{ "type": "URL", "indicator": "https://www.propertypartner.co/s", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.propertypartner.co/s", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2827098117, "indicator": "https://www.propertypartner.co/s", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "6650751b8dd6c7d00f0d7478", "name": "ET INFO Terse | Apple | Win.Trojan.Zbot-6598057-0", "description": "Tags, results generated by Level Blue OTX. AlienVault\nMy limited research results: \nApple | CIDR\n17.0.0.0/8\nFileHash-SHA256 d9ff17dd19a01ad64a77df6837e566319d16a235ac7223b9f565f470e57154c8 | Antivirus Detections\nWin32:Dropper-gen, Adware.Xadupi.B, Mirai, Win.Trojan.Zbot-6598057-0,\na variant of Win32/ELEX.IE potentially unwanted, Adware.Xadupi.B, Artemis!69E9EFD2E75E\nIDS Detections:\nET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile.\nYara Detections: dbgdetect_funcs,\nAlerts: injection_runpe,\nnetwork_icmp,\nallocates_execute_remote_process,\npersistence_autorun,\ncreates_service,\ninjection_modifies_memory,\ninjection_write_memory,\nprocess_martian,\nransomware_extensions,\nransomware_mass_file_delete", "modified": "2024-06-23T10:00:24.005000", "created": "2024-05-24T11:08:10.044000", "tags": [ "technology", "apple computer", "dns replication", "date", "domain", "lookups", "city", "apple abuse", "orgid", "rtechhandle", "june", "threat roundup", "triad", "usps", "us citizens", "data theft", "august", "apple", "sweet quadreams", "spyware vendor", "get http", "png image", "rgba", "ms windows", "united", "intel", "windows nt", "as16509", "pe32", "crlf line", "win32", "write", "next", "artemis", "malware", "copy", "cname", "unknown", "passive dns", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "pagewritecopy", "pageexecuteread", "nx00xffxe2", "nx00xc7d", "memcommit", "pagenoaccess", "memreserve", "service", "high process", "injection t1055" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1524, "CIDR": 1, "URL": 5189, "email": 2, "hostname": 867, "FileHash-MD5": 117, "FileHash-SHA1": 27, "domain": 403 }, "indicator_count": 8130, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "707 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66507a6eb3fde0552a6ebd9d", "name": "Sweet QuaDreams Apple | Hostile Spy campaign | Service modifier (Updated) ", "description": "", "modified": "2024-06-23T10:00:24.005000", "created": "2024-05-24T11:30:54.138000", "tags": [ "technology", "apple computer", "dns replication", "date", "domain", "lookups", "city", "apple abuse", "orgid", "rtechhandle", "june", "threat roundup", "triad", "usps", "us citizens", "data theft", "august", "apple", "sweet quadreams", "spyware vendor", "get http", "png image", "rgba", "ms windows", "united", "intel", "windows nt", "as16509", "pe32", "crlf line", "win32", "write", "next", "artemis", "malware", "copy", "cname", "unknown", "passive dns", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "pagewritecopy", "pageexecuteread", "nx00xffxe2", "nx00xc7d", "memcommit", "pagenoaccess", "memreserve", "service", "high process", "injection t1055" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6650751b8dd6c7d00f0d7478", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1524, "CIDR": 1, "URL": 5189, "email": 2, "hostname": 867, "FileHash-MD5": 117, "FileHash-SHA1": 27, "domain": 403 }, "indicator_count": 8130, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "707 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e24b157718e7ddf71765db", "name": "Lenovo Tablet K series Remotely Connects & controls Devices", "description": "Lenovo K series Tablet resource used to connect to thermostat devices and develops full CnC of victims network. All types of malicious abuses from dumping to spyware, tracking, enabling device features, listening to room. Creates zombie devices. Zusy: Man-in-the-middle attacks, injection, stealer.\n | AutoIt_3_00_Third_Party: treat actors dependent on various environments to load maware, when exploited, user interface , scripting, malicious activity possible by hidden users", "modified": "2024-03-31T15:02:37.900000", "created": "2024-03-01T21:39:33.521000", "tags": [ "url http", "search", "lenovo type", "indicator role", "title added", "active related", "pulses", "status", "united", "unknown", "creation date", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "date", "next", "meta", "tabx explorer", "urls", "hichina", "record value", "entries", "explorer", "target", "china unknown", "as4812 china", "as58461", "as4808 china", "smartchat", "vary", "accept encoding", "ipv4", "pulse submit", "dns replication", "as4837 china", "aaaa", "as9808 china", "whitelisted", "nxdomain", "as56047 china", "as58542 tianjij", "ns nxdomain", "body", "pe32", "intel", "ms windows", "windows activex", "control panel", "item", "win16 ne", "pe32 compiler", "exe32", "compiler", "javascript", "win32 exe", "kb file", "files", "file type", "javascript code", "windows", "text", "web open", "font format", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "connection", "date fri", "contacted", "whois record", "pe resource", "execution", "communicating", "siblings", "referrer", "whois whois", "bundled", "resolutions", "contacted urls", "siblings domain", "parent domain", "ssl certificate", "historical ssl", "whois domain", "set cookie", "gmt path", "url analysis", "find", "service", "as15169 google", "as9009 m247", "as14061", "as16276", "name servers", "alienvault", "open threat", "yara rule", "high", "show", "windows nt", "win64", "khtml", "gecko", "accept", "copy", "write", "pecompact", "february", "packer", "delphi", "win32", "malware", "zusy", "local", "json", "delete c", "ascii text", "suspicious", "cookie", "jpeg image", "exif standard", "tiff image", "autoit", "markus", "april", "dropper", "default", "delete", "switch", "as20940", "dynamicloader", "medium", "http", "write c", "ciphersuite", "a li", "amazon ses", "moved", "pepo campaigns", "advanced email", "twitter", "span", "servers", "authority", "win32upatre feb", "artro", "apple", "typosquatting", "botnet", "network", "advertising botnet", "adware", "mining", "spyware", "cnc", "mbs" ], "references": [ "http://www.tabxexplorer.com/lenovo", "114.80.179.242 \u2022 61.170.80.193 [malware hosting]", "IDS Detections Zusy Variant CnC Checkin", "IDS Signatures: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\t192.168.122.30\t104.18.12.173", "Registry: Read - DisableUserModeCallbackFilter", "OTX Alerts: procmem_yara injection_inter_process \u2022 ransomware_file_modifications \u2022 stack_pivot stealth_file antiav_detectfile \u2022 deletes_self", "OTX Alerts: cape_extracted_content \u2022 infostealer_cookies \u2022 recon_fingerprint \u2022 suricata_alert \u2022 anomalous_deletefile dead_connect \u2022dynamic_function_loading ipc_namedpipe powershell_download createtoolhelp32snapshot_module_enumeration reads_self antidebug_ntsetinformationthread injection_rwx network_http", "Stack pivoting was detected when using a critical API", "Tracking: trackite.com \u2022 track.beanstalkdata.com \u2022 http://tracking.butterflymx.com/ls/click?upn= \u2022 sonymobilemail.com \u2022 connect.grovelfun.com", "apple.ios-slgn-in.com \u2022 appleid.com \u2022 apple.com \u2022 http://apple.ddianle.com \u2022 http://write.52toolbox.com/cms/privacy_policy_lenovo.html", "http://desk.52toolbox.com/cms/agreement_lenovo.html \u2022 http://chat.52toolbox.com/cms/agreement_lenovo.html \u2022 www.tabxexplorer.com", "https://www.starbucks.com.cn/mobile-view/en/help/terms/digital-starbucks-rewards-kit?supportTel=fals \u2022 https://u.ysepay.com:8288/MobileGate/login.do", "https://download.tenorshare.cn/go/reiboot-for-android_2420.exe?track[banner]=home&track[mobilebanner]=ferragosto20220719&track[tslateset]=undefined&track[w]=3840&track[h]=220?linksource&track[utm_source]=awin&track[utm_medium]=affiliate&track[utm_term]=213429&track[awc]=18616_1659086165_ce9efdb1e9f159a1234acd82324b61a8&track[realMedium]=affiliate&track[cross_end_id]=-LyP4be7B42T9sbA&track[type]=2&track[page]=https://www.tenorshare.cn/guide/ios-system-recovery.html&track[sid]=118", "http://www.beneat.cn/mobile/index/index \u2022 http://www.beneat.cn/mobile/index/startAdv \u2022 http://www.beneat.cn/mobile/live/index", "http://www.beneat.cn/mobile/room/index \u2022 http://www.beneat.cn/mobile/user/cate \u2022 http://www.tabxexplorer.com/channel/Commonapi?pid", "http://gahub.qijihezi.cn/outlink/others/UbisoftConnectInstaller.exe \u2022 http://zb1.baidu581.com/zhuobiao2/?nid=63047\\r\\nConnection: [location]", "accountchooser.com [malicious remote drive by] pop up covers screen, chooses from listed acompromised phone | no click |", "Multiple remotewd remotewd.com [DGA domain name changed, moved still active as]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Generickdz-9982080-0", "display_name": "Win.Malware.Generickdz-9982080-0", "target": null }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "#Lowfi:HSTR:AutoitItV3ModGUIDMark", "display_name": "#Lowfi:HSTR:AutoitItV3ModGUIDMark", "target": null }, { "id": "Win.Malware.Autoit-7732194-0", "display_name": "Win.Malware.Autoit-7732194-0", "target": null }, { "id": "DarkComet", "display_name": "DarkComet", "target": null }, { "id": "!AutoIt_3_00_Third_Party", "display_name": "!AutoIt_3_00_Third_Party", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1463", "name": "Manipulate Device Communication", "display_name": "T1463 - Manipulate Device Communication" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8359, "domain": 1687, "hostname": 1746, "email": 7, "FileHash-MD5": 357, "FileHash-SHA1": 224, "FileHash-SHA256": 1862, "CVE": 1, "SSLCertFingerprint": 1 }, "indicator_count": 14244, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "790 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e24b1cd80668c22e7e1c7a", "name": "Lenovo Tablet K series Remotely Connects & controls Devices", "description": "Lenovo K series Tablet resource used to connect to thermostat devices and develops full CnC of victims network. All types of malicious abuses from dumping to spyware, tracking, enabling device features, listening to room. Creates zombie devices. Zusy: Man-in-the-middle attacks, injection, stealer.\n | AutoIt_3_00_Third_Party: treat actors dependent on various environments to load maware, when exploited, user interface , scripting, malicious activity possible by hidden users", "modified": "2024-03-31T15:02:37.900000", "created": "2024-03-01T21:39:40.078000", "tags": [ "url http", "search", "lenovo type", "indicator role", "title added", "active related", "pulses", "status", "united", "unknown", "creation date", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "date", "next", "meta", "tabx explorer", "urls", "hichina", "record value", "entries", "explorer", "target", "china unknown", "as4812 china", "as58461", "as4808 china", "smartchat", "vary", "accept encoding", "ipv4", "pulse submit", "dns replication", "as4837 china", "aaaa", "as9808 china", "whitelisted", "nxdomain", "as56047 china", "as58542 tianjij", "ns nxdomain", "body", "pe32", "intel", "ms windows", "windows activex", "control panel", "item", "win16 ne", "pe32 compiler", "exe32", "compiler", "javascript", "win32 exe", "kb file", "files", "file type", "javascript code", "windows", "text", "web open", "font format", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "connection", "date fri", "contacted", "whois record", "pe resource", "execution", "communicating", "siblings", "referrer", "whois whois", "bundled", "resolutions", "contacted urls", "siblings domain", "parent domain", "ssl certificate", "historical ssl", "whois domain", "set cookie", "gmt path", "url analysis", "find", "service", "as15169 google", "as9009 m247", "as14061", "as16276", "name servers", "alienvault", "open threat", "yara rule", "high", "show", "windows nt", "win64", "khtml", "gecko", "accept", "copy", "write", "pecompact", "february", "packer", "delphi", "win32", "malware", "zusy", "local", "json", "delete c", "ascii text", "suspicious", "cookie", "jpeg image", "exif standard", "tiff image", "autoit", "markus", "april", "dropper", "default", "delete", "switch", "as20940", "dynamicloader", "medium", "http", "write c", "ciphersuite", "a li", "amazon ses", "moved", "pepo campaigns", "advanced email", "twitter", "span", "servers", "authority", "win32upatre feb", "artro", "apple", "typosquatting", "botnet", "network", "advertising botnet", "adware", "mining", "spyware", "cnc", "mbs" ], "references": [ "http://www.tabxexplorer.com/lenovo", "114.80.179.242 \u2022 61.170.80.193 [malware hosting]", "IDS Detections Zusy Variant CnC Checkin", "IDS Signatures: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\t192.168.122.30\t104.18.12.173", "Registry: Read - DisableUserModeCallbackFilter", "OTX Alerts: procmem_yara injection_inter_process \u2022 ransomware_file_modifications \u2022 stack_pivot stealth_file antiav_detectfile \u2022 deletes_self", "OTX Alerts: cape_extracted_content \u2022 infostealer_cookies \u2022 recon_fingerprint \u2022 suricata_alert \u2022 anomalous_deletefile dead_connect \u2022dynamic_function_loading ipc_namedpipe powershell_download createtoolhelp32snapshot_module_enumeration reads_self antidebug_ntsetinformationthread injection_rwx network_http", "Stack pivoting was detected when using a critical API", "Tracking: trackite.com \u2022 track.beanstalkdata.com \u2022 http://tracking.butterflymx.com/ls/click?upn= \u2022 sonymobilemail.com \u2022 connect.grovelfun.com", "apple.ios-slgn-in.com \u2022 appleid.com \u2022 apple.com \u2022 http://apple.ddianle.com \u2022 http://write.52toolbox.com/cms/privacy_policy_lenovo.html", "http://desk.52toolbox.com/cms/agreement_lenovo.html \u2022 http://chat.52toolbox.com/cms/agreement_lenovo.html \u2022 www.tabxexplorer.com", "https://www.starbucks.com.cn/mobile-view/en/help/terms/digital-starbucks-rewards-kit?supportTel=fals \u2022 https://u.ysepay.com:8288/MobileGate/login.do", "https://download.tenorshare.cn/go/reiboot-for-android_2420.exe?track[banner]=home&track[mobilebanner]=ferragosto20220719&track[tslateset]=undefined&track[w]=3840&track[h]=220?linksource&track[utm_source]=awin&track[utm_medium]=affiliate&track[utm_term]=213429&track[awc]=18616_1659086165_ce9efdb1e9f159a1234acd82324b61a8&track[realMedium]=affiliate&track[cross_end_id]=-LyP4be7B42T9sbA&track[type]=2&track[page]=https://www.tenorshare.cn/guide/ios-system-recovery.html&track[sid]=118", "http://www.beneat.cn/mobile/index/index \u2022 http://www.beneat.cn/mobile/index/startAdv \u2022 http://www.beneat.cn/mobile/live/index", "http://www.beneat.cn/mobile/room/index \u2022 http://www.beneat.cn/mobile/user/cate \u2022 http://www.tabxexplorer.com/channel/Commonapi?pid", "http://gahub.qijihezi.cn/outlink/others/UbisoftConnectInstaller.exe \u2022 http://zb1.baidu581.com/zhuobiao2/?nid=63047\\r\\nConnection: [location]", "accountchooser.com [malicious remote drive by] pop up covers screen, chooses from listed acompromised phone | no click |", "Multiple remotewd remotewd.com [DGA domain name changed, moved still active as]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Generickdz-9982080-0", "display_name": "Win.Malware.Generickdz-9982080-0", "target": null }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "#Lowfi:HSTR:AutoitItV3ModGUIDMark", "display_name": "#Lowfi:HSTR:AutoitItV3ModGUIDMark", "target": null }, { "id": "Win.Malware.Autoit-7732194-0", "display_name": "Win.Malware.Autoit-7732194-0", "target": null }, { "id": "DarkComet", "display_name": "DarkComet", "target": null }, { "id": "!AutoIt_3_00_Third_Party", "display_name": "!AutoIt_3_00_Third_Party", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1463", "name": "Manipulate Device Communication", "display_name": "T1463 - Manipulate Device Communication" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8359, "domain": 1687, "hostname": 1746, "email": 7, "FileHash-MD5": 357, "FileHash-SHA1": 224, "FileHash-SHA256": 1862, "CVE": 1, "SSLCertFingerprint": 1 }, "indicator_count": 14244, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "790 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708c01dca4e6c505e4fca0", "name": "Hostgator - whitelisted", "description": "", "modified": "2023-12-06T14:58:09.135000", "created": "2023-12-06T14:58:09.135000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 692, "hostname": 1339, "domain": 1260, "URL": 4622, "FileHash-MD5": 3, "FileHash-SHA1": 1 }, "indicator_count": 7917, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707f519ef27fa72eb62598", "name": "CambridgeAnalytica.org", "description": "", "modified": "2023-12-06T14:04:01.301000", "created": "2023-12-06T14:04:01.301000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 335, "URL": 13379, "hostname": 2501, "domain": 1501, "FileHash-SHA1": 15 }, "indicator_count": 17731, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707ed1b2c24f71d408f58a", "name": "lvc.org", "description": "", "modified": "2023-12-06T14:01:52.611000", "created": "2023-12-06T14:01:52.611000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "hostname": 3051, "FileHash-SHA256": 524, "URL": 14286, "domain": 1501, "email": 3, "FileHash-SHA1": 12 }, "indicator_count": 19379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707c9df9c33dd5983b366a", "name": "TrueCar.com", "description": "", "modified": "2023-12-06T13:52:29.953000", "created": "2023-12-06T13:52:29.953000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1156, "domain": 4253, "hostname": 4203, "URL": 17071, "FileHash-MD5": 13, "FileHash-SHA1": 5, "email": 1 }, "indicator_count": 26702, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "625f112112bb456382bee7c9", "name": "Hostgator - whitelisted", "description": "Firing Rule, IRF.util.com, is set to go live on the internet after it was triggered by a new rule, but if it is not already in place, it will not load.", "modified": "2022-05-19T00:00:49.028000", "created": "2022-04-19T19:44:33.964000", "tags": [ "webkitkeyframes", "helvetica neue", "helvetica", "arial", "45deg", "100vw", "typetext", "copyright", "closure library", "affiliatepage", "tospage", "banner", "iab2", "acceptall", "rejectall", "genven", "expecting iab", "iab tcf", "oldcctid", "newdomainid", "unknown", "checkbox", "date", "component", "apptree", "hnull", "fcee", "typeof t", "typeerror", "qss7", "error", "promise", "hfunction", "typeof e", "rfc3986", "string", "array", "rfc1738", "object", "sr1t", "typeof symbol", "animation", "null", "rnull", "forwardref", "typeof n", "nullt", "cxlc", "dptw", "dtha", "gdzw", "gurp", "w0b4", "kjy9", "uigm", "ve6h", "event", "currency", "currencysymbol", "ucvw", "ofunction", "ocsf", "xfunction", "urlsearchparams", "open", "symbol", "nfunction", "lfunction", "ufunction", "typeof window", "typeof self", "hj", "09af", "regexp", "irmstevent", "bad expr", "hotjar", "email", "telefon", "survey", "meta", "cookie", "keypress", "trident", "live", "fullscreen", "generic", "window", "widget", "ciudad", "adore", "experiment", "mutation", "n color", "number", "customevent", "n strictly", "hostn host", "button", "cookie tracking", "close", "campaign", "decision", "action", "page", "controller", "must", "visitor", "groupstart", "info", "obsolete", "false", "reduceright", "portland", "trackevent", "query", "u003cu003e", "trackpageview", "code", "path", "click", "derek", "void", "gsxr89skrrs", "r300", "uint8array", "typeof d", "caca", "typeof", "facebook pixel", "pixel code", "iterator", "constantvalue", "globalvariable", "facebook", "boolean", "function", "service", "phonenumber", "ver0", "tag0", "extdata0", "ua ch", "invalid", "which", "thank", "hostgator", "poll", "primary intent", "iwe didn", "f39c11", "team", "script", "array int8array", "caregexp", "legacy", "irfcd", "error setting", "irgbd", "outer", "dynamic tag", "variable", "rule", "expr", "inline script" ], "references": [ "xfe-URL-hostgator.com-stix2-2.1-export.json", "https://a.impactradius-tag.com/foundation-tags-SD382-d393-452e-9c15-ac1e4a6fc6fb1.js", "https://d3cxv97fi8q177.cloudfront.net/foundation-A122588-852f-4501-9972-9515a4f53da31.js", "https://www.googleadservices.com/pagead/conversion_async.js", "https://static.hotjar.com/c/hotjar-23213.js?sv=7", "https://bat.bing.com/bat.js", "https://connect.facebook.net/signals/config/393095817498804?v=2.9.57&r=stable", "https://connect.facebook.net/en_US/fbevents.js", "https://www.googletagmanager.com/gtag/js?id=G-SXR89SKRRS&l=dataLayer&cx=c", "https://www.googletagmanager.com/gtm.js?id=GTM-PPNLL2", "https://cdn3.optimizely.com/js/geo4.js", "https://cdn.optimizely.com/js/13477600374.js", "https://bat.bing.com/p/action/5797759.js", "https://cdn.cookielaw.org/scripttemplates/6.32.0/otBannerSdk.js", "https://script.hotjar.com/modules.0076bf93c385ddf0ff58.js", "https://a.impactradius-tag.com/mediasource-A122588-852f-4501-9972-9515a4f53da31.js", "https://www.hostgator.com/_next/static/runtime/polyfills-31f3ad766330c3157d95.js", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/pages/_app.js", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/pages/index.js", "https://www.hostgator.com/_next/static/runtime/webpack-83bd83ab777f80a6c75c.js", "https://www.hostgator.com/_next/static/chunks/framework.4fc08a4a599cac03ddf5.js", "https://www.hostgator.com/_next/static/chunks/60aafdb66a57b57b76936ce193fee053374e679c.cdd375bd63e4f4a5a41b.js", "https://www.hostgator.com/_next/static/runtime/main-a00d7acfcccd82e343f6.js", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/_ssgManifest.js", "https://cdn.cookielaw.org/scripttemplates/otSDKStub.js", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/_buildManifest.js", "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/1071979603/?random=1650396033510&cv=9&fst=1650396033510&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=1&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0>m=2wg4i1&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.hostgator.com%2F&tiba=Web%20Hosting%20-%202022%27s%20Best%20Website%20Hosting%20%7C%20HostGator&hn=www.googleadservices.com&async=1&rfmt=3&fmt=4", "https://www.hostgator.com/_next/static/css/1746e01e071caaad90f08af905f64c7649b9fd98_CSS.27b3968e.chunk.css", "https://6241250.fls.doubleclick.net/activityi;src=6241250;type=remar0;cat=hg-al0;ord=1;num=152669004837;gtm=2wg4i1;auiddc=30830049.1650396032;u1=prospect;u2=%2F;u5=noConsent-none;~oref=https%3A%2F%2Fwww.hostgator.com%2F", "https://vars.hotjar.com/box-4924254a9ce4dc9b959b6e4a9b662d60.html" ], "public": 1, "adversary": "", "targeted_countries": [ "Tunisia" ], "malware_families": [ { "id": "hj", "display_name": "hj", "target": null }, { "id": "ReduceRight", "display_name": "ReduceRight", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1339, "URL": 4622, "domain": 1260, "FileHash-SHA256": 692, "FileHash-MD5": 3, "FileHash-SHA1": 1 }, "indicator_count": 7917, "is_author": false, "is_subscribing": null, "subscriber_count": 72, "modified_text": "1473 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "621927dd57ee9ed86aeb9cb4", "name": "CambridgeAnalytica.org", "description": "", "modified": "2022-03-27T00:00:39.057000", "created": "2022-02-25T19:02:53.023000", "tags": [ "win32 exe", "scott hanselman", "win32 dll", "llc creation", "date", "passive dns", "subdomains", "detections type", "name", "rich text", "format", "music", "first" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13379, "hostname": 2501, "domain": 1501, "FileHash-SHA256": 335, "FileHash-SHA1": 15 }, "indicator_count": 17731, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1526 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6213ffb8b8b4c14bf3c0420f", "name": "lvc.org", "description": "", "modified": "2022-03-23T00:02:04.887000", "created": "2022-02-21T21:10:16.849000", "tags": [ "algorithm", "key identifier", "x509v3 subject", "solutions", "llc creation", "date", "categories", "ranks rank", "value ingestion", "time majestic", "umbrella", "masking enabled", "win32 exe", "server", "email", "registrar abuse", "practice", "gre premium", "code", "registrar url", "score" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14286, "hostname": 3051, "domain": 1501, "FileHash-SHA256": 524, "CVE": 2, "email": 3, "FileHash-SHA1": 12 }, "indicator_count": 19379, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1530 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "61e2733e9e57250b5725ab5a", "name": "TrueCar.com", "description": "", "modified": "2022-02-14T00:00:26.279000", "created": "2022-01-15T07:09:50.416000", "tags": [ "android", "win32 exe", "key identifier", "win32 dll", "x509v3 subject", "server", "date", "registrar abuse", "algorithm", "markmonitor", "format", "impact", "first", "text", "email", "type name", "portable", "adguard premium", "usus", "mozilla firefox", "technology", "microsoft", "security", "subdomains", "threatseeker", "sophos", "comodo valkyrie", "verdict mobile", "rank value", "ingestion time", "statvoo", "cisco umbrella", "dns records", "record type", "ttl value", "msms94514764", "data", "v3 serial", "number", "issuer", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "domain status", "contact phone", "registrar", "ca creation", "dnssec", "domain name", "us registrant", "links https", "path", "submission", "httponly", "expiressat", "samesitelax", "details links", "vehicles comodo", "history first", "analysis" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 17071, "hostname": 4203, "FileHash-SHA256": 1156, "domain": 4253, "FileHash-MD5": 13, "FileHash-SHA1": 5, "email": 1 }, "indicator_count": 26702, "is_author": false, "is_subscribing": null, "subscriber_count": 412, "modified_text": "1567 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://bat.bing.com/p/action/5797759.js", "https://cdn3.optimizely.com/js/geo4.js", "https://www.hostgator.com/_next/static/css/1746e01e071caaad90f08af905f64c7649b9fd98_CSS.27b3968e.chunk.css", "https://connect.facebook.net/en_US/fbevents.js", "https://cdn.optimizely.com/js/13477600374.js", "https://a.impactradius-tag.com/foundation-tags-SD382-d393-452e-9c15-ac1e4a6fc6fb1.js", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/_buildManifest.js", "https://www.hostgator.com/_next/static/chunks/framework.4fc08a4a599cac03ddf5.js", "https://a.impactradius-tag.com/mediasource-A122588-852f-4501-9972-9515a4f53da31.js", "http://www.tabxexplorer.com/lenovo", "IDS Detections Zusy Variant CnC Checkin", "https://www.hostgator.com/_next/static/chunks/60aafdb66a57b57b76936ce193fee053374e679c.cdd375bd63e4f4a5a41b.js", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/_ssgManifest.js", "OTX Alerts: cape_extracted_content \u2022 infostealer_cookies \u2022 recon_fingerprint \u2022 suricata_alert \u2022 anomalous_deletefile dead_connect \u2022dynamic_function_loading ipc_namedpipe powershell_download createtoolhelp32snapshot_module_enumeration reads_self antidebug_ntsetinformationthread injection_rwx network_http", "https://www.starbucks.com.cn/mobile-view/en/help/terms/digital-starbucks-rewards-kit?supportTel=fals \u2022 https://u.ysepay.com:8288/MobileGate/login.do", "http://www.beneat.cn/mobile/index/index \u2022 http://www.beneat.cn/mobile/index/startAdv \u2022 http://www.beneat.cn/mobile/live/index", "https://cdn.cookielaw.org/scripttemplates/otSDKStub.js", "https://www.googletagmanager.com/gtm.js?id=GTM-PPNLL2", "xfe-URL-hostgator.com-stix2-2.1-export.json", "https://bat.bing.com/bat.js", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/pages/_app.js", "OTX Alerts: procmem_yara injection_inter_process \u2022 ransomware_file_modifications \u2022 stack_pivot stealth_file antiav_detectfile \u2022 deletes_self", "https://vars.hotjar.com/box-4924254a9ce4dc9b959b6e4a9b662d60.html", "http://gahub.qijihezi.cn/outlink/others/UbisoftConnectInstaller.exe \u2022 http://zb1.baidu581.com/zhuobiao2/?nid=63047\\r\\nConnection: [location]", "https://download.tenorshare.cn/go/reiboot-for-android_2420.exe?track[banner]=home&track[mobilebanner]=ferragosto20220719&track[tslateset]=undefined&track[w]=3840&track[h]=220?linksource&track[utm_source]=awin&track[utm_medium]=affiliate&track[utm_term]=213429&track[awc]=18616_1659086165_ce9efdb1e9f159a1234acd82324b61a8&track[realMedium]=affiliate&track[cross_end_id]=-LyP4be7B42T9sbA&track[type]=2&track[page]=https://www.tenorshare.cn/guide/ios-system-recovery.html&track[sid]=118", "https://www.googletagmanager.com/gtag/js?id=G-SXR89SKRRS&l=dataLayer&cx=c", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/pages/index.js", "accountchooser.com [malicious remote drive by] pop up covers screen, chooses from listed acompromised phone | no click |", "Multiple remotewd remotewd.com [DGA domain name changed, moved still active as]", "http://www.beneat.cn/mobile/room/index \u2022 http://www.beneat.cn/mobile/user/cate \u2022 http://www.tabxexplorer.com/channel/Commonapi?pid", "https://connect.facebook.net/signals/config/393095817498804?v=2.9.57&r=stable", "https://6241250.fls.doubleclick.net/activityi;src=6241250;type=remar0;cat=hg-al0;ord=1;num=152669004837;gtm=2wg4i1;auiddc=30830049.1650396032;u1=prospect;u2=%2F;u5=noConsent-none;~oref=https%3A%2F%2Fwww.hostgator.com%2F", "https://static.hotjar.com/c/hotjar-23213.js?sv=7", "Registry: Read - DisableUserModeCallbackFilter", "IDS Signatures: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\t192.168.122.30\t104.18.12.173", "114.80.179.242 \u2022 61.170.80.193 [malware hosting]", "https://cdn.cookielaw.org/scripttemplates/6.32.0/otBannerSdk.js", "https://www.hostgator.com/_next/static/runtime/polyfills-31f3ad766330c3157d95.js", "Tracking: trackite.com \u2022 track.beanstalkdata.com \u2022 http://tracking.butterflymx.com/ls/click?upn= \u2022 sonymobilemail.com \u2022 connect.grovelfun.com", "apple.ios-slgn-in.com \u2022 appleid.com \u2022 apple.com \u2022 http://apple.ddianle.com \u2022 http://write.52toolbox.com/cms/privacy_policy_lenovo.html", "Stack pivoting was detected when using a critical API", "https://d3cxv97fi8q177.cloudfront.net/foundation-A122588-852f-4501-9972-9515a4f53da31.js", "https://www.googleadservices.com/pagead/conversion_async.js", "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/1071979603/?random=1650396033510&cv=9&fst=1650396033510&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=1&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0>m=2wg4i1&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.hostgator.com%2F&tiba=Web%20Hosting%20-%202022%27s%20Best%20Website%20Hosting%20%7C%20HostGator&hn=www.googleadservices.com&async=1&rfmt=3&fmt=4", "https://script.hotjar.com/modules.0076bf93c385ddf0ff58.js", "https://www.hostgator.com/_next/static/runtime/webpack-83bd83ab777f80a6c75c.js", "http://desk.52toolbox.com/cms/agreement_lenovo.html \u2022 http://chat.52toolbox.com/cms/agreement_lenovo.html \u2022 www.tabxexplorer.com", "https://www.hostgator.com/_next/static/runtime/main-a00d7acfcccd82e343f6.js" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Artro", "Win.malware.generickdz-9982080-0", "!autoit_3_00_third_party", "Darkcomet", "Hj", "Reduceright", "Win.malware.autoit-7732194-0", "Trojan:win32/zusy", "#lowfi:hstr:autoititv3modguidmark" ], "industries": [ "Civil society", "Telecommunications", "Technology" ], "unique_indicators": 86535 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/propertypartner.co", "whois": "http://whois.domaintools.com/propertypartner.co", "domain": "propertypartner.co", "hostname": "www.propertypartner.co" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "6650751b8dd6c7d00f0d7478", "name": "ET INFO Terse | Apple | Win.Trojan.Zbot-6598057-0", "description": "Tags, results generated by Level Blue OTX. AlienVault\nMy limited research results: \nApple | CIDR\n17.0.0.0/8\nFileHash-SHA256 d9ff17dd19a01ad64a77df6837e566319d16a235ac7223b9f565f470e57154c8 | Antivirus Detections\nWin32:Dropper-gen, Adware.Xadupi.B, Mirai, Win.Trojan.Zbot-6598057-0,\na variant of Win32/ELEX.IE potentially unwanted, Adware.Xadupi.B, Artemis!69E9EFD2E75E\nIDS Detections:\nET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile.\nYara Detections: dbgdetect_funcs,\nAlerts: injection_runpe,\nnetwork_icmp,\nallocates_execute_remote_process,\npersistence_autorun,\ncreates_service,\ninjection_modifies_memory,\ninjection_write_memory,\nprocess_martian,\nransomware_extensions,\nransomware_mass_file_delete", "modified": "2024-06-23T10:00:24.005000", "created": "2024-05-24T11:08:10.044000", "tags": [ "technology", "apple computer", "dns replication", "date", "domain", "lookups", "city", "apple abuse", "orgid", "rtechhandle", "june", "threat roundup", "triad", "usps", "us citizens", "data theft", "august", "apple", "sweet quadreams", "spyware vendor", "get http", "png image", "rgba", "ms windows", "united", "intel", "windows nt", "as16509", "pe32", "crlf line", "win32", "write", "next", "artemis", "malware", "copy", "cname", "unknown", "passive dns", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "pagewritecopy", "pageexecuteread", "nx00xffxe2", "nx00xc7d", "memcommit", "pagenoaccess", "memreserve", "service", "high process", "injection t1055" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1524, "CIDR": 1, "URL": 5189, "email": 2, "hostname": 867, "FileHash-MD5": 117, "FileHash-SHA1": 27, "domain": 403 }, "indicator_count": 8130, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "707 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66507a6eb3fde0552a6ebd9d", "name": "Sweet QuaDreams Apple | Hostile Spy campaign | Service modifier (Updated) ", "description": "", "modified": "2024-06-23T10:00:24.005000", "created": "2024-05-24T11:30:54.138000", "tags": [ "technology", "apple computer", "dns replication", "date", "domain", "lookups", "city", "apple abuse", "orgid", "rtechhandle", "june", "threat roundup", "triad", "usps", "us citizens", "data theft", "august", "apple", "sweet quadreams", "spyware vendor", "get http", "png image", "rgba", "ms windows", "united", "intel", "windows nt", "as16509", "pe32", "crlf line", "win32", "write", "next", "artemis", "malware", "copy", "cname", "unknown", "passive dns", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "pagewritecopy", "pageexecuteread", "nx00xffxe2", "nx00xc7d", "memcommit", "pagenoaccess", "memreserve", "service", "high process", "injection t1055" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6650751b8dd6c7d00f0d7478", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1524, "CIDR": 1, "URL": 5189, "email": 2, "hostname": 867, "FileHash-MD5": 117, "FileHash-SHA1": 27, "domain": 403 }, "indicator_count": 8130, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "707 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e24b157718e7ddf71765db", "name": "Lenovo Tablet K series Remotely Connects & controls Devices", "description": "Lenovo K series Tablet resource used to connect to thermostat devices and develops full CnC of victims network. All types of malicious abuses from dumping to spyware, tracking, enabling device features, listening to room. Creates zombie devices. Zusy: Man-in-the-middle attacks, injection, stealer.\n | AutoIt_3_00_Third_Party: treat actors dependent on various environments to load maware, when exploited, user interface , scripting, malicious activity possible by hidden users", "modified": "2024-03-31T15:02:37.900000", "created": "2024-03-01T21:39:33.521000", "tags": [ "url http", "search", "lenovo type", "indicator role", "title added", "active related", "pulses", "status", "united", "unknown", "creation date", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "date", "next", "meta", "tabx explorer", "urls", "hichina", "record value", "entries", "explorer", "target", "china unknown", "as4812 china", "as58461", "as4808 china", "smartchat", "vary", "accept encoding", "ipv4", "pulse submit", "dns replication", "as4837 china", "aaaa", "as9808 china", "whitelisted", "nxdomain", "as56047 china", "as58542 tianjij", "ns nxdomain", "body", "pe32", "intel", "ms windows", "windows activex", "control panel", "item", "win16 ne", "pe32 compiler", "exe32", "compiler", "javascript", "win32 exe", "kb file", "files", "file type", "javascript code", "windows", "text", "web open", "font format", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "connection", "date fri", "contacted", "whois record", "pe resource", "execution", "communicating", "siblings", "referrer", "whois whois", "bundled", "resolutions", "contacted urls", "siblings domain", "parent domain", "ssl certificate", "historical ssl", "whois domain", "set cookie", "gmt path", "url analysis", "find", "service", "as15169 google", "as9009 m247", "as14061", "as16276", "name servers", "alienvault", "open threat", "yara rule", "high", "show", "windows nt", "win64", "khtml", "gecko", "accept", "copy", "write", "pecompact", "february", "packer", "delphi", "win32", "malware", "zusy", "local", "json", "delete c", "ascii text", "suspicious", "cookie", "jpeg image", "exif standard", "tiff image", "autoit", "markus", "april", "dropper", "default", "delete", "switch", "as20940", "dynamicloader", "medium", "http", "write c", "ciphersuite", "a li", "amazon ses", "moved", "pepo campaigns", "advanced email", "twitter", "span", "servers", "authority", "win32upatre feb", "artro", "apple", "typosquatting", "botnet", "network", "advertising botnet", "adware", "mining", "spyware", "cnc", "mbs" ], "references": [ "http://www.tabxexplorer.com/lenovo", "114.80.179.242 \u2022 61.170.80.193 [malware hosting]", "IDS Detections Zusy Variant CnC Checkin", "IDS Signatures: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\t192.168.122.30\t104.18.12.173", "Registry: Read - DisableUserModeCallbackFilter", "OTX Alerts: procmem_yara injection_inter_process \u2022 ransomware_file_modifications \u2022 stack_pivot stealth_file antiav_detectfile \u2022 deletes_self", "OTX Alerts: cape_extracted_content \u2022 infostealer_cookies \u2022 recon_fingerprint \u2022 suricata_alert \u2022 anomalous_deletefile dead_connect \u2022dynamic_function_loading ipc_namedpipe powershell_download createtoolhelp32snapshot_module_enumeration reads_self antidebug_ntsetinformationthread injection_rwx network_http", "Stack pivoting was detected when using a critical API", "Tracking: trackite.com \u2022 track.beanstalkdata.com \u2022 http://tracking.butterflymx.com/ls/click?upn= \u2022 sonymobilemail.com \u2022 connect.grovelfun.com", "apple.ios-slgn-in.com \u2022 appleid.com \u2022 apple.com \u2022 http://apple.ddianle.com \u2022 http://write.52toolbox.com/cms/privacy_policy_lenovo.html", "http://desk.52toolbox.com/cms/agreement_lenovo.html \u2022 http://chat.52toolbox.com/cms/agreement_lenovo.html \u2022 www.tabxexplorer.com", "https://www.starbucks.com.cn/mobile-view/en/help/terms/digital-starbucks-rewards-kit?supportTel=fals \u2022 https://u.ysepay.com:8288/MobileGate/login.do", "https://download.tenorshare.cn/go/reiboot-for-android_2420.exe?track[banner]=home&track[mobilebanner]=ferragosto20220719&track[tslateset]=undefined&track[w]=3840&track[h]=220?linksource&track[utm_source]=awin&track[utm_medium]=affiliate&track[utm_term]=213429&track[awc]=18616_1659086165_ce9efdb1e9f159a1234acd82324b61a8&track[realMedium]=affiliate&track[cross_end_id]=-LyP4be7B42T9sbA&track[type]=2&track[page]=https://www.tenorshare.cn/guide/ios-system-recovery.html&track[sid]=118", "http://www.beneat.cn/mobile/index/index \u2022 http://www.beneat.cn/mobile/index/startAdv \u2022 http://www.beneat.cn/mobile/live/index", "http://www.beneat.cn/mobile/room/index \u2022 http://www.beneat.cn/mobile/user/cate \u2022 http://www.tabxexplorer.com/channel/Commonapi?pid", "http://gahub.qijihezi.cn/outlink/others/UbisoftConnectInstaller.exe \u2022 http://zb1.baidu581.com/zhuobiao2/?nid=63047\\r\\nConnection: [location]", "accountchooser.com [malicious remote drive by] pop up covers screen, chooses from listed acompromised phone | no click |", "Multiple remotewd remotewd.com [DGA domain name changed, moved still active as]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Generickdz-9982080-0", "display_name": "Win.Malware.Generickdz-9982080-0", "target": null }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "#Lowfi:HSTR:AutoitItV3ModGUIDMark", "display_name": "#Lowfi:HSTR:AutoitItV3ModGUIDMark", "target": null }, { "id": "Win.Malware.Autoit-7732194-0", "display_name": "Win.Malware.Autoit-7732194-0", "target": null }, { "id": "DarkComet", "display_name": "DarkComet", "target": null }, { "id": "!AutoIt_3_00_Third_Party", "display_name": "!AutoIt_3_00_Third_Party", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1463", "name": "Manipulate Device Communication", "display_name": "T1463 - Manipulate Device Communication" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8359, "domain": 1687, "hostname": 1746, "email": 7, "FileHash-MD5": 357, "FileHash-SHA1": 224, "FileHash-SHA256": 1862, "CVE": 1, "SSLCertFingerprint": 1 }, "indicator_count": 14244, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "790 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e24b1cd80668c22e7e1c7a", "name": "Lenovo Tablet K series Remotely Connects & controls Devices", "description": "Lenovo K series Tablet resource used to connect to thermostat devices and develops full CnC of victims network. All types of malicious abuses from dumping to spyware, tracking, enabling device features, listening to room. Creates zombie devices. Zusy: Man-in-the-middle attacks, injection, stealer.\n | AutoIt_3_00_Third_Party: treat actors dependent on various environments to load maware, when exploited, user interface , scripting, malicious activity possible by hidden users", "modified": "2024-03-31T15:02:37.900000", "created": "2024-03-01T21:39:40.078000", "tags": [ "url http", "search", "lenovo type", "indicator role", "title added", "active related", "pulses", "status", "united", "unknown", "creation date", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "date", "next", "meta", "tabx explorer", "urls", "hichina", "record value", "entries", "explorer", "target", "china unknown", "as4812 china", "as58461", "as4808 china", "smartchat", "vary", "accept encoding", "ipv4", "pulse submit", "dns replication", "as4837 china", "aaaa", "as9808 china", "whitelisted", "nxdomain", "as56047 china", "as58542 tianjij", "ns nxdomain", "body", "pe32", "intel", "ms windows", "windows activex", "control panel", "item", "win16 ne", "pe32 compiler", "exe32", "compiler", "javascript", "win32 exe", "kb file", "files", "file type", "javascript code", "windows", "text", "web open", "font format", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "connection", "date fri", "contacted", "whois record", "pe resource", "execution", "communicating", "siblings", "referrer", "whois whois", "bundled", "resolutions", "contacted urls", "siblings domain", "parent domain", "ssl certificate", "historical ssl", "whois domain", "set cookie", "gmt path", "url analysis", "find", "service", "as15169 google", "as9009 m247", "as14061", "as16276", "name servers", "alienvault", "open threat", "yara rule", "high", "show", "windows nt", "win64", "khtml", "gecko", "accept", "copy", "write", "pecompact", "february", "packer", "delphi", "win32", "malware", "zusy", "local", "json", "delete c", "ascii text", "suspicious", "cookie", "jpeg image", "exif standard", "tiff image", "autoit", "markus", "april", "dropper", "default", "delete", "switch", "as20940", "dynamicloader", "medium", "http", "write c", "ciphersuite", "a li", "amazon ses", "moved", "pepo campaigns", "advanced email", "twitter", "span", "servers", "authority", "win32upatre feb", "artro", "apple", "typosquatting", "botnet", "network", "advertising botnet", "adware", "mining", "spyware", "cnc", "mbs" ], "references": [ "http://www.tabxexplorer.com/lenovo", "114.80.179.242 \u2022 61.170.80.193 [malware hosting]", "IDS Detections Zusy Variant CnC Checkin", "IDS Signatures: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\t192.168.122.30\t104.18.12.173", "Registry: Read - DisableUserModeCallbackFilter", "OTX Alerts: procmem_yara injection_inter_process \u2022 ransomware_file_modifications \u2022 stack_pivot stealth_file antiav_detectfile \u2022 deletes_self", "OTX Alerts: cape_extracted_content \u2022 infostealer_cookies \u2022 recon_fingerprint \u2022 suricata_alert \u2022 anomalous_deletefile dead_connect \u2022dynamic_function_loading ipc_namedpipe powershell_download createtoolhelp32snapshot_module_enumeration reads_self antidebug_ntsetinformationthread injection_rwx network_http", "Stack pivoting was detected when using a critical API", "Tracking: trackite.com \u2022 track.beanstalkdata.com \u2022 http://tracking.butterflymx.com/ls/click?upn= \u2022 sonymobilemail.com \u2022 connect.grovelfun.com", "apple.ios-slgn-in.com \u2022 appleid.com \u2022 apple.com \u2022 http://apple.ddianle.com \u2022 http://write.52toolbox.com/cms/privacy_policy_lenovo.html", "http://desk.52toolbox.com/cms/agreement_lenovo.html \u2022 http://chat.52toolbox.com/cms/agreement_lenovo.html \u2022 www.tabxexplorer.com", "https://www.starbucks.com.cn/mobile-view/en/help/terms/digital-starbucks-rewards-kit?supportTel=fals \u2022 https://u.ysepay.com:8288/MobileGate/login.do", "https://download.tenorshare.cn/go/reiboot-for-android_2420.exe?track[banner]=home&track[mobilebanner]=ferragosto20220719&track[tslateset]=undefined&track[w]=3840&track[h]=220?linksource&track[utm_source]=awin&track[utm_medium]=affiliate&track[utm_term]=213429&track[awc]=18616_1659086165_ce9efdb1e9f159a1234acd82324b61a8&track[realMedium]=affiliate&track[cross_end_id]=-LyP4be7B42T9sbA&track[type]=2&track[page]=https://www.tenorshare.cn/guide/ios-system-recovery.html&track[sid]=118", "http://www.beneat.cn/mobile/index/index \u2022 http://www.beneat.cn/mobile/index/startAdv \u2022 http://www.beneat.cn/mobile/live/index", "http://www.beneat.cn/mobile/room/index \u2022 http://www.beneat.cn/mobile/user/cate \u2022 http://www.tabxexplorer.com/channel/Commonapi?pid", "http://gahub.qijihezi.cn/outlink/others/UbisoftConnectInstaller.exe \u2022 http://zb1.baidu581.com/zhuobiao2/?nid=63047\\r\\nConnection: [location]", "accountchooser.com [malicious remote drive by] pop up covers screen, chooses from listed acompromised phone | no click |", "Multiple remotewd remotewd.com [DGA domain name changed, moved still active as]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Generickdz-9982080-0", "display_name": "Win.Malware.Generickdz-9982080-0", "target": null }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "#Lowfi:HSTR:AutoitItV3ModGUIDMark", "display_name": "#Lowfi:HSTR:AutoitItV3ModGUIDMark", "target": null }, { "id": "Win.Malware.Autoit-7732194-0", "display_name": "Win.Malware.Autoit-7732194-0", "target": null }, { "id": "DarkComet", "display_name": "DarkComet", "target": null }, { "id": "!AutoIt_3_00_Third_Party", "display_name": "!AutoIt_3_00_Third_Party", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1463", "name": "Manipulate Device Communication", "display_name": "T1463 - Manipulate Device Communication" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8359, "domain": 1687, "hostname": 1746, "email": 7, "FileHash-MD5": 357, "FileHash-SHA1": 224, "FileHash-SHA256": 1862, "CVE": 1, "SSLCertFingerprint": 1 }, "indicator_count": 14244, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "790 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708c01dca4e6c505e4fca0", "name": "Hostgator - whitelisted", "description": "", "modified": "2023-12-06T14:58:09.135000", "created": "2023-12-06T14:58:09.135000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 692, "hostname": 1339, "domain": 1260, "URL": 4622, "FileHash-MD5": 3, "FileHash-SHA1": 1 }, "indicator_count": 7917, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707f519ef27fa72eb62598", "name": "CambridgeAnalytica.org", "description": "", "modified": "2023-12-06T14:04:01.301000", "created": "2023-12-06T14:04:01.301000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 335, "URL": 13379, "hostname": 2501, "domain": 1501, "FileHash-SHA1": 15 }, "indicator_count": 17731, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707ed1b2c24f71d408f58a", "name": "lvc.org", "description": "", "modified": "2023-12-06T14:01:52.611000", "created": "2023-12-06T14:01:52.611000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "hostname": 3051, "FileHash-SHA256": 524, "URL": 14286, "domain": 1501, "email": 3, "FileHash-SHA1": 12 }, "indicator_count": 19379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707c9df9c33dd5983b366a", "name": "TrueCar.com", "description": "", "modified": "2023-12-06T13:52:29.953000", "created": "2023-12-06T13:52:29.953000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1156, "domain": 4253, "hostname": 4203, "URL": 17071, "FileHash-MD5": 13, "FileHash-SHA1": 5, "email": 1 }, "indicator_count": 26702, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "625f112112bb456382bee7c9", "name": "Hostgator - whitelisted", "description": "Firing Rule, IRF.util.com, is set to go live on the internet after it was triggered by a new rule, but if it is not already in place, it will not load.", "modified": "2022-05-19T00:00:49.028000", "created": "2022-04-19T19:44:33.964000", "tags": [ "webkitkeyframes", "helvetica neue", "helvetica", "arial", "45deg", "100vw", "typetext", "copyright", "closure library", "affiliatepage", "tospage", "banner", "iab2", "acceptall", "rejectall", "genven", "expecting iab", "iab tcf", "oldcctid", "newdomainid", "unknown", "checkbox", "date", "component", "apptree", "hnull", "fcee", "typeof t", "typeerror", "qss7", "error", "promise", "hfunction", "typeof e", "rfc3986", "string", "array", "rfc1738", "object", "sr1t", "typeof symbol", "animation", "null", "rnull", "forwardref", "typeof n", "nullt", "cxlc", "dptw", "dtha", "gdzw", "gurp", "w0b4", "kjy9", "uigm", "ve6h", "event", "currency", "currencysymbol", "ucvw", "ofunction", "ocsf", "xfunction", "urlsearchparams", "open", "symbol", "nfunction", "lfunction", "ufunction", "typeof window", "typeof self", "hj", "09af", "regexp", "irmstevent", "bad expr", "hotjar", "email", "telefon", "survey", "meta", "cookie", "keypress", "trident", "live", "fullscreen", "generic", "window", "widget", "ciudad", "adore", "experiment", "mutation", "n color", "number", "customevent", "n strictly", "hostn host", "button", "cookie tracking", "close", "campaign", "decision", "action", "page", "controller", "must", "visitor", "groupstart", "info", "obsolete", "false", "reduceright", "portland", "trackevent", "query", "u003cu003e", "trackpageview", "code", "path", "click", "derek", "void", "gsxr89skrrs", "r300", "uint8array", "typeof d", "caca", "typeof", "facebook pixel", "pixel code", "iterator", "constantvalue", "globalvariable", "facebook", "boolean", "function", "service", "phonenumber", "ver0", "tag0", "extdata0", "ua ch", "invalid", "which", "thank", "hostgator", "poll", "primary intent", "iwe didn", "f39c11", "team", "script", "array int8array", "caregexp", "legacy", "irfcd", "error setting", "irgbd", "outer", "dynamic tag", "variable", "rule", "expr", "inline script" ], "references": [ "xfe-URL-hostgator.com-stix2-2.1-export.json", "https://a.impactradius-tag.com/foundation-tags-SD382-d393-452e-9c15-ac1e4a6fc6fb1.js", "https://d3cxv97fi8q177.cloudfront.net/foundation-A122588-852f-4501-9972-9515a4f53da31.js", "https://www.googleadservices.com/pagead/conversion_async.js", "https://static.hotjar.com/c/hotjar-23213.js?sv=7", "https://bat.bing.com/bat.js", "https://connect.facebook.net/signals/config/393095817498804?v=2.9.57&r=stable", "https://connect.facebook.net/en_US/fbevents.js", "https://www.googletagmanager.com/gtag/js?id=G-SXR89SKRRS&l=dataLayer&cx=c", "https://www.googletagmanager.com/gtm.js?id=GTM-PPNLL2", "https://cdn3.optimizely.com/js/geo4.js", "https://cdn.optimizely.com/js/13477600374.js", "https://bat.bing.com/p/action/5797759.js", "https://cdn.cookielaw.org/scripttemplates/6.32.0/otBannerSdk.js", "https://script.hotjar.com/modules.0076bf93c385ddf0ff58.js", "https://a.impactradius-tag.com/mediasource-A122588-852f-4501-9972-9515a4f53da31.js", "https://www.hostgator.com/_next/static/runtime/polyfills-31f3ad766330c3157d95.js", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/pages/_app.js", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/pages/index.js", "https://www.hostgator.com/_next/static/runtime/webpack-83bd83ab777f80a6c75c.js", "https://www.hostgator.com/_next/static/chunks/framework.4fc08a4a599cac03ddf5.js", "https://www.hostgator.com/_next/static/chunks/60aafdb66a57b57b76936ce193fee053374e679c.cdd375bd63e4f4a5a41b.js", "https://www.hostgator.com/_next/static/runtime/main-a00d7acfcccd82e343f6.js", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/_ssgManifest.js", "https://cdn.cookielaw.org/scripttemplates/otSDKStub.js", "https://www.hostgator.com/_next/static/5a0OWA7iirtDqpl2xeXE4/_buildManifest.js", "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/1071979603/?random=1650396033510&cv=9&fst=1650396033510&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=1&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0>m=2wg4i1&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.hostgator.com%2F&tiba=Web%20Hosting%20-%202022%27s%20Best%20Website%20Hosting%20%7C%20HostGator&hn=www.googleadservices.com&async=1&rfmt=3&fmt=4", "https://www.hostgator.com/_next/static/css/1746e01e071caaad90f08af905f64c7649b9fd98_CSS.27b3968e.chunk.css", "https://6241250.fls.doubleclick.net/activityi;src=6241250;type=remar0;cat=hg-al0;ord=1;num=152669004837;gtm=2wg4i1;auiddc=30830049.1650396032;u1=prospect;u2=%2F;u5=noConsent-none;~oref=https%3A%2F%2Fwww.hostgator.com%2F", "https://vars.hotjar.com/box-4924254a9ce4dc9b959b6e4a9b662d60.html" ], "public": 1, "adversary": "", "targeted_countries": [ "Tunisia" ], "malware_families": [ { "id": "hj", "display_name": "hj", "target": null }, { "id": "ReduceRight", "display_name": "ReduceRight", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1339, "URL": 4622, "domain": 1260, "FileHash-SHA256": 692, "FileHash-MD5": 3, "FileHash-SHA1": 1 }, "indicator_count": 7917, "is_author": false, "is_subscribing": null, "subscriber_count": 72, "modified_text": "1473 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "621927dd57ee9ed86aeb9cb4", "name": "CambridgeAnalytica.org", "description": "", "modified": "2022-03-27T00:00:39.057000", "created": "2022-02-25T19:02:53.023000", "tags": [ "win32 exe", "scott hanselman", "win32 dll", "llc creation", "date", "passive dns", "subdomains", "detections type", "name", "rich text", "format", "music", "first" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13379, "hostname": 2501, "domain": 1501, "FileHash-SHA256": 335, "FileHash-SHA1": 15 }, "indicator_count": 17731, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1526 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.propertypartner.co/s", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.propertypartner.co/s", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780235636.6107633 }