{ "type": "URL", "indicator": "https://www.midamericamuseum.org/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.midamericamuseum.org/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4082150826, "indicator": "https://www.midamericamuseum.org/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "68732864356c4353e0b1efe2", "name": "Denver Post - Custom Malware | Xord", "description": "YARA Detections:\n\u2022 xord_nopsled_in_jquery\ncompromised_site_redirector_fromcharcode\n\u2022 KnownMaliciousObfuscationPattern\n\u2022 WebExploit | \nAlerts:\n\u2022 ransomware_file_modifications\n\u2022 script_created_process\n\u2022 antivm_generic_disk\n\u2022 infostealer_cookies\n\u2022 suspicious_command\n\u2022 dead_host\n\u2022 suspicious_write_exe\n\u2022 network_icmp\n\u2022 modifies_certificates\n\u2022 process_martian\n* Malware IP - \n142.251.215.232", "modified": "2025-08-12T03:05:26.037000", "created": "2025-07-13T03:30:44.589000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses", "entries", "url http", "domain", "ipv4", "filehashsha256", "hostname", "types of", "united kingdom", "united", "germany", "france", "type indicator", "role title", "added active", "related pulses", "extraction", "data upload", "failed", "se extraction", "enter sc", "type", "extra data", "please", "include review", "exclude sugges", "type ol", "please sub", "langes", "include", "review data", "extrad", "manually add", "indicator", "sc type", "included iocs", "se extr", "review exclude", "sugges", "extract data", "add indicator", "domain related", "showing", "tewdida data", "present jul", "script urls", "a domains", "present jun", "search", "accept encoding", "unknown aaaa", "present may", "date", "meta", "body", "ipv6", "role", "present jan", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "regexp", "typeof e", "typeof t", "function", "width", "error", "object", "x20trnf", "pseudo", "child", "form", "class", "null", "write", "this", "void", "accept", "copy", "extr please", "typ data", "indicalok no", "gmt max", "reverse dns", "location united", "america flag", "ashburn", "america asn", "dns resolutions", "domains top", "extri please", "review", "sugges data", "find suxesteu", "typ indical", "on hos", "dynamicloader", "medium", "show", "high", "windows", "cmd c", "delete", "next", "unknown", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "as15169", "execution", "dock", "persistence", "malware", "roboto", "fwlink", "powershell", "delete c", "guard", "win32", "passive dns", "ransom", "trojan", "gmt cache", "sameorigin", "443 ma2592000", "pulse", "trojandropper", "worm", "ur extraction", "find", "types", "seard data", "source se", "url toi", "ela fer", "iocs", "search otx", "extr", "indicators h", "weall", "indica", "sc data", "data u", "extre", "find s", "onv incmde", "exclude data", "suggested", "typ no" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3107, "domain": 526, "hostname": 940, "FileHash-SHA256": 2209, "email": 2, "FileHash-MD5": 80, "FileHash-SHA1": 31, "SSLCertFingerprint": 11 }, "indicator_count": 6906, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "292 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68732869bad70de69c45c1b3", "name": "Denver Post - Custom Malware | Xord", "description": "YARA Detections:\n\u2022 xord_nopsled_in_jquery\ncompromised_site_redirector_fromcharcode\n\u2022 KnownMaliciousObfuscationPattern\n\u2022 WebExploit | \nAlerts:\n\u2022 ransomware_file_modifications\n\u2022 script_created_process\n\u2022 antivm_generic_disk\n\u2022 infostealer_cookies\n\u2022 suspicious_command\n\u2022 dead_host\n\u2022 suspicious_write_exe\n\u2022 network_icmp\n\u2022 modifies_certificates\n\u2022 process_martian\n* Malware IP - \n142.251.215.232", "modified": "2025-08-12T03:05:26.037000", "created": "2025-07-13T03:30:49.347000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses", "entries", "url http", "domain", "ipv4", "filehashsha256", "hostname", "types of", "united kingdom", "united", "germany", "france", "type indicator", "role title", "added active", "related pulses", "extraction", "data upload", "failed", "se extraction", "enter sc", "type", "extra data", "please", "include review", "exclude sugges", "type ol", "please sub", "langes", "include", "review data", "extrad", "manually add", "indicator", "sc type", "included iocs", "se extr", "review exclude", "sugges", "extract data", "add indicator", "domain related", "showing", "tewdida data", "present jul", "script urls", "a domains", "present jun", "search", "accept encoding", "unknown aaaa", "present may", "date", "meta", "body", "ipv6", "role", "present jan", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "regexp", "typeof e", "typeof t", "function", "width", "error", "object", "x20trnf", "pseudo", "child", "form", "class", "null", "write", "this", "void", "accept", "copy", "extr please", "typ data", "indicalok no", "gmt max", "reverse dns", "location united", "america flag", "ashburn", "america asn", "dns resolutions", "domains top", "extri please", "review", "sugges data", "find suxesteu", "typ indical", "on hos", "dynamicloader", "medium", "show", "high", "windows", "cmd c", "delete", "next", "unknown", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "as15169", "execution", "dock", "persistence", "malware", "roboto", "fwlink", "powershell", "delete c", "guard", "win32", "passive dns", "ransom", "trojan", "gmt cache", "sameorigin", "443 ma2592000", "pulse", "trojandropper", "worm", "ur extraction", "find", "types", "seard data", "source se", "url toi", "ela fer", "iocs", "search otx", "extr", "indicators h", "weall", "indica", "sc data", "data u", "extre", "find s", "onv incmde", "exclude data", "suggested", "typ no" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3107, "domain": 526, "hostname": 940, "FileHash-SHA256": 2209, "email": 2, "FileHash-MD5": 80, "FileHash-SHA1": 31, "SSLCertFingerprint": 11 }, "indicator_count": 6906, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "292 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6867624b645b1724745d6584", "name": "BotX | Multiple attack affects \u2018alleged\u2019 Workforce agency", "description": "A \u2018Unnamed\u2019 workforce agency of questionable legitimacy.\nSerious social engineering. #financial. #pii #phi #gathering. \n#Win32:BotX-gen\\ [Trj]\nIDS Detections\n\u2022 TLS Handshake Failure\nAlerts:\n#dead_host\n#network_icmp\n#nolookup_communication\n#modifies_proxy_wpad\n#allocates_rwx\n#injection_process_search\n#protection_rx\n#antivm_network_adapters\n#process_interest\n#antivm_queries_computername\n#checks_debugger\n#pe_unknown_resource\n#injection #apple #remote #rat #dns #virus #malware #bot_gen #attack #masquerading #monitored_target #staged #worforce #whatstrue #withu4ever\n#hoax #banker #ransom #malvertising #innerparty #overwatch #endgame #mirai #virtool #trojans #privilege #meritless #apple \nWeirdness: \n\u2022 simswap.in (mirai)\n\u2022 twitter\n\u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\ngirlsdoporn.com\t\n\u2022 https://twitter.com/PORNO_SEXYBABES\n\u2022 apple-dns.net\n\u2022 pornhub.com \u2022 www.pornhub.com #1984\n#whatdidtargetdo? #preemptive\n#Team8 wants to know.", "modified": "2025-08-03T04:01:39.496000", "created": "2025-07-04T05:10:35.672000", "tags": [ "utc ua124682679", "google tag", "utc gr8frkfel9k", "utc gjycztvzbg0", "utc gfjlg9p3ltd", "utc g8dm6znp88p", "utc gvev1mxhhbn", "utc na", "palco", "home", "palco og", "palco article", "wordpress", "elementor", "status code", "body length", "kb body", "rdap database", "server", "date", "country", "dnssec", "code", "registrar abuse", "registrar iana", "registrar url", "registrar whois", "registrar", "ttl value", "language", "html document", "ascii text", "doctype", "network", "solutions", "email", "lookups", "for privacy", "united", "creation date", "overview domain", "passive dns", "urls", "files ip", "address", "location united", "asn as13335", "meta", "accept", "present mar", "date checked", "url hostname", "server response", "ip address", "google safe", "results jul", "present jun", "present apr", "entries", "urls show", "results jun", "script urls", "a domains", "moved", "encrypt", "search", "body", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "gmt content", "certificate", "results jan", "present sep", "present may", "present jul", "backdoor", "next associated", "win32", "error", "present", "response ip", "address google", "safe browsing", "associated urls", "show", "results may", "virgin islands", "unknown soa", "unknown ns", "domain", "aaaa", "status", "record value", "name servers", "afe browsing", "gmt setcookie", "path", "vfrbuk1", "lefasbor1", "formula", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "malware", "copy", "present showing", "files show", "date hash", "avast avg", "showing", "present feb", "virtool", "datacenter", "hosting", "vps reverse", "america flag", "america asn", "graphite", "skynet", "win64", "expiration date", "domain add", "pulse pulses", "files", "present nov", "present aug", "kryptikxp", "cname", "whois registrar", "markmonitor", "pulses", "tags", "related tags", "more indicator", "default", "regsetvalueexa", "process32nextw", "regdword", "high", "medium", "todo", "write", "belize", "overview ip", "location belize", "asn as210083", "privex", "alone email", "body doctype", "gmt server", "content type", "t1055", "discovery", "read", "createnowindow", "dock", "push", "motd", "front", "duster" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2054, "hostname": 368, "domain": 251, "CIDR": 1, "FileHash-MD5": 492, "FileHash-SHA1": 522, "URL": 508, "email": 8, "CVE": 1 }, "indicator_count": 4205, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "301 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6867653f0b2d5f4f1abeb55c", "name": "Graphite Mercenary Spyware? Skynet- I failed to adequately research prior pulse. Uh\u2026.hi!", "description": "", "modified": "2025-08-03T04:01:39.496000", "created": "2025-07-04T05:23:11.056000", "tags": [ "utc ua124682679", "google tag", "utc gr8frkfel9k", "utc gjycztvzbg0", "utc gfjlg9p3ltd", "utc g8dm6znp88p", "utc gvev1mxhhbn", "utc na", "palco", "home", "palco og", "palco article", "wordpress", "elementor", "status code", "body length", "kb body", "rdap database", "server", "date", "country", "dnssec", "code", "registrar abuse", "registrar iana", "registrar url", "registrar whois", "registrar", "ttl value", "language", "html document", "ascii text", "doctype", "network", "solutions", "email", "lookups", "for privacy", "united", "creation date", "overview domain", "passive dns", "urls", "files ip", "address", "location united", "asn as13335", "meta", "accept", "present mar", "date checked", "url hostname", "server response", "ip address", "google safe", "results jul", "present jun", "present apr", "entries", "urls show", "results jun", "script urls", "a domains", "moved", "encrypt", "search", "body", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "gmt content", "certificate", "results jan", "present sep", "present may", "present jul", "backdoor", "next associated", "win32", "error", "present", "response ip", "address google", "safe browsing", "associated urls", "show", "results may", "virgin islands", "unknown soa", "unknown ns", "domain", "aaaa", "status", "record value", "name servers", "afe browsing", "gmt setcookie", "path", "vfrbuk1", "lefasbor1", "formula", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "malware", "copy", "present showing", "files show", "date hash", "avast avg", "showing", "present feb", "virtool", "datacenter", "hosting", "vps reverse", "america flag", "america asn", "graphite", "skynet", "win64", "expiration date", "domain add", "pulse pulses", "files", "present nov", "present aug", "kryptikxp", "cname", "whois registrar", "markmonitor", "pulses", "tags", "related tags", "more indicator", "default", "regsetvalueexa", "process32nextw", "regdword", "high", "medium", "todo", "write", "belize", "overview ip", "location belize", "asn as210083", "privex", "alone email", "body doctype", "gmt server", "content type", "t1055", "discovery", "read", "createnowindow", "dock", "push", "motd", "front", "duster" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6867624b645b1724745d6584", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2054, "hostname": 368, "domain": 251, "CIDR": 1, "FileHash-MD5": 492, "FileHash-SHA1": 522, "URL": 508, "email": 8, "CVE": 1 }, "indicator_count": 4205, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "301 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 11311 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/midamericamuseum.org", "whois": "http://whois.domaintools.com/midamericamuseum.org", "domain": "midamericamuseum.org", "hostname": "www.midamericamuseum.org" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "68732864356c4353e0b1efe2", "name": "Denver Post - Custom Malware | Xord", "description": "YARA Detections:\n\u2022 xord_nopsled_in_jquery\ncompromised_site_redirector_fromcharcode\n\u2022 KnownMaliciousObfuscationPattern\n\u2022 WebExploit | \nAlerts:\n\u2022 ransomware_file_modifications\n\u2022 script_created_process\n\u2022 antivm_generic_disk\n\u2022 infostealer_cookies\n\u2022 suspicious_command\n\u2022 dead_host\n\u2022 suspicious_write_exe\n\u2022 network_icmp\n\u2022 modifies_certificates\n\u2022 process_martian\n* Malware IP - \n142.251.215.232", "modified": "2025-08-12T03:05:26.037000", "created": "2025-07-13T03:30:44.589000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses", "entries", "url http", "domain", "ipv4", "filehashsha256", "hostname", "types of", "united kingdom", "united", "germany", "france", "type indicator", "role title", "added active", "related pulses", "extraction", "data upload", "failed", "se extraction", "enter sc", "type", "extra data", "please", "include review", "exclude sugges", "type ol", "please sub", "langes", "include", "review data", "extrad", "manually add", "indicator", "sc type", "included iocs", "se extr", "review exclude", "sugges", "extract data", "add indicator", "domain related", "showing", "tewdida data", "present jul", "script urls", "a domains", "present jun", "search", "accept encoding", "unknown aaaa", "present may", "date", "meta", "body", "ipv6", "role", "present jan", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "regexp", "typeof e", "typeof t", "function", "width", "error", "object", "x20trnf", "pseudo", "child", "form", "class", "null", "write", "this", "void", "accept", "copy", "extr please", "typ data", "indicalok no", "gmt max", "reverse dns", "location united", "america flag", "ashburn", "america asn", "dns resolutions", "domains top", "extri please", "review", "sugges data", "find suxesteu", "typ indical", "on hos", "dynamicloader", "medium", "show", "high", "windows", "cmd c", "delete", "next", "unknown", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "as15169", "execution", "dock", "persistence", "malware", "roboto", "fwlink", "powershell", "delete c", "guard", "win32", "passive dns", "ransom", "trojan", "gmt cache", "sameorigin", "443 ma2592000", "pulse", "trojandropper", "worm", "ur extraction", "find", "types", "seard data", "source se", "url toi", "ela fer", "iocs", "search otx", "extr", "indicators h", "weall", "indica", "sc data", "data u", "extre", "find s", "onv incmde", "exclude data", "suggested", "typ no" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3107, "domain": 526, "hostname": 940, "FileHash-SHA256": 2209, "email": 2, "FileHash-MD5": 80, "FileHash-SHA1": 31, "SSLCertFingerprint": 11 }, "indicator_count": 6906, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "292 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68732869bad70de69c45c1b3", "name": "Denver Post - Custom Malware | Xord", "description": "YARA Detections:\n\u2022 xord_nopsled_in_jquery\ncompromised_site_redirector_fromcharcode\n\u2022 KnownMaliciousObfuscationPattern\n\u2022 WebExploit | \nAlerts:\n\u2022 ransomware_file_modifications\n\u2022 script_created_process\n\u2022 antivm_generic_disk\n\u2022 infostealer_cookies\n\u2022 suspicious_command\n\u2022 dead_host\n\u2022 suspicious_write_exe\n\u2022 network_icmp\n\u2022 modifies_certificates\n\u2022 process_martian\n* Malware IP - \n142.251.215.232", "modified": "2025-08-12T03:05:26.037000", "created": "2025-07-13T03:30:49.347000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses", "entries", "url http", "domain", "ipv4", "filehashsha256", "hostname", "types of", "united kingdom", "united", "germany", "france", "type indicator", "role title", "added active", "related pulses", "extraction", "data upload", "failed", "se extraction", "enter sc", "type", "extra data", "please", "include review", "exclude sugges", "type ol", "please sub", "langes", "include", "review data", "extrad", "manually add", "indicator", "sc type", "included iocs", "se extr", "review exclude", "sugges", "extract data", "add indicator", "domain related", "showing", "tewdida data", "present jul", "script urls", "a domains", "present jun", "search", "accept encoding", "unknown aaaa", "present may", "date", "meta", "body", "ipv6", "role", "present jan", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "regexp", "typeof e", "typeof t", "function", "width", "error", "object", "x20trnf", "pseudo", "child", "form", "class", "null", "write", "this", "void", "accept", "copy", "extr please", "typ data", "indicalok no", "gmt max", "reverse dns", "location united", "america flag", "ashburn", "america asn", "dns resolutions", "domains top", "extri please", "review", "sugges data", "find suxesteu", "typ indical", "on hos", "dynamicloader", "medium", "show", "high", "windows", "cmd c", "delete", "next", "unknown", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "as15169", "execution", "dock", "persistence", "malware", "roboto", "fwlink", "powershell", "delete c", "guard", "win32", "passive dns", "ransom", "trojan", "gmt cache", "sameorigin", "443 ma2592000", "pulse", "trojandropper", "worm", "ur extraction", "find", "types", "seard data", "source se", "url toi", "ela fer", "iocs", "search otx", "extr", "indicators h", "weall", "indica", "sc data", "data u", "extre", "find s", "onv incmde", "exclude data", "suggested", "typ no" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3107, "domain": 526, "hostname": 940, "FileHash-SHA256": 2209, "email": 2, "FileHash-MD5": 80, "FileHash-SHA1": 31, "SSLCertFingerprint": 11 }, "indicator_count": 6906, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "292 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6867624b645b1724745d6584", "name": "BotX | Multiple attack affects \u2018alleged\u2019 Workforce agency", "description": "A \u2018Unnamed\u2019 workforce agency of questionable legitimacy.\nSerious social engineering. #financial. #pii #phi #gathering. \n#Win32:BotX-gen\\ [Trj]\nIDS Detections\n\u2022 TLS Handshake Failure\nAlerts:\n#dead_host\n#network_icmp\n#nolookup_communication\n#modifies_proxy_wpad\n#allocates_rwx\n#injection_process_search\n#protection_rx\n#antivm_network_adapters\n#process_interest\n#antivm_queries_computername\n#checks_debugger\n#pe_unknown_resource\n#injection #apple #remote #rat #dns #virus #malware #bot_gen #attack #masquerading #monitored_target #staged #worforce #whatstrue #withu4ever\n#hoax #banker #ransom #malvertising #innerparty #overwatch #endgame #mirai #virtool #trojans #privilege #meritless #apple \nWeirdness: \n\u2022 simswap.in (mirai)\n\u2022 twitter\n\u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\ngirlsdoporn.com\t\n\u2022 https://twitter.com/PORNO_SEXYBABES\n\u2022 apple-dns.net\n\u2022 pornhub.com \u2022 www.pornhub.com #1984\n#whatdidtargetdo? #preemptive\n#Team8 wants to know.", "modified": "2025-08-03T04:01:39.496000", "created": "2025-07-04T05:10:35.672000", "tags": [ "utc ua124682679", "google tag", "utc gr8frkfel9k", "utc gjycztvzbg0", "utc gfjlg9p3ltd", "utc g8dm6znp88p", "utc gvev1mxhhbn", "utc na", "palco", "home", "palco og", "palco article", "wordpress", "elementor", "status code", "body length", "kb body", "rdap database", "server", "date", "country", "dnssec", "code", "registrar abuse", "registrar iana", "registrar url", "registrar whois", "registrar", "ttl value", "language", "html document", "ascii text", "doctype", "network", "solutions", "email", "lookups", "for privacy", "united", "creation date", "overview domain", "passive dns", "urls", "files ip", "address", "location united", "asn as13335", "meta", "accept", "present mar", "date checked", "url hostname", "server response", "ip address", "google safe", "results jul", "present jun", "present apr", "entries", "urls show", "results jun", "script urls", "a domains", "moved", "encrypt", "search", "body", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "gmt content", "certificate", "results jan", "present sep", "present may", "present jul", "backdoor", "next associated", "win32", "error", "present", "response ip", "address google", "safe browsing", "associated urls", "show", "results may", "virgin islands", "unknown soa", "unknown ns", "domain", "aaaa", "status", "record value", "name servers", "afe browsing", "gmt setcookie", "path", "vfrbuk1", "lefasbor1", "formula", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "malware", "copy", "present showing", "files show", "date hash", "avast avg", "showing", "present feb", "virtool", "datacenter", "hosting", "vps reverse", "america flag", "america asn", "graphite", "skynet", "win64", "expiration date", "domain add", "pulse pulses", "files", "present nov", "present aug", "kryptikxp", "cname", "whois registrar", "markmonitor", "pulses", "tags", "related tags", "more indicator", "default", "regsetvalueexa", "process32nextw", "regdword", "high", "medium", "todo", "write", "belize", "overview ip", "location belize", "asn as210083", "privex", "alone email", "body doctype", "gmt server", "content type", "t1055", "discovery", "read", "createnowindow", "dock", "push", "motd", "front", "duster" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2054, "hostname": 368, "domain": 251, "CIDR": 1, "FileHash-MD5": 492, "FileHash-SHA1": 522, "URL": 508, "email": 8, "CVE": 1 }, "indicator_count": 4205, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "301 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6867653f0b2d5f4f1abeb55c", "name": "Graphite Mercenary Spyware? Skynet- I failed to adequately research prior pulse. Uh\u2026.hi!", "description": "", "modified": "2025-08-03T04:01:39.496000", "created": "2025-07-04T05:23:11.056000", "tags": [ "utc ua124682679", "google tag", "utc gr8frkfel9k", "utc gjycztvzbg0", "utc gfjlg9p3ltd", "utc g8dm6znp88p", "utc gvev1mxhhbn", "utc na", "palco", "home", "palco og", "palco article", "wordpress", "elementor", "status code", "body length", "kb body", "rdap database", "server", "date", "country", "dnssec", "code", "registrar abuse", "registrar iana", "registrar url", "registrar whois", "registrar", "ttl value", "language", "html document", "ascii text", "doctype", "network", "solutions", "email", "lookups", "for privacy", "united", "creation date", "overview domain", "passive dns", "urls", "files ip", "address", "location united", "asn as13335", "meta", "accept", "present mar", "date checked", "url hostname", "server response", "ip address", "google safe", "results jul", "present jun", "present apr", "entries", "urls show", "results jun", "script urls", "a domains", "moved", "encrypt", "search", "body", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list", "gmt content", "certificate", "results jan", "present sep", "present may", "present jul", "backdoor", "next associated", "win32", "error", "present", "response ip", "address google", "safe browsing", "associated urls", "show", "results may", "virgin islands", "unknown soa", "unknown ns", "domain", "aaaa", "status", "record value", "name servers", "afe browsing", "gmt setcookie", "path", "vfrbuk1", "lefasbor1", "formula", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "malware", "copy", "present showing", "files show", "date hash", "avast avg", "showing", "present feb", "virtool", "datacenter", "hosting", "vps reverse", "america flag", "america asn", "graphite", "skynet", "win64", "expiration date", "domain add", "pulse pulses", "files", "present nov", "present aug", "kryptikxp", "cname", "whois registrar", "markmonitor", "pulses", "tags", "related tags", "more indicator", "default", "regsetvalueexa", "process32nextw", "regdword", "high", "medium", "todo", "write", "belize", "overview ip", "location belize", "asn as210083", "privex", "alone email", "body doctype", "gmt server", "content type", "t1055", "discovery", "read", "createnowindow", "dock", "push", "motd", "front", "duster" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6867624b645b1724745d6584", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2054, "hostname": 368, "domain": 251, "CIDR": 1, "FileHash-MD5": 492, "FileHash-SHA1": 522, "URL": 508, "email": 8, "CVE": 1 }, "indicator_count": 4205, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "301 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.midamericamuseum.org/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.midamericamuseum.org/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780255715.447979 }