{ "type": "URL", "indicator": "https://www.neurosky.com.cn", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.neurosky.com.cn", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3664596360, "indicator": "https://www.neurosky.com.cn", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 13, "pulses": [ { "id": "65caca061fbb7674de86ec7b", "name": "Invicta Stealer", "description": "Invicta Stealer is equipped to steal data from most locations of a system which makes it a dangerous threat.\nLink found in https://house.mo.com", "modified": "2024-03-14T01:01:47.115000", "created": "2024-02-13T01:46:46.969000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "resolutions", "communicating", "whois whois", "subdomains", "referrer", "problems", "core", "startpage", "june", "passive dns", "urls", "domain", "otx telemetry", "body", "gmt content", "x adblock", "scan endpoints", "all octoseek", "hostname", "date", "encrypt", "threat roundup", "october", "november", "march", "february", "apple ios", "april", "tsara brashears", "copy", "hacktool", "phishing", "metro", "crypto", "installer", "awful", "united", "unknown", "germany unknown", "search", "servers", "registrar", "name servers", "status", "next", "moved", "address", "creation date", "showing", "ipv4", "pulse submit", "url analysis", "accept", "aaaa", "record type", "ttl value", "html document", "ascii text", "anchor hrefs", "hrefs", "anchor", "anchor href", "threat", "paste", "iocs", "analyze", "hostnames", "url https", "sample", "server", "code", "registry domain", "dnssec", "registrar url", "registrar whois", "iana id", "registrar abuse", "tech email", "fake update", "utilizes new", "idat loader", "stealc", "urls http", "isadultno", "adposbottom", "adformatplain", "adnetworks", "quasar rat", "ip detections", "country", "cellbrite", "execution", "pegasus", "malware", "agent tesla", "attack", "ukraine", "silent", "invicta stealer", "redline stealer", "orcus rat", "files", "germany asn", "as196763", "a domains", "redacted for", "record value", "for privacy", "emails", "name", "contacted urls", "bundled", "de indicators", "domains", "hashes", "gmbh version", "status page", "service privacy", "legal", "impressum", "pulse pulses", "location united", "open", "cookie", "customer", "0 report", "sea alt", "certificate", "#targeting", "#discordwallets", "house.mo.gov" ], "references": [ "https://www.facebooksunglassshop.com/", "CVE-2017-0147 \u2022 CVE-2023-4966 \u2022 CVE-2023-22518", "https://ispy-official.com/ X Cache: Redirect from cloudfront Via: 1.1 030fe0607711293dda988e571617a9f2.cloudfront.net CloudFront X Amz Cf", "Pop: HIO50 C1 X Amz Cf Id: Jt aBPO2nI3Nt D0E4nzqpun66btDLhJ41kQwhDASrIukoWyUOWE1w==", "apple.com-auth.eu [Find apple] | https://applemusic-spotlight.myunidays.com/US/en-US? [compromise via apple media]", "http://init-p01st.push.apple.com/bag [= Google.com.uy modified browser - malicious] apple.com-auth.eu \u2022 appleid.apple.com-auth.eu\u2022", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [apple media compromise. Pega behavior?]", "all-live.secure2storeapple.xxianzi.com \u2022 https://www.symbios.pk/apple-ipod-5-32gb", "http://m.xiang5.com/keyword/17655.html&ht=%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%8D%E8%B4%B9%E9%98%85%E8%AF%BB_%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%A8%E6%9C%AC%E6%97%A0%E5%BC%B9%E7%AA%97-%E9%A6%99%E7%BD%91%E5%B0%8F%E8%AF%B4%E6%89%8B%E6%9C%BA%E7%89%88&uaddr=https:/www.sogou.com/link?url=58p16RfDRLtDzo-0AEmfJoGs8rDRUEq4ejjohgXqBYnQGuHk6xSRXg..&h=1080&w=1920&cd=24&lg=zh-CN&ua=mozilla/5.0%20(windows%20nt%2010.0;%20win64;%20x64)%20", "Tracking: mailtrack.io \u2022 nr-data.net \u2022 tracking.bullseyeedu.com \u2022 https://smtp.mail.pentrack.com \u2022 tracking.vetsindexes.com", "Remote threats: http://watchhers.net/index.php \u2022 http://eye.infunvip.com/appinterface/other/login.remote", "https://plussizedesi.com/wp-content/uploads/2022/07/SniperGhostWarrior2BlackBox_Version_Download_INSTALL.pdf", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password decryption]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 apple collection]", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev", "edgedl.me.gvt1.com", "Link found in https://house.mo.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Invicta Stealer", "display_name": "Invicta Stealer", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "Orcus RAT", "display_name": "Orcus RAT", "target": null }, { "id": "Silent", "display_name": "Silent", "target": null } ], "attack_ids": [], "industries": [ "Government", "Civil Society", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 145, "FileHash-SHA256": 3848, "CVE": 3, "URL": 8291, "domain": 2541, "hostname": 3034, "email": 13 }, "indicator_count": 18028, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "810 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f1860d3062a8cb715ee358", "name": "United Healthcare sponsored Healthy Benefits Plus Attack warning - Contactec", "description": "", "modified": "2024-03-13T10:55:09.654000", "created": "2024-03-13T10:55:09.654000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656d71fbc00b370fde721350", "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "811 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c68bc8b8745068608cc50d", "name": "Metasploit | Ransomware | PinterestPots - Pin.it", "description": "", "modified": "2024-03-10T20:03:45.513000", "created": "2024-02-09T20:32:08.358000", "tags": [ "whois record", "contacted", "tsara brashears", "ssl certificate", "apple ios", "unlocker", "historical ssl", "referrer", "highly targeted", "critical risk", "hacktool", "malicious", "cobalt strike", "metasploit", "installer", "malware", "awful", "android", "banker", "keylogger", "jeffrey reimer", "emreimer", "emily reimer goldstien", "eva lisa", "eva lisa reimer", "status code", "http response", "ieedge date", "maxage86400", "path", "httponly xcdn", "connection", "vary useragent", "targeting brashears", "communicating", "whois whois", "collections", "password", "adult content", "core", "metro", "apple", "copy", "suspicious", "vj99", "threat", "slfrd1", "paste", "iocs", "analyze", "hostnames", "urls http", "jid1221717543", "slc1", "a domains", "united", "search", "date", "as15169 google", "passive dns", "urls", "record value", "name servers", "status", "encrypt", "win32", "next", "msie", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "body", "domain", "unknown", "china unknown", "pulse pulses", "files", "ip address", "servers", "domain name", "showing", "as54113", "as16625 akamai", "as20940", "aaaa", "cname", "as396982 google", "as14061", "script domains", "hostname", "japan unknown", "gmt content", "gmt etag", "pragma", "accept", "location japan", "asn as131965", "less", "pulses", "related tags", "meta", "asn as13335", "443 ma2592000", "certificate", "germany unknown", "script urls", "link", "code", "moved", "russia unknown", "as51659 llc", "as12616 filanc", "welcome", "uhttps", "urls https", "ccb455304", "ccb455307", "vj93", "uyebaauqaaaaaac", "malvertizing", "tagging", "prefetch8", "script", "prefetch1", "command decode", "segoe ui", "suricata ipv4", "emoji", "mitre att", "suricata udpv4", "roboto", "courier", "february", "hybrid", "general", "model", "comspec", "click", "strings" ], "references": [ "https://gr.pinterest.com/emreimer/", "Wife of Brashears SAter \u2022 Alias \u2022 Couple plays victim \u2022 Karens. HIPPA violations. Admittedly involved cyberstalking on Brashears. Legally agreed to stop.", "message.htm.com \u2022 CVE-2023-4966 \u2022 ransomed.vc", "http://neurosky.jp", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex", "http://alohatube.xyz/search/tsara-brashears", "facebooksunglassshop.com [titled' Tsara Brashears GCcmwm.T ?]", "alohatube.xyz [keylogger aimed at Tsara Brashears]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.pornhub.com/video/search?search=tsara+brashears", "http://alohatube.xyz/search/tsara-brashears/", "https://alohatube.xyz/search/tsara-brashears", "https://alohatube.xyz/search/tsara-brashears+(Formerly+Botnetwork+malvertizing+campaign+targeting+Tsara+Brashears+crime+victim.+Now+", "https://www.sweetheartvideo.com/tsara-brashears/", "manvimishraa5417@gmail.com [Video of Tsara Brashears circulation]", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language:", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "https://www.sweetheartvideo.com/tsara-brashears", "https://www.hybrid-analysis.com/sample/92b00ee3aca1f3057ad8402229c27bfdd6fc934908ef641b36379bf47093df0b/65c63a1fbc9c5333d20354ca", "https://www.hybrid-analysis.com/file-inline/65c63a1fbc9c5333d20354ca/screenshot/screen_6.png", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing \u2022 mitre S0154]", "CnC IP's: 104.124.58.137 \u2022 45.159.189.105 | Exploit source: 1.179.151.145 | scanning host: 208.115.103.34", "http://www.proxydocker.com/ja/proxy/43.229.135.125:8080", "https://twitter.com/PORNO_SEXYBABES | cloud.zemana.com - porn cloud", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "www.pornhub.com", "http://www.pinterest.com/ideas/songwriting/945635263947/", "https://www.neurosky.jp/wp-content/plugins/responsive-lightbox/assets/fancybox/jquery.fancybox.min.js?ver=2.1.0", "webdisk.thehomemakers.nl", "http://connectivitycheck.gstatic.com/generate_204 [RAT]", "http://discover.hubpages.com/literature/Most-Beautiful-Quotes-on-Love-and-Heartbreak [RAT| Tagging target in adult content fraud sites]", "https://gujarati.ent24x7.comb [RAT]", "http://clipper.guru/bot/online?guid=PC\\Administrator&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb", "https://tulach.cc/socrative/internal.js", "http://email.birdeye.org/c/eJxkUcFuozAU_JrHsTLPYODAIYQmSqXNqmm3q-4FGfNIrAUbGTtV-_UrklRatT5ZnvGbeTNVmLWhed6HsSVXxiLNsyLniUhFyoqolp6eyPgSE4Ysjw407boSMerKWKV90kdUxhnLuMiyhEenUiZ9LjAuij6PMWdMSpnFJPKkLVQrUhHpEtl1GEuSgvG7DIss6XsZCy7jooghYa12Hb3TnXXHaChP3k8z8BXgBnDziSk7Am4mp5U2xwXim-DHZrbBKQJeT852QfmGRqkHQLGAI3U6jMDr_x-VNZ6MB15vf1SAotUd8PpLEJ9cOU5SHw3w2ppBG2omRzMZRc1CaY0cF-21NTO5s_TaGsDqidxZK5oBq62zYQKsdkYBimmQipqL3vq0e9i3-VoOf-J09_dgq-m-enupQnUEFNp0YfbuHXgNKD70dL04Omt6a5QNF_-H-5fd_e9m_fPX_hlQyPOxuTGc9EtKvF69bJvD6", "https://gujarati.ent24x7.com | https://otx.alienvault.com/indicator/url/https://gujarati.ent24x7.com", "162.159.208.8" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "Trojan:VBS/MetasploitVBSCmdStager", "display_name": "Trojan:VBS/MetasploitVBSCmdStager", "target": "/malware/Trojan:VBS/MetasploitVBSCmdStager" }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3412, "FileHash-MD5": 194, "FileHash-SHA1": 159, "FileHash-SHA256": 2223, "domain": 2117, "hostname": 1763, "CVE": 2, "email": 5 }, "indicator_count": 9875, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656c2345912bea54c4eeb718", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber attack", "description": "I received a request regarding AIG subsidiary United healthcare medicare sponsored healthy benefit plus card. Benefits provided to elderly, disabled SSDI recipients who have lower incomes. I learned 200+ were affected. Remote attacks, apple iOS, phi, health, vision, dental, food beneficiaries. Command and Control server. Research reveals a be deeply impacted target.\nbrowser.events.data.msn.com\nevents-sandbox.data.msn.com\n192.229.211.108 (Virus Network)\nassetscdn.isappcloud.com\nnr-data.net (Apple Private Data Collection)\nphotos1.blogger.com. (Malware site)\nhttp://www.tsarabrashears.com\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \nhttps://www.tsarabrashears.com\ntracker.adxpansion.com access tracker\ntsarabrashears.com\ntt.milehighmedia.com", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-03T06:42:13.993000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": null, "export_count": 121, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "882 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656d71fbc00b370fde721350", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber ", "description": "", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-04T06:30:19.057000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656c2345912bea54c4eeb718", "export_count": 126, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "882 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655950034e6ae4650a6b02ce", "name": "Python Initiated Connection | Spyware | Remote Attacks | | Part 4", "description": "Apple, Mac, iOS, phishing, frauds services, malware, trojan.allesgreh/trojan.allesgreh/respat, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and possibly others. Python Initiated Connection, WScriptShell_Case_Anomaly.\nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-19T00:00:03.258000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "896 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655aef8a8cc2e0929f2aa5ea", "name": "Python Initiated Connection | Spyware | Remote Attacks |", "description": "", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-20T05:32:58.400000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "655950034e6ae4650a6b02ce", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "896 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655823a74460eb0f3e988a29", "name": "frigostInjector.exe", "description": "frigostInjector.exe\nFilehash SHA256:\n01518ea55a03fdad6f24c0614a46796d224c29f4ec96e69eacbfc7b14a921693\n\nhttp://kramtechnology.com/ \nServing as Metrobyt-mobile spyware", "modified": "2023-12-18T02:05:01.073000", "created": "2023-11-18T02:38:31.974000", "tags": [ "ssl certificate", "contacted", "whois record", "pe resource", "malware", "network", "highly targeted", "unauthorized", "wannacry kill", "switch dns", "cyberwar", "emotet", "critical", "copy", "attack", "neworder.doc", "milum", "url https", "url http", "type33554433", "guid", "smauthreason0", "methodget", "targetsmhttps", "months ago", "scan endpoints", "all search", "date", "next", "urls", "ip detections", "country", "registrar", "cloudflare", "win32 dll", "file size", "file type", "sha256", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "ms windows", "intel", "trid generic", "sections", "streams size", "entropy chi2", "blob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "Milum", "display_name": "Milum", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 88, "FileHash-SHA1": 80, "FileHash-SHA256": 204, "URL": 266, "CVE": 1, "domain": 200, "hostname": 93, "email": 1 }, "indicator_count": 933, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655823a90db61fbeb599b736", "name": "frigostInjector.exe", "description": "frigostInjector.exe\nFilehash SHA256:\n01518ea55a03fdad6f24c0614a46796d224c29f4ec96e69eacbfc7b14a921693\n\nhttp://kramtechnology.com/ \nServing as Metrobyt-mobile spyware", "modified": "2023-12-18T02:05:01.073000", "created": "2023-11-18T02:38:33.470000", "tags": [ "ssl certificate", "contacted", "whois record", "pe resource", "malware", "network", "highly targeted", "unauthorized", "wannacry kill", "switch dns", "cyberwar", "emotet", "critical", "copy", "attack", "neworder.doc", "milum", "url https", "url http", "type33554433", "guid", "smauthreason0", "methodget", "targetsmhttps", "months ago", "scan endpoints", "all search", "date", "next", "urls", "ip detections", "country", "registrar", "cloudflare", "win32 dll", "file size", "file type", "sha256", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "ms windows", "intel", "trid generic", "sections", "streams size", "entropy chi2", "blob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "Milum", "display_name": "Milum", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 88, "FileHash-SHA1": 80, "FileHash-SHA256": 204, "URL": 266, "CVE": 1, "domain": 200, "hostname": 93, "email": 1 }, "indicator_count": 933, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6558408d453f2ee72cb9537e", "name": "frigostInjector.exe", "description": "", "modified": "2023-12-18T02:05:01.073000", "created": "2023-11-18T04:41:49.188000", "tags": [ "ssl certificate", "contacted", "whois record", "pe resource", "malware", "network", "highly targeted", "unauthorized", "wannacry kill", "switch dns", "cyberwar", "emotet", "critical", "copy", "attack", "neworder.doc", "milum", "url https", "url http", "type33554433", "guid", "smauthreason0", "methodget", "targetsmhttps", "months ago", "scan endpoints", "all search", "date", "next", "urls", "ip detections", "country", "registrar", "cloudflare", "win32 dll", "file size", "file type", "sha256", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "ms windows", "intel", "trid generic", "sections", "streams size", "entropy chi2", "blob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "Milum", "display_name": "Milum", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "655823a90db61fbeb599b736", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 88, "FileHash-SHA1": 80, "FileHash-SHA256": 204, "URL": 266, "CVE": 1, "domain": 200, "hostname": 93, "email": 1 }, "indicator_count": 933, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657099a94208c92832a9ae93", "name": "104.26.15.190 - emotet stuff within surprisngly", "description": "", "modified": "2023-12-06T15:56:25.288000", "created": "2023-12-06T15:56:25.288000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 270, "domain": 219, "hostname": 286, "CVE": 1, "URL": 873, "FileHash-MD5": 23, "FileHash-SHA1": 23 }, "indicator_count": 1695, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "643bff06e4d76aeeef0dfc53", "name": "104.26.15.190 - emotet stuff within surprisngly", "description": "", "modified": "2023-04-16T13:58:30.873000", "created": "2023-04-16T13:58:30.873000", "tags": [ "ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net", "104.26.15.190" ], "references": [ "gb346a563ff624be090f8a545b88fc22d36e315bad47d4edc96fa67ef2e15e6c4 2.json - 104.26.15.190", "https://www.virustotal.com/graph/gb346a563ff624be090f8a545b88fc22d36e315bad47d4edc96fa67ef2e15e6c4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Emotet - S0367", "display_name": "Emotet - S0367", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 286, "URL": 873, "FileHash-SHA256": 270, "domain": 219, "IPv4": 30, "CVE": 1, "FileHash-MD5": 23, "FileHash-SHA1": 23 }, "indicator_count": 1725, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1142 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "643aa96c0a17c522a73e3482", "name": "neurosky.com.cn", "description": "", "modified": "2023-04-15T13:47:28.396000", "created": "2023-04-15T13:41:00.299000", "tags": [ "neurosky", "https://www.virustotal.com/graph/gaccc12b736de4813b7c896a823f2ba" ], "references": [ "https://www.virustotal.com/graph/gaccc12b736de4813b7c896a823f2ba61901af74c07b64173be6ccafef1f02b34" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1955, "hostname": 760, "FileHash-SHA256": 769, "domain": 328, "IPv4": 67, "FileHash-MD5": 56, "FileHash-SHA1": 56, "SSLCertFingerprint": 2 }, "indicator_count": 3993, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "1143 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "162.159.208.8", "http://connectivitycheck.gstatic.com/generate_204 [RAT]", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [apple media compromise. Pega behavior?]", "edgedl.me.gvt1.com", "https://tulach.cc/socrative/internal.js", "https://www.hybrid-analysis.com/file-inline/65c63a1fbc9c5333d20354ca/screenshot/screen_6.png", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password decryption]", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing \u2022 mitre S0154]", "http://alohatube.xyz/search/tsara-brashears/", "facebooksunglassshop.com [titled' Tsara Brashears GCcmwm.T ?]", "CVE-2017-0147 \u2022 CVE-2023-4966 \u2022 CVE-2023-22518", "http://clipper.guru/bot/online?guid=PC\\Administrator&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb", "hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev", "http://alohatube.xyz/search/tsara-brashears", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://twitter.com/PORNO_SEXYBABES | cloud.zemana.com - porn cloud", "https://ispy-official.com/ X Cache: Redirect from cloudfront Via: 1.1 030fe0607711293dda988e571617a9f2.cloudfront.net CloudFront X Amz Cf", "https://www.hybrid-analysis.com/sample/92b00ee3aca1f3057ad8402229c27bfdd6fc934908ef641b36379bf47093df0b/65c63a1fbc9c5333d20354ca", "http://init-p01st.push.apple.com/bag [= Google.com.uy modified browser - malicious] apple.com-auth.eu \u2022 appleid.apple.com-auth.eu\u2022", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 apple collection]", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language:", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "www.pornhub.com", "https://www.neurosky.jp/wp-content/plugins/responsive-lightbox/assets/fancybox/jquery.fancybox.min.js?ver=2.1.0", "https://www.sweetheartvideo.com/tsara-brashears/", "gb346a563ff624be090f8a545b88fc22d36e315bad47d4edc96fa67ef2e15e6c4 2.json - 104.26.15.190", "https://www.virustotal.com/graph/gaccc12b736de4813b7c896a823f2ba61901af74c07b64173be6ccafef1f02b34", "http://m.xiang5.com/keyword/17655.html&ht=%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%8D%E8%B4%B9%E9%98%85%E8%AF%BB_%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%A8%E6%9C%AC%E6%97%A0%E5%BC%B9%E7%AA%97-%E9%A6%99%E7%BD%91%E5%B0%8F%E8%AF%B4%E6%89%8B%E6%9C%BA%E7%89%88&uaddr=https:/www.sogou.com/link?url=58p16RfDRLtDzo-0AEmfJoGs8rDRUEq4ejjohgXqBYnQGuHk6xSRXg..&h=1080&w=1920&cd=24&lg=zh-CN&ua=mozilla/5.0%20(windows%20nt%2010.0;%20win64;%20x64)%20", "https://gr.pinterest.com/emreimer/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Wife of Brashears SAter \u2022 Alias \u2022 Couple plays victim \u2022 Karens. HIPPA violations. Admittedly involved cyberstalking on Brashears. Legally agreed to stop.", "webdisk.thehomemakers.nl", "http://discover.hubpages.com/literature/Most-Beautiful-Quotes-on-Love-and-Heartbreak [RAT| Tagging target in adult content fraud sites]", "wallpapers-nature.com", "https://gujarati.ent24x7.comb [RAT]", "https://www.sweetheartvideo.com/tsara-brashears", "message.htm.com \u2022 CVE-2023-4966 \u2022 ransomed.vc", "https://www.facebooksunglassshop.com/", "Tracking: mailtrack.io \u2022 nr-data.net \u2022 tracking.bullseyeedu.com \u2022 https://smtp.mail.pentrack.com \u2022 tracking.vetsindexes.com", "http://neurosky.jp", "https://gujarati.ent24x7.com | https://otx.alienvault.com/indicator/url/https://gujarati.ent24x7.com", "https://www.virustotal.com/graph/gb346a563ff624be090f8a545b88fc22d36e315bad47d4edc96fa67ef2e15e6c4", "alohatube.xyz [keylogger aimed at Tsara Brashears]", "http://www.pinterest.com/ideas/songwriting/945635263947/", "Remote threats: http://watchhers.net/index.php \u2022 http://eye.infunvip.com/appinterface/other/login.remote", "apple.com-auth.eu [Find apple] | https://applemusic-spotlight.myunidays.com/US/en-US? [compromise via apple media]", "manvimishraa5417@gmail.com [Video of Tsara Brashears circulation]", "http://email.birdeye.org/c/eJxkUcFuozAU_JrHsTLPYODAIYQmSqXNqmm3q-4FGfNIrAUbGTtV-_UrklRatT5ZnvGbeTNVmLWhed6HsSVXxiLNsyLniUhFyoqolp6eyPgSE4Ysjw407boSMerKWKV90kdUxhnLuMiyhEenUiZ9LjAuij6PMWdMSpnFJPKkLVQrUhHpEtl1GEuSgvG7DIss6XsZCy7jooghYa12Hb3TnXXHaChP3k8z8BXgBnDziSk7Am4mp5U2xwXim-DHZrbBKQJeT852QfmGRqkHQLGAI3U6jMDr_x-VNZ6MB15vf1SAotUd8PpLEJ9cOU5SHw3w2ppBG2omRzMZRc1CaY0cF-21NTO5s_TaGsDqidxZK5oBq62zYQKsdkYBimmQipqL3vq0e9i3-VoOf-J09_dgq-m-enupQnUEFNp0YfbuHXgNKD70dL04Omt6a5QNF_-H-5fd_e9m_fPX_hlQyPOxuTGc9EtKvF69bJvD6", "CnC IP's: 104.124.58.137 \u2022 45.159.189.105 | Exploit source: 1.179.151.145 | scanning host: 208.115.103.34", "https://alohatube.xyz/search/tsara-brashears+(Formerly+Botnetwork+malvertizing+campaign+targeting+Tsara+Brashears+crime+victim.+Now+", "Pop: HIO50 C1 X Amz Cf Id: Jt aBPO2nI3Nt D0E4nzqpun66btDLhJ41kQwhDASrIukoWyUOWE1w==", "https://www.pornhub.com/video/search?search=tsara+brashears", "https://plussizedesi.com/wp-content/uploads/2022/07/SniperGhostWarrior2BlackBox_Version_Download_INSTALL.pdf", "https://alohatube.xyz/search/tsara-brashears", "http://www.proxydocker.com/ja/proxy/43.229.135.125:8080", "http://45.159.189.105/bot/regex", "Link found in https://house.mo.com", "all-live.secure2storeapple.xxianzi.com \u2022 https://www.symbios.pk/apple-ipod-5-32gb" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Milum", "Cobalt strike", "Neworder.doc", "Generic", "Trojanspy", "Et", "Hacktool", "Orcus rat", "Redline stealer", "Pegasus", "Invicta stealer", "Emotet", "Silent", "Gc", "Maltiverse", "Trojan:vbs/metasploitvbscmdstager", "Webtoolbar", "Quasar rat", "Emotet - s0367" ], "industries": [ "Government", "Telecommunications", "Food", "Civil society", "Media", "Health", "Technology" ], "unique_indicators": 81024 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/neurosky.com.cn", "whois": "http://whois.domaintools.com/neurosky.com.cn", "domain": "neurosky.com.cn", "hostname": "www.neurosky.com.cn" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 13, "pulses": [ { "id": "65caca061fbb7674de86ec7b", "name": "Invicta Stealer", "description": "Invicta Stealer is equipped to steal data from most locations of a system which makes it a dangerous threat.\nLink found in https://house.mo.com", "modified": "2024-03-14T01:01:47.115000", "created": "2024-02-13T01:46:46.969000", "tags": [ "ssl certificate", "whois record", "contacted", "historical ssl", "resolutions", "communicating", "whois whois", "subdomains", "referrer", "problems", "core", "startpage", "june", "passive dns", "urls", "domain", "otx telemetry", "body", "gmt content", "x adblock", "scan endpoints", "all octoseek", "hostname", "date", "encrypt", "threat roundup", "october", "november", "march", "february", "apple ios", "april", "tsara brashears", "copy", "hacktool", "phishing", "metro", "crypto", "installer", "awful", "united", "unknown", "germany unknown", "search", "servers", "registrar", "name servers", "status", "next", "moved", "address", "creation date", "showing", "ipv4", "pulse submit", "url analysis", "accept", "aaaa", "record type", "ttl value", "html document", "ascii text", "anchor hrefs", "hrefs", "anchor", "anchor href", "threat", "paste", "iocs", "analyze", "hostnames", "url https", "sample", "server", "code", "registry domain", "dnssec", "registrar url", "registrar whois", "iana id", "registrar abuse", "tech email", "fake update", "utilizes new", "idat loader", "stealc", "urls http", "isadultno", "adposbottom", "adformatplain", "adnetworks", "quasar rat", "ip detections", "country", "cellbrite", "execution", "pegasus", "malware", "agent tesla", "attack", "ukraine", "silent", "invicta stealer", "redline stealer", "orcus rat", "files", "germany asn", "as196763", "a domains", "redacted for", "record value", "for privacy", "emails", "name", "contacted urls", "bundled", "de indicators", "domains", "hashes", "gmbh version", "status page", "service privacy", "legal", "impressum", "pulse pulses", "location united", "open", "cookie", "customer", "0 report", "sea alt", "certificate", "#targeting", "#discordwallets", "house.mo.gov" ], "references": [ "https://www.facebooksunglassshop.com/", "CVE-2017-0147 \u2022 CVE-2023-4966 \u2022 CVE-2023-22518", "https://ispy-official.com/ X Cache: Redirect from cloudfront Via: 1.1 030fe0607711293dda988e571617a9f2.cloudfront.net CloudFront X Amz Cf", "Pop: HIO50 C1 X Amz Cf Id: Jt aBPO2nI3Nt D0E4nzqpun66btDLhJ41kQwhDASrIukoWyUOWE1w==", "apple.com-auth.eu [Find apple] | https://applemusic-spotlight.myunidays.com/US/en-US? [compromise via apple media]", "http://init-p01st.push.apple.com/bag [= Google.com.uy modified browser - malicious] apple.com-auth.eu \u2022 appleid.apple.com-auth.eu\u2022", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [apple media compromise. Pega behavior?]", "all-live.secure2storeapple.xxianzi.com \u2022 https://www.symbios.pk/apple-ipod-5-32gb", "http://m.xiang5.com/keyword/17655.html&ht=%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%8D%E8%B4%B9%E9%98%85%E8%AF%BB_%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%A8%E6%9C%AC%E6%97%A0%E5%BC%B9%E7%AA%97-%E9%A6%99%E7%BD%91%E5%B0%8F%E8%AF%B4%E6%89%8B%E6%9C%BA%E7%89%88&uaddr=https:/www.sogou.com/link?url=58p16RfDRLtDzo-0AEmfJoGs8rDRUEq4ejjohgXqBYnQGuHk6xSRXg..&h=1080&w=1920&cd=24&lg=zh-CN&ua=mozilla/5.0%20(windows%20nt%2010.0;%20win64;%20x64)%20", "Tracking: mailtrack.io \u2022 nr-data.net \u2022 tracking.bullseyeedu.com \u2022 https://smtp.mail.pentrack.com \u2022 tracking.vetsindexes.com", "Remote threats: http://watchhers.net/index.php \u2022 http://eye.infunvip.com/appinterface/other/login.remote", "https://plussizedesi.com/wp-content/uploads/2022/07/SniperGhostWarrior2BlackBox_Version_Download_INSTALL.pdf", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password decryption]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 apple collection]", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev", "edgedl.me.gvt1.com", "Link found in https://house.mo.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Invicta Stealer", "display_name": "Invicta Stealer", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "Orcus RAT", "display_name": "Orcus RAT", "target": null }, { "id": "Silent", "display_name": "Silent", "target": null } ], "attack_ids": [], "industries": [ "Government", "Civil Society", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 153, "FileHash-SHA1": 145, "FileHash-SHA256": 3848, "CVE": 3, "URL": 8291, "domain": 2541, "hostname": 3034, "email": 13 }, "indicator_count": 18028, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "810 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f1860d3062a8cb715ee358", "name": "United Healthcare sponsored Healthy Benefits Plus Attack warning - Contactec", "description": "", "modified": "2024-03-13T10:55:09.654000", "created": "2024-03-13T10:55:09.654000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656d71fbc00b370fde721350", "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "811 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c68bc8b8745068608cc50d", "name": "Metasploit | Ransomware | PinterestPots - Pin.it", "description": "", "modified": "2024-03-10T20:03:45.513000", "created": "2024-02-09T20:32:08.358000", "tags": [ "whois record", "contacted", "tsara brashears", "ssl certificate", "apple ios", "unlocker", "historical ssl", "referrer", "highly targeted", "critical risk", "hacktool", "malicious", "cobalt strike", "metasploit", "installer", "malware", "awful", "android", "banker", "keylogger", "jeffrey reimer", "emreimer", "emily reimer goldstien", "eva lisa", "eva lisa reimer", "status code", "http response", "ieedge date", "maxage86400", "path", "httponly xcdn", "connection", "vary useragent", "targeting brashears", "communicating", "whois whois", "collections", "password", "adult content", "core", "metro", "apple", "copy", "suspicious", "vj99", "threat", "slfrd1", "paste", "iocs", "analyze", "hostnames", "urls http", "jid1221717543", "slc1", "a domains", "united", "search", "date", "as15169 google", "passive dns", "urls", "record value", "name servers", "status", "encrypt", "win32", "next", "msie", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "body", "domain", "unknown", "china unknown", "pulse pulses", "files", "ip address", "servers", "domain name", "showing", "as54113", "as16625 akamai", "as20940", "aaaa", "cname", "as396982 google", "as14061", "script domains", "hostname", "japan unknown", "gmt content", "gmt etag", "pragma", "accept", "location japan", "asn as131965", "less", "pulses", "related tags", "meta", "asn as13335", "443 ma2592000", "certificate", "germany unknown", "script urls", "link", "code", "moved", "russia unknown", "as51659 llc", "as12616 filanc", "welcome", "uhttps", "urls https", "ccb455304", "ccb455307", "vj93", "uyebaauqaaaaaac", "malvertizing", "tagging", "prefetch8", "script", "prefetch1", "command decode", "segoe ui", "suricata ipv4", "emoji", "mitre att", "suricata udpv4", "roboto", "courier", "february", "hybrid", "general", "model", "comspec", "click", "strings" ], "references": [ "https://gr.pinterest.com/emreimer/", "Wife of Brashears SAter \u2022 Alias \u2022 Couple plays victim \u2022 Karens. HIPPA violations. Admittedly involved cyberstalking on Brashears. Legally agreed to stop.", "message.htm.com \u2022 CVE-2023-4966 \u2022 ransomed.vc", "http://neurosky.jp", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex", "http://alohatube.xyz/search/tsara-brashears", "facebooksunglassshop.com [titled' Tsara Brashears GCcmwm.T ?]", "alohatube.xyz [keylogger aimed at Tsara Brashears]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.pornhub.com/video/search?search=tsara+brashears", "http://alohatube.xyz/search/tsara-brashears/", "https://alohatube.xyz/search/tsara-brashears", "https://alohatube.xyz/search/tsara-brashears+(Formerly+Botnetwork+malvertizing+campaign+targeting+Tsara+Brashears+crime+victim.+Now+", "https://www.sweetheartvideo.com/tsara-brashears/", "manvimishraa5417@gmail.com [Video of Tsara Brashears circulation]", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language:", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "https://www.sweetheartvideo.com/tsara-brashears", "https://www.hybrid-analysis.com/sample/92b00ee3aca1f3057ad8402229c27bfdd6fc934908ef641b36379bf47093df0b/65c63a1fbc9c5333d20354ca", "https://www.hybrid-analysis.com/file-inline/65c63a1fbc9c5333d20354ca/screenshot/screen_6.png", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing \u2022 mitre S0154]", "CnC IP's: 104.124.58.137 \u2022 45.159.189.105 | Exploit source: 1.179.151.145 | scanning host: 208.115.103.34", "http://www.proxydocker.com/ja/proxy/43.229.135.125:8080", "https://twitter.com/PORNO_SEXYBABES | cloud.zemana.com - porn cloud", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "www.pornhub.com", "http://www.pinterest.com/ideas/songwriting/945635263947/", "https://www.neurosky.jp/wp-content/plugins/responsive-lightbox/assets/fancybox/jquery.fancybox.min.js?ver=2.1.0", "webdisk.thehomemakers.nl", "http://connectivitycheck.gstatic.com/generate_204 [RAT]", "http://discover.hubpages.com/literature/Most-Beautiful-Quotes-on-Love-and-Heartbreak [RAT| Tagging target in adult content fraud sites]", "https://gujarati.ent24x7.comb [RAT]", "http://clipper.guru/bot/online?guid=PC\\Administrator&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb", "https://tulach.cc/socrative/internal.js", "http://email.birdeye.org/c/eJxkUcFuozAU_JrHsTLPYODAIYQmSqXNqmm3q-4FGfNIrAUbGTtV-_UrklRatT5ZnvGbeTNVmLWhed6HsSVXxiLNsyLniUhFyoqolp6eyPgSE4Ysjw407boSMerKWKV90kdUxhnLuMiyhEenUiZ9LjAuij6PMWdMSpnFJPKkLVQrUhHpEtl1GEuSgvG7DIss6XsZCy7jooghYa12Hb3TnXXHaChP3k8z8BXgBnDziSk7Am4mp5U2xwXim-DHZrbBKQJeT852QfmGRqkHQLGAI3U6jMDr_x-VNZ6MB15vf1SAotUd8PpLEJ9cOU5SHw3w2ppBG2omRzMZRc1CaY0cF-21NTO5s_TaGsDqidxZK5oBq62zYQKsdkYBimmQipqL3vq0e9i3-VoOf-J09_dgq-m-enupQnUEFNp0YfbuHXgNKD70dL04Omt6a5QNF_-H-5fd_e9m_fPX_hlQyPOxuTGc9EtKvF69bJvD6", "https://gujarati.ent24x7.com | https://otx.alienvault.com/indicator/url/https://gujarati.ent24x7.com", "162.159.208.8" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "Trojan:VBS/MetasploitVBSCmdStager", "display_name": "Trojan:VBS/MetasploitVBSCmdStager", "target": "/malware/Trojan:VBS/MetasploitVBSCmdStager" }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3412, "FileHash-MD5": 194, "FileHash-SHA1": 159, "FileHash-SHA256": 2223, "domain": 2117, "hostname": 1763, "CVE": 2, "email": 5 }, "indicator_count": 9875, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656c2345912bea54c4eeb718", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber attack", "description": "I received a request regarding AIG subsidiary United healthcare medicare sponsored healthy benefit plus card. Benefits provided to elderly, disabled SSDI recipients who have lower incomes. I learned 200+ were affected. Remote attacks, apple iOS, phi, health, vision, dental, food beneficiaries. Command and Control server. Research reveals a be deeply impacted target.\nbrowser.events.data.msn.com\nevents-sandbox.data.msn.com\n192.229.211.108 (Virus Network)\nassetscdn.isappcloud.com\nnr-data.net (Apple Private Data Collection)\nphotos1.blogger.com. (Malware site)\nhttp://www.tsarabrashears.com\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \nhttps://www.tsarabrashears.com\ntracker.adxpansion.com access tracker\ntsarabrashears.com\ntt.milehighmedia.com", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-03T06:42:13.993000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": null, "export_count": 121, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "882 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656d71fbc00b370fde721350", "name": "United Healthcare sponsored Healthy Benefits Plus | Apple cyber ", "description": "", "modified": "2024-01-02T06:03:26.454000", "created": "2023-12-04T06:30:19.057000", "tags": [ "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "cisco umbrella", "site", "alexa top", "million", "safe site", "malware", "alexa safe", "alexa", "malicious url", "team malware", "phishtank", "united", "cnc zeus", "tracker", "cnc server", "malware site", "malicious site", "engineering", "telefonica peru", "phishing site", "zeus", "pony", "zbot", "facebook", "andromeda", "emotet", "download", "team", "pattern match", "ascii text", "file", "appdata", "windows nt", "date", "mitre att", "misc attack", "ck id", "unknown", "click", "hybrid", "general", "twitter", "strings", "class", "generator", "critical", "error", "heur", "unsafe", "iframe", "artemis", "agent", "downldr", "presenoker", "riskware", "opencandy", "cleaner", "wacatac", "nircmd", "swrort", "tiggre", "filetour", "conduit", "crack", "exploit", "phishing", "xrat", "xtrat", "coinminer", "acint", "systweak", "behav", "genkryptik", "installpack", "fusioncore", "raccoon", "redline stealer", "metastealer", "azorult", "service", "runescape", "bank", "softcnapp", "installcore", "unruy", "patcher", "adload", "exit", "traffic", "et tor", "known tor", "relayrouter", "node tcp", "ice fog", "anonymizer", "ssl certificate", "whois record", "whois whois", "historical ssl", "contacted", "whois domain", "referrer", "contacted urls", "communicating", "resolutions", "roundup", "october", "skynet", "korplug", "attack", "possible", "hacktool", "colibri loader", "blacklist https", "suppobox", "cyber threat", "bambernek", "malicious", "ramnit", "zpevdo", "cnc ransomware", "threats et", "feodo", "formbook", "nymaim", "cve201711882", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers via", "pragma", "date thu", "solutran", "html info", "title healthy", "benefits plus", "easy", "access", "health benefits", "meta tags", "google play", "plus", "apple ios", "november", "zanubis latam", "banker ip", "unauthorized", "devoted high", "android", "generic malware", "dnspionage", "fri may", "first", "generic", "blacklist http", "site top", "site safe", "million alexa", "blacknet rat", "stealer", "cobalt strike", "suspicious", "win64", "show technique", "ck matrix", "accept", "local", "filerepmetagen", "redirector", "script", "adware", "maltiverse", "utc submissions", "submitters", "corporation", "cloudflarenet", "lg dacom", "attinternet4", "bcminfonetas", "google", "tucows", "level3", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "iobit", "dropper", "trojanx", "webshell", "noname057", "webtoolbar", "trojanspy", "microsoft", "union", "paypal", "ransomware", "virut", "root ca", "authority", "temp", "ecc root", "span", "body", "refresh", "tools", "mail spammer", "et cins", "active threat", "reputation ip", "cins active", "poor reputation", "ip tcp", "status url", "nixi special", "gandi sas", "dynadot llc", "internet se", "namecheap inc", "ionos se", "dynadot", "evoplus ltd", "arsys internet", "enom", "ip detections", "country", "medicare", "apple private", "data collection", "hostname", "url http", "author avatar", "apple", "hours ago", "ssdi", "command", "value", "value1", "extra", "currentversion", "partnerid0", "username", "gamesessionid", "false", "proxy", "firehol", "fakealert", "asyncrat", "applicunwnt", "april", "threat roundup", "368600", "320700", "startpage" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Taiwan", "China", "United States of America", "Singapore" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" } ], "industries": [ "Health", "Food" ], "TLP": "green", "cloned_from": "656c2345912bea54c4eeb718", "export_count": 126, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2265, "FileHash-SHA1": 1101, "FileHash-SHA256": 4574, "domain": 2209, "hostname": 2181, "URL": 8911, "CVE": 20, "email": 1, "URI": 1 }, "indicator_count": 21263, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "882 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655950034e6ae4650a6b02ce", "name": "Python Initiated Connection | Spyware | Remote Attacks | | Part 4", "description": "Apple, Mac, iOS, phishing, frauds services, malware, trojan.allesgreh/trojan.allesgreh/respat, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and possibly others. Python Initiated Connection, WScriptShell_Case_Anomaly.\nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-19T00:00:03.258000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "896 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655aef8a8cc2e0929f2aa5ea", "name": "Python Initiated Connection | Spyware | Remote Attacks |", "description": "", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-20T05:32:58.400000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "655950034e6ae4650a6b02ce", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "896 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655823a74460eb0f3e988a29", "name": "frigostInjector.exe", "description": "frigostInjector.exe\nFilehash SHA256:\n01518ea55a03fdad6f24c0614a46796d224c29f4ec96e69eacbfc7b14a921693\n\nhttp://kramtechnology.com/ \nServing as Metrobyt-mobile spyware", "modified": "2023-12-18T02:05:01.073000", "created": "2023-11-18T02:38:31.974000", "tags": [ "ssl certificate", "contacted", "whois record", "pe resource", "malware", "network", "highly targeted", "unauthorized", "wannacry kill", "switch dns", "cyberwar", "emotet", "critical", "copy", "attack", "neworder.doc", "milum", "url https", "url http", "type33554433", "guid", "smauthreason0", "methodget", "targetsmhttps", "months ago", "scan endpoints", "all search", "date", "next", "urls", "ip detections", "country", "registrar", "cloudflare", "win32 dll", "file size", "file type", "sha256", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "ms windows", "intel", "trid generic", "sections", "streams size", "entropy chi2", "blob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "Milum", "display_name": "Milum", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 88, "FileHash-SHA1": 80, "FileHash-SHA256": 204, "URL": 266, "CVE": 1, "domain": 200, "hostname": 93, "email": 1 }, "indicator_count": 933, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655823a90db61fbeb599b736", "name": "frigostInjector.exe", "description": "frigostInjector.exe\nFilehash SHA256:\n01518ea55a03fdad6f24c0614a46796d224c29f4ec96e69eacbfc7b14a921693\n\nhttp://kramtechnology.com/ \nServing as Metrobyt-mobile spyware", "modified": "2023-12-18T02:05:01.073000", "created": "2023-11-18T02:38:33.470000", "tags": [ "ssl certificate", "contacted", "whois record", "pe resource", "malware", "network", "highly targeted", "unauthorized", "wannacry kill", "switch dns", "cyberwar", "emotet", "critical", "copy", "attack", "neworder.doc", "milum", "url https", "url http", "type33554433", "guid", "smauthreason0", "methodget", "targetsmhttps", "months ago", "scan endpoints", "all search", "date", "next", "urls", "ip detections", "country", "registrar", "cloudflare", "win32 dll", "file size", "file type", "sha256", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "ms windows", "intel", "trid generic", "sections", "streams size", "entropy chi2", "blob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "Milum", "display_name": "Milum", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 88, "FileHash-SHA1": 80, "FileHash-SHA256": 204, "URL": 266, "CVE": 1, "domain": 200, "hostname": 93, "email": 1 }, "indicator_count": 933, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6558408d453f2ee72cb9537e", "name": "frigostInjector.exe", "description": "", "modified": "2023-12-18T02:05:01.073000", "created": "2023-11-18T04:41:49.188000", "tags": [ "ssl certificate", "contacted", "whois record", "pe resource", "malware", "network", "highly targeted", "unauthorized", "wannacry kill", "switch dns", "cyberwar", "emotet", "critical", "copy", "attack", "neworder.doc", "milum", "url https", "url http", "type33554433", "guid", "smauthreason0", "methodget", "targetsmhttps", "months ago", "scan endpoints", "all search", "date", "next", "urls", "ip detections", "country", "registrar", "cloudflare", "win32 dll", "file size", "file type", "sha256", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "ms windows", "intel", "trid generic", "sections", "streams size", "entropy chi2", "blob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "Milum", "display_name": "Milum", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "655823a90db61fbeb599b736", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 88, "FileHash-SHA1": 80, "FileHash-SHA256": 204, "URL": 266, "CVE": 1, "domain": 200, "hostname": 93, "email": 1 }, "indicator_count": 933, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.neurosky.com.cn", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.neurosky.com.cn", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780402130.979835 }