{ "type": "URL", "indicator": "https://www.oursccl.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.oursccl.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3754851643, "indicator": "https://www.oursccl.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 15, "pulses": [ { "id": "6523344e4adc85389899504c", "name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]", "description": "", "modified": "2024-10-13T03:00:28.081000", "created": "2023-10-08T22:59:26.040000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b48d699080b4bfd334c5", "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7761, "CVE": 6, "FileHash-MD5": 285, "FileHash-SHA1": 165, "FileHash-SHA256": 5059, "domain": 987, "hostname": 2399 }, "indicator_count": 16662, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a835fc0836f148fa45c8", "name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]", "description": "", "modified": "2023-12-06T16:58:29.243000", "created": "2023-12-06T16:58:29.243000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a521974bdb5d6dbda092", "name": "", "description": "", "modified": "2023-12-06T16:45:21.776000", "created": "2023-12-06T16:45:21.776000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5109ecc3c75c949f950", "name": "Unsupported IE 404 account running BotNet Command & Control Server | B/L", "description": "", "modified": "2023-12-06T16:45:04.296000", "created": "2023-12-06T16:45:04.296000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4f322399eb1db2a07b2", "name": "Hijacked Pinterest Account Spreader, BotNet Control Server | Unsupported IE", "description": "", "modified": "2023-12-06T16:44:35.786000", "created": "2023-12-06T16:44:35.786000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4e083c4acd789ea7e58", "name": "Blacklisted", "description": "", "modified": "2023-12-06T16:44:16.060000", "created": "2023-12-06T16:44:16.060000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2258, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15663, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4d5c14495fcf65ee8a5", "name": "Netsky", "description": "", "modified": "2023-12-06T16:44:05.631000", "created": "2023-12-06T16:44:05.631000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4cb97598bac143dc90b", "name": "Critical: Pinterest Cyber Espionage", "description": "", "modified": "2023-12-06T16:43:55.639000", "created": "2023-12-06T16:43:55.639000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f203d9b8cd815d8b5134c", "name": "Unsupported IE 404 account running BotNet Command & Control", "description": "", "modified": "2023-10-30T03:17:17.770000", "created": "2023-10-30T03:17:17.770000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6523344e4adc85389899504c", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7203, "CVE": 6, "FileHash-MD5": 283, "FileHash-SHA1": 163, "FileHash-SHA256": 4835, "domain": 915, "hostname": 2260 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "902 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6506b296b842740e2f7b2625", "name": "Blacklisted", "description": "", "modified": "2023-10-17T09:00:23.825000", "created": "2023-09-17T08:02:30.711000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b27d63535110fca94a73", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7207, "CVE": 6, "FileHash-MD5": 283, "FileHash-SHA1": 163, "FileHash-SHA256": 4835, "domain": 915, "hostname": 2258 }, "indicator_count": 15667, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6506b2196ad4270f3ba15394", "name": "Critical: Pinterest Cyber Espionage", "description": "Attack", "modified": "2023-10-17T04:04:05.965000", "created": "2023-09-17T08:00:24.928000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7203, "CVE": 6, "FileHash-MD5": 283, "FileHash-SHA1": 163, "FileHash-SHA256": 4835, "domain": 915, "hostname": 2260 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6506b27d63535110fca94a73", "name": "Netsky ", "description": "", "modified": "2023-10-17T04:04:05.965000", "created": "2023-09-17T08:02:05.910000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b2196ad4270f3ba15394", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7203, "CVE": 6, "FileHash-MD5": 283, "FileHash-SHA1": 163, "FileHash-SHA256": 4835, "domain": 915, "hostname": 2260 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6506b3a1d09b3acfd89906a5", "name": "Hijacked Pinterest Account Spreader, BotNet Control Server | Unsupported IE", "description": "", "modified": "2023-10-17T04:04:05.965000", "created": "2023-09-17T08:06:57.276000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b296b842740e2f7b2625", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7203, "CVE": 6, "FileHash-MD5": 283, "FileHash-SHA1": 163, "FileHash-SHA256": 4835, "domain": 915, "hostname": 2260 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6506b48d699080b4bfd334c5", "name": "Unsupported IE 404 account running BotNet Command & Control Server | B/L", "description": "", "modified": "2023-10-17T04:04:05.965000", "created": "2023-09-17T08:10:53.311000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b3a1d09b3acfd89906a5", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7203, "CVE": 6, "FileHash-MD5": 283, "FileHash-SHA1": 163, "FileHash-SHA256": 4835, "domain": 915, "hostname": 2260 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6506b4a0406fd5b9839955b0", "name": " ", "description": "", "modified": "2023-10-17T04:04:05.965000", "created": "2023-09-17T08:11:12.583000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b48d699080b4bfd334c5", "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7203, "CVE": 6, "FileHash-MD5": 283, "FileHash-SHA1": 163, "FileHash-SHA256": 4835, "domain": 915, "hostname": 2260 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Behavior Pattern Match Analysis", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "apple.com. (malicious version/header)", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://www.roseoubleu.fr/panier (phishing)", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "firebaseremoteconfig.googleapis.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "https://www.apple.com/sitemap/", "https://support.Apple.com/de", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "remote.haverhillcc.com (remote hacking)", "https://applepaydayloans.com/", "http://45.159.189.105/bot/regex (Bot Command)", "init.ess.apple.com (remote hacking)", "Data Analytics", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "45.159.189.105 (Command and Control)", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "stagelight.pl (malicious/ pattern match)", "http://www.Apple.com/quicktime/download", "Roksit.net", "www.jamesbgriffinlaw.com (malicious host)", "http://www.Apple.com/quicktime/download/standalone.html", "https://sinister.ly/Thread-Apple-empty-box?page=13", "http://ww1.tsx.org/_fd", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "remote.telegrafix.com (remote hacking)" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojan.generic", "Generic.asmalws malicious_confidence_70% 1\til:trojan.msilzilla 1\tfilerepmalware 1\transom.sabsik 1\tbehaveslike.dropper 1\tmicrosoft phishing 1\tbackdoor.mokes 1\tphishing bank of america corporat", "Undefined 1\tms 1\txyz 1\tgl 1\tnet tld aggregation com ms xyz gl net 20% 20% 20% 20% 20% tld\tcount com\t1 undefined\tnan ms\t1 xyz\t1 gl\t1 net\t1 combined blacklist timeline hybrid-analysis maltiverse resea", "Ramnit", "Laplasclipper", "Generic.malware", "Relic", "Anonymizer", "Cobalt strike - s0154", "Trojan.ole2.vbs", "Sodin ransomware", "Redline stealer", "Malware.generic", "Malicious.22a4c0", "Tel:trojan:win32/emotet", "W32.hack.generic", "Phish.ab", "Worm:win32/netsky", "Trojan.ransom.generickd", "#lowfi:siga:trojanspy:msil/keylogger", "Maltiverse", "Qvm20.1.8d80.malware", "Backdoor.mokes", "Artemis", "Generic.31fcc75f", "Skynet", "#hstr:hacktool:win32/mimikatz", "Trojanspy", "Ml.generic", "Gen:variant.zusy", "Trojan.html.agent", "Malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tunsafe.ai_score_98% 1\tmobigame 1\tbanker,evasive,retefe 1\tprogram.unwanted 1\tmalicious.high.ml 1\tkryptik.dawvk 1\tunsafe.ai_score_91% 1\tadwar", "Gen:variant.bulz", "Slfper:installcore", "Tel:delphi/obfuscator", "Pws:msil/steam", "Gamehack.dr", "Gen:variant.razy", "Keyloggers", "Adware.dropware", "Sdbot.caoc", "Proxy", "Adwaresig [adw] ml.generic", "Dropper.binder", "Alf:program:opencandy:remnant" ], "industries": [], "unique_indicators": 16536 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/oursccl.com", "whois": "http://whois.domaintools.com/oursccl.com", "domain": "oursccl.com", "hostname": "www.oursccl.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 15, "pulses": [ { "id": "6523344e4adc85389899504c", "name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]", "description": "", "modified": "2024-10-13T03:00:28.081000", "created": "2023-10-08T22:59:26.040000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b48d699080b4bfd334c5", "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7761, "CVE": 6, "FileHash-MD5": 285, "FileHash-SHA1": 165, "FileHash-SHA256": 5059, "domain": 987, "hostname": 2399 }, "indicator_count": 16662, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a835fc0836f148fa45c8", "name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]", "description": "", "modified": "2023-12-06T16:58:29.243000", "created": "2023-12-06T16:58:29.243000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a521974bdb5d6dbda092", "name": "", "description": "", "modified": "2023-12-06T16:45:21.776000", "created": "2023-12-06T16:45:21.776000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5109ecc3c75c949f950", "name": "Unsupported IE 404 account running BotNet Command & Control Server | B/L", "description": "", "modified": "2023-12-06T16:45:04.296000", "created": "2023-12-06T16:45:04.296000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4f322399eb1db2a07b2", "name": "Hijacked Pinterest Account Spreader, BotNet Control Server | Unsupported IE", "description": "", "modified": "2023-12-06T16:44:35.786000", "created": "2023-12-06T16:44:35.786000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4e083c4acd789ea7e58", "name": "Blacklisted", "description": "", "modified": "2023-12-06T16:44:16.060000", "created": "2023-12-06T16:44:16.060000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2258, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15663, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4d5c14495fcf65ee8a5", "name": "Netsky", "description": "", "modified": "2023-12-06T16:44:05.631000", "created": "2023-12-06T16:44:05.631000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4cb97598bac143dc90b", "name": "Critical: Pinterest Cyber Espionage", "description": "", "modified": "2023-12-06T16:43:55.639000", "created": "2023-12-06T16:43:55.639000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f203d9b8cd815d8b5134c", "name": "Unsupported IE 404 account running BotNet Command & Control", "description": "", "modified": "2023-10-30T03:17:17.770000", "created": "2023-10-30T03:17:17.770000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6523344e4adc85389899504c", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7203, "CVE": 6, "FileHash-MD5": 283, "FileHash-SHA1": 163, "FileHash-SHA256": 4835, "domain": 915, "hostname": 2260 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "902 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6506b296b842740e2f7b2625", "name": "Blacklisted", "description": "", "modified": "2023-10-17T09:00:23.825000", "created": "2023-09-17T08:02:30.711000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b27d63535110fca94a73", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7207, "CVE": 6, "FileHash-MD5": 283, "FileHash-SHA1": 163, "FileHash-SHA256": 4835, "domain": 915, "hostname": 2258 }, "indicator_count": 15667, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.oursccl.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.oursccl.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776642374.2229257 }