malware", "asn as16509", "read c", "port", "destination", "rgba", "memcommit", "dock", "execution", "default", "unicode", "crlf line", "united", "xport", "module load", "t1129", "icmp traffic", "high", "cmd c", "t1055", "http", "ipv4 add", "pulse submit", "url analysis", "reverse dns", "america flag", "next associated", "showing", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "flag", "country", "markmonitor", "name server", "date", "contacted hosts", "process details", "extraction", "data upload", "extri", "include review", "exclude sugges", "typ hos", "ipv4", "data", "copy sha256", "copy sha1", "copy md5", "sha1", "sha256", "size", "beginstring", "segoe ui", "null", "type data", "refresh", "body", "span", "hybrid", "general", "click", "strings", "error", "tools", "look", "verify", "restart" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1596, "hostname": 2143, "FileHash-MD5": 73, "FileHash-SHA1": 48, "FileHash-SHA256": 422, "URL": 5044 }, "indicator_count": 9326, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687c85b517922396d1669fe8", "name": "\u2014\u2014\u2014\u2014\u2014-", "description": "", "modified": "2025-08-19T05:03:06.173000", "created": "2025-07-20T05:59:17.361000", "tags": [ "status", "united", "unknown ns", "passive dns", "urls", "creation date", "search", "emails", "date", "expiration date", "expiration", "no expiration", "email admin", "url http", "url https", "showing", "entries", "overview domain", "files ip", "address", "location united", "asn as14618", "less whois", "registrar", "markmonitor", "pulses", "related tags", "ips certificate", "key identifier", "x509v3 subject", "full name", "domain status", "data", "v3 serial", "number", "cus odigicert", "inc cndigicert", "code", "domain", "resolver ip", "global g2", "tls rsa", "sha256", "searc es", "data upload", "extraction", "present may", "present dec", "moved", "certificate", "body", "address domain", "present jul", "present jun", "present jan", "present sep", "present feb", "files", "ip address", "location canada", "asn as396982", "failed", "include review", "exclude sugges", "uny inuuue", "find s", "typ hostname", "o url", "extr data", "type", "find", "show", "types", "browse t", "include data" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2400, "domain": 929, "email": 4, "hostname": 1630, "FileHash-SHA256": 211, "FileHash-SHA1": 2, "FileHash-MD5": 1 }, "indicator_count": 5177, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6585b183175afafb5e3bfff5", "name": "Potential Poodle Attack against a server | Injection | Threat Network", "description": "", "modified": "2024-01-21T15:01:52.390000", "created": "2023-12-22T15:55:47.977000", "tags": [ "whois record", "ssl certificate", "threat roundup", "december", "whois whois", "historical ssl", "referrer", "problems", "november", "tsara brashears", "startpage", "core", "hacktool", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "sample summary", "as54113", "united", "xamzexpires300", "unknown", "a domains", "passive dns", "entries", "github pages", "request id", "sea x", "virtool", "accept", "cache", "hit x", "date hash", "avast avg", "files show", "execution", "contacted", "threat analyzer", "threat", "paste", "hostnames", "urls http", "noname057", "generic malware", "threat report", "ip summary", "url summary", "summary", "generic", "inject", "!#AddsCopyToStartup", "SLF:Exploit:Win32/UACPathBypass.A", "SSL excessive fatal alerts (possible POODLE attack against serve", "injector", "185.199.108.133", "malware infection", "link", "name servers", "date", "title", "urls", "domain robot", "for privacy", "redacted for", "expiration date", "emotet", "upx", "msil", "trojan", "malware", "apple", "data collection", "privilege escalation", "evasive", "show", "scan endpoints", "all octoseek", "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "copy", "threat network", "service modification", "target", "targeting an individual", "cybercrime", "fraud services", "attack", "africa", "libel", "password cracker", "ios" ], "references": [ "frostwire-5.3.9.windows.exe", "185.199.108.133", "cdn-185-199-108-133.github.com", "AS : AS16509 Amazon.com, Inc", "SRC URL : http://dl.frostwire.com/frostwire/5.3.9/frostwire-5.3.9.windows.exe", "IP : 54.192.29.164", "https://otx.alienvault.com/indicator/ip/185.199.108.133", "Malware Hosting: IPv4 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133", "YARA Rules", "Matches rule Windows_API_Function from ruleset Windows_API_Function by InQuest Labs", "Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "Matches rule UPX from ruleset UPX by kevoreilly", "REFERENCE: https://goo.gl/hXbwiV", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_JS_Command", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Mobile transactional with ads/ malicious]", "https://otx.alienvault.com/indicator/url/https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Walker | Apple Password Cracker]", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [Apple exploit]", "www.pornhub.com [New Relic | nr-data.net | Apple Private Data Collection]", "www.anyxxxtube.net", "https://otx.alienvault.com/indicator/url/https://www.bleepingcomputer.com/forums/t/268006/wormmalware-that-kills-run-system-restore-regedit/ [ phishing attack directed towards Tsara Brashears]", "phishing-campaign-cloudstation-eu-west-98.githubusercontent.com [phishing]", "louisianarooflawyers.com [phishing| songculture.com redirect , compromised by threat actors]", "103.246.145.111 [malware]", "x.ss2.us", "nr-data.net [Apple Private Data Collection]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Magic", "display_name": "Magic", "target": null }, { "id": "Multios.Coinminer.Miner-6781728-2", "display_name": "Multios.Coinminer.Miner-6781728-2", "target": null }, { "id": "Win32/Ispen BADNEWS Fake User-Agent", "display_name": "Win32/Ispen BADNEWS Fake User-Agent", "target": null }, { "id": "Babulya/CollectorStealer User-Agent", "display_name": "Babulya/CollectorStealer User-Agent", "target": null }, { "id": "Win.Malware.Generic-9820446-0", "display_name": "Win.Malware.Generic-9820446-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "VirTool:MSIL/Obfuscator.BV", "display_name": "VirTool:MSIL/Obfuscator.BV", "target": "/malware/VirTool:MSIL/Obfuscator.BV" }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "ALF:HSTR:HackTool:ExtremeInjector.S01", "display_name": "ALF:HSTR:HackTool:ExtremeInjector.S01", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "target": null }, { "id": "!#HSTR:Win32/Spectorsoft", "display_name": "!#HSTR:Win32/Spectorsoft", "target": "/malware/!#HSTR:Win32/Spectorsoft" }, { "id": "ALF:Base64EncodeFunctionMonitorW", "display_name": "ALF:Base64EncodeFunctionMonitorW", "target": null }, { "id": "185.199.108.133.Malware_Host", "display_name": "185.199.108.133.Malware_Host", "target": null }, { "id": "adware.opencandy", "display_name": "adware.opencandy", "target": null }, { "id": "Malvertizing", "display_name": "Malvertizing", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1872, "FileHash-SHA1": 1140, "FileHash-SHA256": 2367, "URL": 1969, "domain": 327, "hostname": 1025, "email": 1 }, "indicator_count": 8701, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6585b18d61efd8798827c12a", "name": "Potential Poodle Attack against a server | Injection | Threat Network", "description": "", "modified": "2024-01-21T15:01:52.390000", "created": "2023-12-22T15:55:57.639000", "tags": [ "whois record", "ssl certificate", "threat roundup", "december", "whois whois", "historical ssl", "referrer", "problems", "november", "tsara brashears", "startpage", "core", "hacktool", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "sample summary", "as54113", "united", "xamzexpires300", "unknown", "a domains", "passive dns", "entries", "github pages", "request id", "sea x", "virtool", "accept", "cache", "hit x", "date hash", "avast avg", "files show", "execution", "contacted", "threat analyzer", "threat", "paste", "hostnames", "urls http", "noname057", "generic malware", "threat report", "ip summary", "url summary", "summary", "generic", "inject", "!#AddsCopyToStartup", "SLF:Exploit:Win32/UACPathBypass.A", "SSL excessive fatal alerts (possible POODLE attack against serve", "injector", "185.199.108.133", "malware infection", "link", "name servers", "date", "title", "urls", "domain robot", "for privacy", "redacted for", "expiration date", "emotet", "upx", "msil", "trojan", "malware", "apple", "data collection", "privilege escalation", "evasive", "show", "scan endpoints", "all octoseek", "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "copy", "threat network", "service modification", "target", "targeting an individual", "cybercrime", "fraud services", "attack", "africa", "libel", "password cracker", "ios" ], "references": [ "frostwire-5.3.9.windows.exe", "185.199.108.133", "cdn-185-199-108-133.github.com", "AS : AS16509 Amazon.com, Inc", "SRC URL : http://dl.frostwire.com/frostwire/5.3.9/frostwire-5.3.9.windows.exe", "IP : 54.192.29.164", "https://otx.alienvault.com/indicator/ip/185.199.108.133", "Malware Hosting: IPv4 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133", "YARA Rules", "Matches rule Windows_API_Function from ruleset Windows_API_Function by InQuest Labs", "Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "Matches rule UPX from ruleset UPX by kevoreilly", "REFERENCE: https://goo.gl/hXbwiV", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_JS_Command", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Mobile transactional with ads/ malicious]", "https://otx.alienvault.com/indicator/url/https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Walker | Apple Password Cracker]", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [Apple exploit]", "www.pornhub.com [New Relic | nr-data.net | Apple Private Data Collection]", "www.anyxxxtube.net", "https://otx.alienvault.com/indicator/url/https://www.bleepingcomputer.com/forums/t/268006/wormmalware-that-kills-run-system-restore-regedit/ [ phishing attack directed towards Tsara Brashears]", "phishing-campaign-cloudstation-eu-west-98.githubusercontent.com [phishing]", "louisianarooflawyers.com [phishing| songculture.com redirect , compromised by threat actors]", "103.246.145.111 [malware]", "x.ss2.us", "nr-data.net [Apple Private Data Collection]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Magic", "display_name": "Magic", "target": null }, { "id": "Multios.Coinminer.Miner-6781728-2", "display_name": "Multios.Coinminer.Miner-6781728-2", "target": null }, { "id": "Win32/Ispen BADNEWS Fake User-Agent", "display_name": "Win32/Ispen BADNEWS Fake User-Agent", "target": null }, { "id": "Babulya/CollectorStealer User-Agent", "display_name": "Babulya/CollectorStealer User-Agent", "target": null }, { "id": "Win.Malware.Generic-9820446-0", "display_name": "Win.Malware.Generic-9820446-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "VirTool:MSIL/Obfuscator.BV", "display_name": "VirTool:MSIL/Obfuscator.BV", "target": "/malware/VirTool:MSIL/Obfuscator.BV" }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "ALF:HSTR:HackTool:ExtremeInjector.S01", "display_name": "ALF:HSTR:HackTool:ExtremeInjector.S01", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "target": null }, { "id": "!#HSTR:Win32/Spectorsoft", "display_name": "!#HSTR:Win32/Spectorsoft", "target": "/malware/!#HSTR:Win32/Spectorsoft" }, { "id": "ALF:Base64EncodeFunctionMonitorW", "display_name": "ALF:Base64EncodeFunctionMonitorW", "target": null }, { "id": "185.199.108.133.Malware_Host", "display_name": "185.199.108.133.Malware_Host", "target": null }, { "id": "adware.opencandy", "display_name": "adware.opencandy", "target": null }, { "id": "Malvertizing", "display_name": "Malvertizing", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1872, "FileHash-SHA1": 1140, "FileHash-SHA256": 2367, "URL": 1969, "domain": 327, "hostname": 1025, "email": 1 }, "indicator_count": 8701, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://otx.alienvault.com/indicator/url/https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Walker | Apple Password Cracker]", "Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "Matches rule UPX from ruleset UPX by kevoreilly", "Malware Hosting: IPv4 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [Apple exploit]", "louisianarooflawyers.com [phishing| songculture.com redirect , compromised by threat actors]", "IP : 54.192.29.164", "cdn-185-199-108-133.github.com", "phishing-campaign-cloudstation-eu-west-98.githubusercontent.com [phishing]", "www.anyxxxtube.net", "YARA Rules", "nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/ip/185.199.108.133", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www.pornhub.com [New Relic | nr-data.net | Apple Private Data Collection]", "https://otx.alienvault.com/indicator/url/https://www.bleepingcomputer.com/forums/t/268006/wormmalware-that-kills-run-system-restore-regedit/ [ phishing attack directed towards Tsara Brashears]", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_JS_Command", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Mobile transactional with ads/ malicious]", "frostwire-5.3.9.windows.exe", "103.246.145.111 [malware]", "REFERENCE: https://goo.gl/hXbwiV", "SRC URL : http://dl.frostwire.com/frostwire/5.3.9/frostwire-5.3.9.windows.exe", "Matches rule Windows_API_Function from ruleset Windows_API_Function by InQuest Labs", "x.ss2.us", "185.199.108.133", "AS : AS16509 Amazon.com, Inc" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Generic", "Babulya/collectorstealer user-agent", "Worm:win32/autorun!atmn", "Magic", "Win.malware.generic-9820446-0", "Virtool", "Malvertizing", "Alf:heraklezeval:trojan:win32/agenttesla!rfn", "Alf:base64encodefunctionmonitorw", "Hacktool", "Adware.opencandy", "Virtool:msil/obfuscator.bv", "!#hstr:win32/spectorsoft", "Alf:hstr:hacktool:extremeinjector.s01", "Multios.coinminer.miner-6781728-2", "185.199.108.133.malware_host", "Emotet", "Win32/ispen badnews fake user-agent", "Win.trojan.emotet-9850453-0" ], "industries": [], "unique_indicators": 45962 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/mailplus.co.uk", "whois": "http://whois.domaintools.com/mailplus.co.uk", "domain": "mailplus.co.uk", "hostname": "www.mailplus.co.uk" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "688716977e80a4274f2eafa9", "name": "LeadIQ | The Smart B2B Prospecting Platform | Malware Packed | Agent Tesla & more", "description": "Found in Bot joining Pulse.", "modified": "2025-08-27T06:03:05.020000", "created": "2025-07-28T06:20:07.660000", "tags": [ "present jul", "united", "entries", "search", "moved", "ip address", "creation date", "record value", "date", "showing", "body", "meta", "passive dns", "next associated", "win32spigot apr", "title error", "ipv4 add", "pulse pulses", "urls", "files", "adaptivebee", "worm", "win32", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "location united", "asn asnone", "nameservers", "less whois", "registrar", "csc corporate", "status", "servers", "name servers", "hostname", "hostname add", "a domains", "script urls", "unknown aaaa", "technology one", "script script", "certificate", "null", "trojan", "twitter", "domain", "files ip", "address domain", "ip related", "pulses otx", "virtool", "http", "present jun", "present may", "pulse submit", "url analysis", "reverse dns", "australia asn", "as55532 squiz", "dns resolutions", "overview ip", "address", "ipv4", "iocs", "data upload", "extraction", "ided iocs", "failed", "shaw", "ail tvnas", "rl irl", "domain add", "ostname add", "verdict", "show", "types", "type", "indicator data", "searc type", "a indicator", "data", "select across", "all pages", "domain domain", "checked url", "hostname server", "response ip", "address google", "safe browsing", "msie", "chrome", "present dec", "base", "read c", "port", "destination", "delete", "copy", "write", "memcommit", "cryptexportkey", "invalid pointer", "writeconsolea", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "ascii text", "crlf line", "mitre att", "error", "click", "hybrid", "local", "path", "starfield", "strings", "refresh", "tools", "onload", "span", "form", "adversaries", "windows nt", "generic http", "exe upload", "inbound", "outbound", "yara detections", "malware", "expiration date", "whois show", "name andrew", "bauer name", "div id", "beginstring", "beginerror", "script", "general", "cloud", "find", "footer", "ninite feb", "telper", "ninite mar", "ninite apr", "trojandropper", "mtb mar", "url https", "general full", "security tls", "software", "resource hash", "protocol h2", "frankfurt", "main", "germany", "input", "skype", "opciones", "july", "es form", "dom name", "post https", "imagen", "microsoft", "iniciar sesin", "value", "variables", "config", "debug", "loader", "geturl", "b function", "addlistener", "proof", "amazon02", "dk summary", "amazon rsa", "september", "browsing", "resource", "asn16509", "name value", "queueprogress", "timestamp input", "status actions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 487, "FileHash-SHA1": 461, "URL": 10732, "domain": 1672, "email": 6, "hostname": 3039, "FileHash-SHA256": 2569, "SSLCertFingerprint": 7 }, "indicator_count": 18973, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68858e8244c8db854e8947c1", "name": "Goodreads Malware", "description": "Goodreads is an older book review website. I found Goodreads[.]com links botnet joining Pulse. Just curious. #goodreads #malware #goodreads_botnet_join #thismightbeabotnet\n#gogray #purpleteamit #malware \n#thismightbeabotnet #ineedtolearnmore", "modified": "2025-08-26T01:03:19.405000", "created": "2025-07-27T02:27:14.517000", "tags": [ "passive dns", "urls", "url add", "pulse pulses", "http", "ip address", "related nids", "files location", "united", "flag united", "present jun", "present may", "present apr", "search", "moved", "creation date", "record value", "date", "body", "meta", "indicator role", "title added", "active related", "pulses url", "memcommit", "value1", "partnerid4146", "username", "gamesessionid", "port", "destination", "regsetvalueexa", "mozilla", "write", "persistence", "execution", "malware", "copy", "next", "process32nextw", "show", "entries", "module load", "t1129", "intel", "ms windows", "showing", "t1045", "win32", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "mitre att", "ck techniques", "evasion att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "size", "pattern match", "ascii text", "null", "error", "starfield", "click", "hybrid", "local", "path", "strings", "refresh", "tools", "onload", "span", "smbds ipc", "ms17010", "msf style", "probe ms17010", "generic flags", "yara detections", "nrv2x", "upxoepplace" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 155, "hostname": 1237, "FileHash-SHA256": 1141, "domain": 574, "URL": 4593, "FileHash-SHA1": 139, "email": 1, "SSLCertFingerprint": 8 }, "indicator_count": 7848, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687c95b12318dd62bdfbd29e", "name": "sorting \u2026", "description": "", "modified": "2025-08-19T06:05:20.676000", "created": "2025-07-20T07:07:29.508000", "tags": [ "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "discovery att", "files", "domain", "passive dns", "urls", "files ip", "address", "location united", "asn as14618", "less whois", "registrar", "et trojan", "msie", "windows nt", "show", "search", "entries", "unknown", "ascii text", "medium", "delete", "copy", "virustotal", "write", "next", "trojandropper", "malware", "asn as16509", "read c", "port", "destination", "rgba", "memcommit", "dock", "execution", "default", "unicode", "crlf line", "united", "xport", "module load", "t1129", "icmp traffic", "high", "cmd c", "t1055", "http", "ipv4 add", "pulse submit", "url analysis", "reverse dns", "america flag", "next associated", "showing", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "flag", "country", "markmonitor", "name server", "date", "contacted hosts", "process details", "extraction", "data upload", "extri", "include review", "exclude sugges", "typ hos", "ipv4", "data", "copy sha256", "copy sha1", "copy md5", "sha1", "sha256", "size", "beginstring", "segoe ui", "null", "type data", "refresh", "body", "span", "hybrid", "general", "click", "strings", "error", "tools", "look", "verify", "restart" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1596, "hostname": 2143, "FileHash-MD5": 73, "FileHash-SHA1": 48, "FileHash-SHA256": 422, "URL": 5044 }, "indicator_count": 9326, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687c85b517922396d1669fe8", "name": "\u2014\u2014\u2014\u2014\u2014-", "description": "", "modified": "2025-08-19T05:03:06.173000", "created": "2025-07-20T05:59:17.361000", "tags": [ "status", "united", "unknown ns", "passive dns", "urls", "creation date", "search", "emails", "date", "expiration date", "expiration", "no expiration", "email admin", "url http", "url https", "showing", "entries", "overview domain", "files ip", "address", "location united", "asn as14618", "less whois", "registrar", "markmonitor", "pulses", "related tags", "ips certificate", "key identifier", "x509v3 subject", "full name", "domain status", "data", "v3 serial", "number", "cus odigicert", "inc cndigicert", "code", "domain", "resolver ip", "global g2", "tls rsa", "sha256", "searc es", "data upload", "extraction", "present may", "present dec", "moved", "certificate", "body", "address domain", "present jul", "present jun", "present jan", "present sep", "present feb", "files", "ip address", "location canada", "asn as396982", "failed", "include review", "exclude sugges", "uny inuuue", "find s", "typ hostname", "o url", "extr data", "type", "find", "show", "types", "browse t", "include data" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2400, "domain": 929, "email": 4, "hostname": 1630, "FileHash-SHA256": 211, "FileHash-SHA1": 2, "FileHash-MD5": 1 }, "indicator_count": 5177, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6585b183175afafb5e3bfff5", "name": "Potential Poodle Attack against a server | Injection | Threat Network", "description": "", "modified": "2024-01-21T15:01:52.390000", "created": "2023-12-22T15:55:47.977000", "tags": [ "whois record", "ssl certificate", "threat roundup", "december", "whois whois", "historical ssl", "referrer", "problems", "november", "tsara brashears", "startpage", "core", "hacktool", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "sample summary", "as54113", "united", "xamzexpires300", "unknown", "a domains", "passive dns", "entries", "github pages", "request id", "sea x", "virtool", "accept", "cache", "hit x", "date hash", "avast avg", "files show", "execution", "contacted", "threat analyzer", "threat", "paste", "hostnames", "urls http", "noname057", "generic malware", "threat report", "ip summary", "url summary", "summary", "generic", "inject", "!#AddsCopyToStartup", "SLF:Exploit:Win32/UACPathBypass.A", "SSL excessive fatal alerts (possible POODLE attack against serve", "injector", "185.199.108.133", "malware infection", "link", "name servers", "date", "title", "urls", "domain robot", "for privacy", "redacted for", "expiration date", "emotet", "upx", "msil", "trojan", "malware", "apple", "data collection", "privilege escalation", "evasive", "show", "scan endpoints", "all octoseek", "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "copy", "threat network", "service modification", "target", "targeting an individual", "cybercrime", "fraud services", "attack", "africa", "libel", "password cracker", "ios" ], "references": [ "frostwire-5.3.9.windows.exe", "185.199.108.133", "cdn-185-199-108-133.github.com", "AS : AS16509 Amazon.com, Inc", "SRC URL : http://dl.frostwire.com/frostwire/5.3.9/frostwire-5.3.9.windows.exe", "IP : 54.192.29.164", "https://otx.alienvault.com/indicator/ip/185.199.108.133", "Malware Hosting: IPv4 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133", "YARA Rules", "Matches rule Windows_API_Function from ruleset Windows_API_Function by InQuest Labs", "Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "Matches rule UPX from ruleset UPX by kevoreilly", "REFERENCE: https://goo.gl/hXbwiV", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_JS_Command", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Mobile transactional with ads/ malicious]", "https://otx.alienvault.com/indicator/url/https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Walker | Apple Password Cracker]", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [Apple exploit]", "www.pornhub.com [New Relic | nr-data.net | Apple Private Data Collection]", "www.anyxxxtube.net", "https://otx.alienvault.com/indicator/url/https://www.bleepingcomputer.com/forums/t/268006/wormmalware-that-kills-run-system-restore-regedit/ [ phishing attack directed towards Tsara Brashears]", "phishing-campaign-cloudstation-eu-west-98.githubusercontent.com [phishing]", "louisianarooflawyers.com [phishing| songculture.com redirect , compromised by threat actors]", "103.246.145.111 [malware]", "x.ss2.us", "nr-data.net [Apple Private Data Collection]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Magic", "display_name": "Magic", "target": null }, { "id": "Multios.Coinminer.Miner-6781728-2", "display_name": "Multios.Coinminer.Miner-6781728-2", "target": null }, { "id": "Win32/Ispen BADNEWS Fake User-Agent", "display_name": "Win32/Ispen BADNEWS Fake User-Agent", "target": null }, { "id": "Babulya/CollectorStealer User-Agent", "display_name": "Babulya/CollectorStealer User-Agent", "target": null }, { "id": "Win.Malware.Generic-9820446-0", "display_name": "Win.Malware.Generic-9820446-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "VirTool:MSIL/Obfuscator.BV", "display_name": "VirTool:MSIL/Obfuscator.BV", "target": "/malware/VirTool:MSIL/Obfuscator.BV" }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "ALF:HSTR:HackTool:ExtremeInjector.S01", "display_name": "ALF:HSTR:HackTool:ExtremeInjector.S01", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "target": null }, { "id": "!#HSTR:Win32/Spectorsoft", "display_name": "!#HSTR:Win32/Spectorsoft", "target": "/malware/!#HSTR:Win32/Spectorsoft" }, { "id": "ALF:Base64EncodeFunctionMonitorW", "display_name": "ALF:Base64EncodeFunctionMonitorW", "target": null }, { "id": "185.199.108.133.Malware_Host", "display_name": "185.199.108.133.Malware_Host", "target": null }, { "id": "adware.opencandy", "display_name": "adware.opencandy", "target": null }, { "id": "Malvertizing", "display_name": "Malvertizing", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1872, "FileHash-SHA1": 1140, "FileHash-SHA256": 2367, "URL": 1969, "domain": 327, "hostname": 1025, "email": 1 }, "indicator_count": 8701, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6585b18d61efd8798827c12a", "name": "Potential Poodle Attack against a server | Injection | Threat Network", "description": "", "modified": "2024-01-21T15:01:52.390000", "created": "2023-12-22T15:55:57.639000", "tags": [ "whois record", "ssl certificate", "threat roundup", "december", "whois whois", "historical ssl", "referrer", "problems", "november", "tsara brashears", "startpage", "core", "hacktool", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "sample summary", "as54113", "united", "xamzexpires300", "unknown", "a domains", "passive dns", "entries", "github pages", "request id", "sea x", "virtool", "accept", "cache", "hit x", "date hash", "avast avg", "files show", "execution", "contacted", "threat analyzer", "threat", "paste", "hostnames", "urls http", "noname057", "generic malware", "threat report", "ip summary", "url summary", "summary", "generic", "inject", "!#AddsCopyToStartup", "SLF:Exploit:Win32/UACPathBypass.A", "SSL excessive fatal alerts (possible POODLE attack against serve", "injector", "185.199.108.133", "malware infection", "link", "name servers", "date", "title", "urls", "domain robot", "for privacy", "redacted for", "expiration date", "emotet", "upx", "msil", "trojan", "malware", "apple", "data collection", "privilege escalation", "evasive", "show", "scan endpoints", "all octoseek", "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "copy", "threat network", "service modification", "target", "targeting an individual", "cybercrime", "fraud services", "attack", "africa", "libel", "password cracker", "ios" ], "references": [ "frostwire-5.3.9.windows.exe", "185.199.108.133", "cdn-185-199-108-133.github.com", "AS : AS16509 Amazon.com, Inc", "SRC URL : http://dl.frostwire.com/frostwire/5.3.9/frostwire-5.3.9.windows.exe", "IP : 54.192.29.164", "https://otx.alienvault.com/indicator/ip/185.199.108.133", "Malware Hosting: IPv4 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133", "YARA Rules", "Matches rule Windows_API_Function from ruleset Windows_API_Function by InQuest Labs", "Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "Matches rule UPX from ruleset UPX by kevoreilly", "REFERENCE: https://goo.gl/hXbwiV", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_JS_Command", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Mobile transactional with ads/ malicious]", "https://otx.alienvault.com/indicator/url/https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Walker | Apple Password Cracker]", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [Apple exploit]", "www.pornhub.com [New Relic | nr-data.net | Apple Private Data Collection]", "www.anyxxxtube.net", "https://otx.alienvault.com/indicator/url/https://www.bleepingcomputer.com/forums/t/268006/wormmalware-that-kills-run-system-restore-regedit/ [ phishing attack directed towards Tsara Brashears]", "phishing-campaign-cloudstation-eu-west-98.githubusercontent.com [phishing]", "louisianarooflawyers.com [phishing| songculture.com redirect , compromised by threat actors]", "103.246.145.111 [malware]", "x.ss2.us", "nr-data.net [Apple Private Data Collection]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Magic", "display_name": "Magic", "target": null }, { "id": "Multios.Coinminer.Miner-6781728-2", "display_name": "Multios.Coinminer.Miner-6781728-2", "target": null }, { "id": "Win32/Ispen BADNEWS Fake User-Agent", "display_name": "Win32/Ispen BADNEWS Fake User-Agent", "target": null }, { "id": "Babulya/CollectorStealer User-Agent", "display_name": "Babulya/CollectorStealer User-Agent", "target": null }, { "id": "Win.Malware.Generic-9820446-0", "display_name": "Win.Malware.Generic-9820446-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "VirTool:MSIL/Obfuscator.BV", "display_name": "VirTool:MSIL/Obfuscator.BV", "target": "/malware/VirTool:MSIL/Obfuscator.BV" }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "ALF:HSTR:HackTool:ExtremeInjector.S01", "display_name": "ALF:HSTR:HackTool:ExtremeInjector.S01", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "target": null }, { "id": "!#HSTR:Win32/Spectorsoft", "display_name": "!#HSTR:Win32/Spectorsoft", "target": "/malware/!#HSTR:Win32/Spectorsoft" }, { "id": "ALF:Base64EncodeFunctionMonitorW", "display_name": "ALF:Base64EncodeFunctionMonitorW", "target": null }, { "id": "185.199.108.133.Malware_Host", "display_name": "185.199.108.133.Malware_Host", "target": null }, { "id": "adware.opencandy", "display_name": "adware.opencandy", "target": null }, { "id": "Malvertizing", "display_name": "Malvertizing", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1872, "FileHash-SHA1": 1140, "FileHash-SHA256": 2367, "URL": 1969, "domain": 327, "hostname": 1025, "email": 1 }, "indicator_count": 8701, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.mailplus.co.uk", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.mailplus.co.uk", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776704058.1439118 }