{ "type": "URL", "indicator": "https://www.namesilo.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.namesilo.com", "type": "url", "type_title": "URL", "validation": [ { "source": "majestic", "message": "Whitelisted domain namesilo.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2138836489, "indicator": "https://www.namesilo.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6a1bcbeec65e351e3598c593", "name": "Accessibility Features - CAPE Sandbox", "description": "Malicious actors are increasingly weaponizing accessibility features\u2014such as virtual screen readers, braille terminal emulators, and digital mobility assistance interfaces\u2014as high-utility attack vectors. While these frameworks are legally mandated for vulnerable user populations, they inherently require deep operating system permissions, making them primary targets for exploitation. Malicious API Hooking & Keylogging: Attackers leverage UI Automation and Screen Reader APIs to bypass standard process isolation. By mimicking a legitimate vision-assistance tool, malware can intercept keystrokes, harvest active session credentials, and read sensitive on-screen data (vision prescription/medical records) directly from the application layer. Braille or virtual keyboard input pipeline, transparently altering the user's typed characters to change the semantic meaning of outbound communications or commands. research -tbc.", "modified": "2026-05-31T06:05:57.335000", "created": "2026-05-31T05:49:34.164000", "tags": [ "a domains", "date", "status", "moved", "passive dns", "creation date", "as44273 host", "united", "as15169 google", "gmt content", "meta", "unknown", "title", "body", "encrypt", "serving ip", "address", "status code", "body length", "kb body", "sha256", "sameorigin", "xproxycacheinfo", "nc000000 up", "gmt hostheader", "pragma", "date mon", "gmt setcookie", "httponly server", "connection", "true", "health", "merits hq", "d7282f og", "d7282f", "ieedge og", "value a", "cname", "b body", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "registrar", "pdf document", "adobe portable", "document format", "thumbprint", "algorithm", "key identifier", "v3 serial", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 48, "IPv4": 32, "URL": 75, "domain": 20, "hostname": 88, "FileHash-SHA256": 8, "email": 3, "Mutex": 1 }, "indicator_count": 281, "is_author": false, "is_subscribing": null, "subscriber_count": 65, "modified_text": "20 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66931e9dcfaa71b740418cbf", "name": "Hijacked YouTuber Channel/s Unauthorized Admin | admin2.6cv25r3l.sbs", "description": "Social engineering most likely led to this. This admin is also controlling phones, media, medical systems, etc. I cannot adequately put it in words.", "modified": "2024-08-12T23:00:18.687000", "created": "2024-07-14T00:41:01.944000", "tags": [ "passive dns", "urls", "found", "gmt content", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "error", "code", "domain", "name", "algorithm", "create date", "expiry date", "query time", "united", "update date", "update", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "technology", "dns replication", "form", "server", "request email", "registrar abuse", "verisign", "icann whois", "data", "whois database", "email", "tech", "primary root", "serial number", "sha256 code", "signing ca", "file version", "ca valid", "from", "thumbprint", "vs2008", "domains", "enom", "markmonitor inc", "ip detections", "country", "contacted", "win32 exe", "panmap", "text", "file type", "b file", "hostname", "pulse pulses", "sha1", "sha256", "mitre att", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "hybrid", "possible", "local", "click", "strings", "contact", "http response", "final url", "ip address", "status code", "body length", "kb body", "reportto", "date fri", "unknown", "search", "showing", "as16276", "creation date", "emails", "name servers", "servers", "aaaa", "as15169 google", "gmt cache", "443 ma2592000", "ipv4", "asn as13335", "historical ssl", "threat roundup", "july", "ip check", "dns landscape", "iocs", "referrer", "youtube", "briansabey", "network", "attack", "cybercrime", "retaliation" ], "references": [ "admin2.6cv25r3l.sbs, 6cv25r3l.sbs", "Network Related [ATT&CK ID T1566] Possible high-risk domain detected details Domain: \"admin2.6cv25r3l.sbs\" possible high risk indicator source", "https://hybrid-analysis.com/sample/22530e989e1d0e1121edd79cb620951b0a78dc0a4a1fb7ae07719ebb2f2414b0", "Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "\"Crowdsourced YARA rules: Matches rule aPLib_decompression from ruleset aPLib_decompression by @r3c0nst Ruleset: \ufffc YARA ruleset cannot be loaded. Crowdsourced Sigma Rules CRITICAL 0 HIGH 2 MEDIUM 1 LOW 0 Matches rule Remote Thread Creation By Uncommon Source Image by Perez Diego (@darkquassar), oscd.community Matches rule Remote Thread Creation In Uncommon Target Image by Florian Roth (Nextron Systems) Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodo", "CSSR: Matches rule Remote Thread Creation By Uncommon Source Image by Perez Diego (@darkquassar), oscd.community", "CSSR: Matches rule Remote Thread Creation In Uncommon Target Image by Florian Roth (Nextron Systems) Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "CS IDS rules: Matches rule ET MALWARE Tinba Checkin 2 | Matches rule ET MALWARE [PTsecurity] Tinba Checkin 4", "CS IDS rules: Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP traceroute", "CS IDS rules: Matches rule (eth) truncated ethernet header Matches rule PROTOCOL-ICMP PING Matches rule PROTOCOL-ICMP Echo Reply", "MALWARE BANKER EVADER", "CSR YARA rules: Matches rule aPLib_decompression from ruleset aPLib_decompression by @r3c0nst" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114.003", "name": "Email Forwarding Rule", "display_name": "T1114.003 - Email Forwarding Rule" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1401", "name": "Device Administrator Permissions", "display_name": "T1401 - Device Administrator Permissions" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 595, "hostname": 244, "URL": 400, "FileHash-SHA256": 759, "FileHash-MD5": 78, "FileHash-SHA1": 75, "CIDR": 1, "email": 5 }, "indicator_count": 2157, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "657 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6692cf0e2273bb06aa43e43c", "name": "Banker: Through The Nights - YouTube | Errors |", "description": "YouTube creator issue. Hijacked channel. Won't open in VT, 303 error, ransomware files. Ransomware confirmed, limited access/research for today's pulse.", "modified": "2024-08-12T18:02:56.458000", "created": "2024-07-13T19:01:34.484000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "name server", "date", "hybrid", "general", "click", "strings", "contact", "low risk", "domain", "no malware", "found", "site", "ip address", "google network", "unknown", "low security", "risk", "hacked", "protect", "path", "secure", "httponly", "secchuabitness", "secchuamodel", "secchuawow64", "secchuaplatform", "samesitenone", "http response", "final url", "status code", "body length", "kb body", "pragma", "song culture", "tsara lynn", "culture", "chime sa", "mediawarning", "youtube twitter", "jess", "tsara brashears", "zafira songs", "youtube og", "hope", "html info", "meta tags", "data", "v3 serial", "number", "cus ogoogle", "trust", "llc cngts", "validity", "subject public", "key info", "key algorithm", "name", "whois lookup", "create date", "expiry date", "query time", "update date", "update", "passive dns", "gmt content", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "urls", "files", "related pulses", "error", "code", "algorithm", "first" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 343, "SSLCertFingerprint": 8, "URL": 333, "domain": 69, "hostname": 165 }, "indicator_count": 924, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "657 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "CS IDS rules: Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP traceroute", "MALWARE BANKER EVADER", "CSSR: Matches rule Remote Thread Creation In Uncommon Target Image by Florian Roth (Nextron Systems) Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "admin2.6cv25r3l.sbs, 6cv25r3l.sbs", "CS IDS rules: Matches rule (eth) truncated ethernet header Matches rule PROTOCOL-ICMP PING Matches rule PROTOCOL-ICMP Echo Reply", "CSR YARA rules: Matches rule aPLib_decompression from ruleset aPLib_decompression by @r3c0nst", "https://hybrid-analysis.com/sample/22530e989e1d0e1121edd79cb620951b0a78dc0a4a1fb7ae07719ebb2f2414b0", "CS IDS rules: Matches rule ET MALWARE Tinba Checkin 2 | Matches rule ET MALWARE [PTsecurity] Tinba Checkin 4", "\"Crowdsourced YARA rules: Matches rule aPLib_decompression from ruleset aPLib_decompression by @r3c0nst Ruleset: \ufffc YARA ruleset cannot be loaded. Crowdsourced Sigma Rules CRITICAL 0 HIGH 2 MEDIUM 1 LOW 0 Matches rule Remote Thread Creation By Uncommon Source Image by Perez Diego (@darkquassar), oscd.community Matches rule Remote Thread Creation In Uncommon Target Image by Florian Roth (Nextron Systems) Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodo", "Network Related [ATT&CK ID T1566] Possible high-risk domain detected details Domain: \"admin2.6cv25r3l.sbs\" possible high risk indicator source", "CSSR: Matches rule Remote Thread Creation By Uncommon Source Image by Perez Diego (@darkquassar), oscd.community" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 3317 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/namesilo.com", "whois": "http://whois.domaintools.com/namesilo.com", "domain": "namesilo.com", "hostname": "www.namesilo.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6a1bcbeec65e351e3598c593", "name": "Accessibility Features - CAPE Sandbox", "description": "Malicious actors are increasingly weaponizing accessibility features\u2014such as virtual screen readers, braille terminal emulators, and digital mobility assistance interfaces\u2014as high-utility attack vectors. While these frameworks are legally mandated for vulnerable user populations, they inherently require deep operating system permissions, making them primary targets for exploitation. Malicious API Hooking & Keylogging: Attackers leverage UI Automation and Screen Reader APIs to bypass standard process isolation. By mimicking a legitimate vision-assistance tool, malware can intercept keystrokes, harvest active session credentials, and read sensitive on-screen data (vision prescription/medical records) directly from the application layer. Braille or virtual keyboard input pipeline, transparently altering the user's typed characters to change the semantic meaning of outbound communications or commands. research -tbc.", "modified": "2026-05-31T06:05:57.335000", "created": "2026-05-31T05:49:34.164000", "tags": [ "a domains", "date", "status", "moved", "passive dns", "creation date", "as44273 host", "united", "as15169 google", "gmt content", "meta", "unknown", "title", "body", "encrypt", "serving ip", "address", "status code", "body length", "kb body", "sha256", "sameorigin", "xproxycacheinfo", "nc000000 up", "gmt hostheader", "pragma", "date mon", "gmt setcookie", "httponly server", "connection", "true", "health", "merits hq", "d7282f og", "d7282f", "ieedge og", "value a", "cname", "b body", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "registrar", "pdf document", "adobe portable", "document format", "thumbprint", "algorithm", "key identifier", "v3 serial", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 48, "IPv4": 32, "URL": 75, "domain": 20, "hostname": 88, "FileHash-SHA256": 8, "email": 3, "Mutex": 1 }, "indicator_count": 281, "is_author": false, "is_subscribing": null, "subscriber_count": 65, "modified_text": "20 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66931e9dcfaa71b740418cbf", "name": "Hijacked YouTuber Channel/s Unauthorized Admin | admin2.6cv25r3l.sbs", "description": "Social engineering most likely led to this. This admin is also controlling phones, media, medical systems, etc. I cannot adequately put it in words.", "modified": "2024-08-12T23:00:18.687000", "created": "2024-07-14T00:41:01.944000", "tags": [ "passive dns", "urls", "found", "gmt content", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "error", "code", "domain", "name", "algorithm", "create date", "expiry date", "query time", "united", "update date", "update", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "date", "first", "technology", "dns replication", "form", "server", "request email", "registrar abuse", "verisign", "icann whois", "data", "whois database", "email", "tech", "primary root", "serial number", "sha256 code", "signing ca", "file version", "ca valid", "from", "thumbprint", "vs2008", "domains", "enom", "markmonitor inc", "ip detections", "country", "contacted", "win32 exe", "panmap", "text", "file type", "b file", "hostname", "pulse pulses", "sha1", "sha256", "mitre att", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "hybrid", "possible", "local", "click", "strings", "contact", "http response", "final url", "ip address", "status code", "body length", "kb body", "reportto", "date fri", "unknown", "search", "showing", "as16276", "creation date", "emails", "name servers", "servers", "aaaa", "as15169 google", "gmt cache", "443 ma2592000", "ipv4", "asn as13335", "historical ssl", "threat roundup", "july", "ip check", "dns landscape", "iocs", "referrer", "youtube", "briansabey", "network", "attack", "cybercrime", "retaliation" ], "references": [ "admin2.6cv25r3l.sbs, 6cv25r3l.sbs", "Network Related [ATT&CK ID T1566] Possible high-risk domain detected details Domain: \"admin2.6cv25r3l.sbs\" possible high risk indicator source", "https://hybrid-analysis.com/sample/22530e989e1d0e1121edd79cb620951b0a78dc0a4a1fb7ae07719ebb2f2414b0", "Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "\"Crowdsourced YARA rules: Matches rule aPLib_decompression from ruleset aPLib_decompression by @r3c0nst Ruleset: \ufffc YARA ruleset cannot be loaded. Crowdsourced Sigma Rules CRITICAL 0 HIGH 2 MEDIUM 1 LOW 0 Matches rule Remote Thread Creation By Uncommon Source Image by Perez Diego (@darkquassar), oscd.community Matches rule Remote Thread Creation In Uncommon Target Image by Florian Roth (Nextron Systems) Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodo", "CSSR: Matches rule Remote Thread Creation By Uncommon Source Image by Perez Diego (@darkquassar), oscd.community", "CSSR: Matches rule Remote Thread Creation In Uncommon Target Image by Florian Roth (Nextron Systems) Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "CS IDS rules: Matches rule ET MALWARE Tinba Checkin 2 | Matches rule ET MALWARE [PTsecurity] Tinba Checkin 4", "CS IDS rules: Matches rule PROTOCOL-ICMP Unusual PING detected Matches rule PROTOCOL-ICMP traceroute", "CS IDS rules: Matches rule (eth) truncated ethernet header Matches rule PROTOCOL-ICMP PING Matches rule PROTOCOL-ICMP Echo Reply", "MALWARE BANKER EVADER", "CSR YARA rules: Matches rule aPLib_decompression from ruleset aPLib_decompression by @r3c0nst" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114.003", "name": "Email Forwarding Rule", "display_name": "T1114.003 - Email Forwarding Rule" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1401", "name": "Device Administrator Permissions", "display_name": "T1401 - Device Administrator Permissions" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 595, "hostname": 244, "URL": 400, "FileHash-SHA256": 759, "FileHash-MD5": 78, "FileHash-SHA1": 75, "CIDR": 1, "email": 5 }, "indicator_count": 2157, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "657 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6692cf0e2273bb06aa43e43c", "name": "Banker: Through The Nights - YouTube | Errors |", "description": "YouTube creator issue. Hijacked channel. Won't open in VT, 303 error, ransomware files. Ransomware confirmed, limited access/research for today's pulse.", "modified": "2024-08-12T18:02:56.458000", "created": "2024-07-13T19:01:34.484000", "tags": [ "united", "command decode", "suricata ipv4", "mitre att", "ck id", "show technique", "ck matrix", "sha1", "name server", "date", "hybrid", "general", "click", "strings", "contact", "low risk", "domain", "no malware", "found", "site", "ip address", "google network", "unknown", "low security", "risk", "hacked", "protect", "path", "secure", "httponly", "secchuabitness", "secchuamodel", "secchuawow64", "secchuaplatform", "samesitenone", "http response", "final url", "status code", "body length", "kb body", "pragma", "song culture", "tsara lynn", "culture", "chime sa", "mediawarning", "youtube twitter", "jess", "tsara brashears", "zafira songs", "youtube og", "hope", "html info", "meta tags", "data", "v3 serial", "number", "cus ogoogle", "trust", "llc cngts", "validity", "subject public", "key info", "key algorithm", "name", "whois lookup", "create date", "expiry date", "query time", "update date", "update", "passive dns", "gmt content", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "urls", "files", "related pulses", "error", "code", "algorithm", "first" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 343, "SSLCertFingerprint": 8, "URL": 333, "domain": 69, "hostname": 165 }, "indicator_count": 924, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "657 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.namesilo.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.namesilo.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780281518.2100027 }