{
  "type": "URL",
  "indicator": "https://www.starwarsauthentics.com",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://www.starwarsauthentics.com",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3784158637,
      "indicator": "https://www.starwarsauthentics.com",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "65e3d1a94659d50264a78fd4",
          "name": "Phishing | TabExplorer attacks compromised networks and devices",
          "description": "",
          "modified": "2024-04-02T01:01:20.068000",
          "created": "2024-03-03T01:26:01.043000",
          "tags": [
            "command decode",
            "suricata ipv4",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "suricata udpv4",
            "date",
            "united",
            "windows nt",
            "win64",
            "hybrid",
            "general",
            "click",
            "strings",
            "contact",
            "url http",
            "url https",
            "scan endpoints",
            "all octoseek",
            "report spam",
            "hour ago",
            "whois record",
            "glasgow",
            "scan",
            "iocs",
            "next",
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "ipv4",
            "contacted",
            "execution",
            "pe resource",
            "communicating",
            "urls http",
            "referrer",
            "resolutions",
            "whois whois",
            "collections ip",
            "phishing",
            "attack",
            "loaded module",
            "remote procedure call",
            "search",
            "as15133 verizon",
            "passive dns",
            "urls",
            "creation date",
            "record value",
            "showing",
            "unknown",
            "as8075",
            "as15169 google",
            "as8068",
            "aaaa",
            "cname",
            "a domains",
            "meta",
            "entries",
            "gmt server",
            "ecacc saa83dd",
            "cobalt strike",
            "mozilla",
            "body",
            "brian sabey",
            "hallrender",
            "dynamicloader",
            "show",
            "alerts",
            "trojan",
            "copy",
            "dynamic",
            "medium",
            "reads",
            "write",
            "stealth network",
            "stealth_network",
            "script urls",
            "certificate",
            "rsa sha256",
            "exports data",
            "high",
            "yara rule",
            "yara detections",
            "njrat",
            "cape",
            "njrat malware",
            "sniffs",
            "guard",
            "write c",
            "delete c",
            "ms windows",
            "default",
            "intel",
            "openpgp public",
            "stream",
            "antivm_generic_disk",
            "antivm_generic_bios",
            "network_bind",
            "stealth_file spawns_dev_utility",
            "procmem_yara",
            "enumerates_physical_drives",
            "persistence_ads",
            "dynamic_function_loading",
            "reads_self",
            "suspicious_command_tools",
            "network",
            "rat"
          ],
          "references": [
            "http://www.tabxexplorer.com [phishing]",
            "http://www.tabxexplorer.com/lenovo",
            "GET /lenovo HTTP/1.1 Host: www.tabxexplorer.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
            "identity_helper.exe",
            "cdn.easykeys.com",
            "hive21.ctcsoftware.com",
            "www.moxa.com",
            "msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com",
            "IDS Detections: Cobalt Strike Malleable C2 JQuery",
            "IDS Detections: Nullsoft Mozilla UA (NSISDL)",
            "IDS Detections: Observed Suspicious UA (NSISDL/1.2 (Mozilla))",
            "IDS Detections: SSL excessive fatal alerts (possible POODLE attack against server)",
            "IDS Detections: GENERIC Likely Malicious Fake IE Downloading .exe",
            "Tulach Malware: 114.114.114.114",
            "ns3.hallgrandsale.ru",
            "AgentTesla.KM: FileHash-MD5 e0801d62e8379b98177fd94a027e8b30",
            "AgentTesla.KM: FileHash-SHA1 0fa00a939ca8af08c90310b808d1d8fc70a518c3",
            "Yara Detection: Nullsoft_NSIS"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Zombie.A",
              "display_name": "Trojan:Win32/Zombie.A",
              "target": "/malware/Trojan:Win32/Zombie.A"
            },
            {
              "id": "ALF:Trojan:MSIL/AgentTesla.KM",
              "display_name": "ALF:Trojan:MSIL/AgentTesla.KM",
              "target": null
            },
            {
              "id": "ALF:Win32/GbdInf_305B1C9A.J!ibt",
              "display_name": "ALF:Win32/GbdInf_305B1C9A.J!ibt",
              "target": "/malware/ALF:Win32/GbdInf_305B1C9A.J!ibt"
            },
            {
              "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
              "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "HackTool:Win32/CobaltStrike.A",
              "display_name": "HackTool:Win32/CobaltStrike.A",
              "target": "/malware/HackTool:Win32/CobaltStrike.A"
            },
            {
              "id": "HackTool:Win32/Atosev.A",
              "display_name": "HackTool:Win32/Atosev.A",
              "target": "/malware/HackTool:Win32/Atosev.A"
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            },
            {
              "id": "Sabey",
              "display_name": "Sabey",
              "target": null
            },
            {
              "id": "HallRender",
              "display_name": "HallRender",
              "target": null
            },
            {
              "id": "Win.Malware.Generickdz-9938530-0",
              "display_name": "Win.Malware.Generickdz-9938530-0",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            }
          ],
          "industries": [
            "Civil Society",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 55,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 5551,
            "hostname": 1690,
            "domain": 929,
            "FileHash-SHA256": 2696,
            "FileHash-MD5": 405,
            "FileHash-SHA1": 315,
            "email": 4,
            "SSLCertFingerprint": 1
          },
          "indicator_count": 11591,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 223,
          "modified_text": "747 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65bca8fcbe62297d71b47c33",
          "name": "Ragnar Locker",
          "description": "\u2022 FBI Flash CU-000163-MW: RagnarLocker Ransomware Indicators of Compromise\n\u2022 Found in https://www.Esurance.com\n  108.26.193.165\nAS 701 (UUNET)\n\u2022108.26.193.165 Postal Code: 02465 Reverse Domain Lookup: pool-108-26-193-165.bstnma.fios.verizon.net \n| Ragnar Locker is ransomware for Windows and Linux that exfiltrates information from a compromised machine, encrypts files using the Salsa20 encryption algorithm, and demands that victims pay a ransom to recover their data. The Ragnar Locker group is known to employ a double extortion tactic.",
          "modified": "2024-03-03T08:00:03.432000",
          "created": "2024-02-02T08:34:04.425000",
          "tags": [
            "referrer",
            "contacted",
            "whois record",
            "ssl certificate",
            "whois whois",
            "contacted urls",
            "execution",
            "historical ssl",
            "red team",
            "gang breached",
            "agent tesla",
            "redline stealer",
            "metro",
            "android",
            "urls url",
            "files",
            "kgs0",
            "kls0",
            "orgtechhandle",
            "orgtechref",
            "orgabusehandle",
            "orgdnshandle",
            "orgdnsref",
            "whois lookup",
            "netrange",
            "nethandle",
            "net108",
            "net1080000",
            "communicating",
            "urls http",
            "ransomware gang",
            "breached",
            "team",
            "first",
            "utc submissions",
            "submitters",
            "gandi sas",
            "psiusa",
            "domain robot",
            "porkbun llc",
            "keysystems gmbh",
            "csc corporate",
            "domains",
            "domain name",
            "network pty",
            "tucows",
            "com laude",
            "dynadot inc"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 8354,
            "FileHash-MD5": 104,
            "FileHash-SHA1": 81,
            "FileHash-SHA256": 2711,
            "CIDR": 5,
            "CVE": 6,
            "domain": 1489,
            "hostname": 3058,
            "email": 5
          },
          "indicator_count": 15813,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "777 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b7e3fe91a1aceb955e54f6",
          "name": "NSO Group Pegasus",
          "description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when  Brashears  was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at  Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys?  I am her only advocate.",
          "modified": "2024-02-28T15:01:20.140000",
          "created": "2024-01-29T17:44:30.147000",
          "tags": [
            "ssl certificate",
            "whois record",
            "whois whois",
            "communicating",
            "cellbrite",
            "urls http",
            "referrer",
            "historical ssl",
            "nullmixer",
            "smokeloader",
            "redline stealer",
            "installer",
            "hiddentear",
            "probe",
            "nso group",
            "pegasus",
            "community",
            "xcitium verdict",
            "cloud",
            "bitdefender",
            "history",
            "utc http",
            "response final",
            "url final",
            "ip address",
            "status code",
            "compiler",
            "basic",
            "pe32",
            "intel",
            "ms windows",
            "win16 ne",
            "os2 executable",
            "generic windos",
            "executable",
            "pe32 compiler",
            "rticon russian",
            "info header",
            "name md5",
            "contained",
            "type",
            "language",
            "ico rtgroupicon",
            "russian",
            "overlay",
            "urls",
            "domains",
            "gandi sas",
            "contacted",
            "markmonitor",
            "ip detections",
            "country",
            "pe resource",
            "children",
            "file type",
            "ico mainicon",
            "linkid252669",
            "win32 dll",
            "ms visual",
            "win32 dynamic",
            "win32 exe",
            "files",
            "afrefhttp",
            "execution",
            "highly targeted",
            "http",
            "agent tesla",
            "blackbag",
            "relations most",
            "core",
            "malware",
            "emotet",
            "critical",
            "copy",
            "qakbot",
            "trojan",
            "ransomexx",
            "ryuk",
            "ransomware",
            "matanbuchus",
            "cobalt strike",
            "bazarloader",
            "as15169 google",
            "united",
            "passive dns",
            "aaaa",
            "title",
            "a domains",
            "body html",
            "head meta",
            "moved title",
            "tsara brashears",
            "offender",
            "Robert neill",
            "jeffery scott reimer",
            "assaulted",
            "sci",
            "warning",
            "denver",
            "death threats",
            "porn malvertizing",
            "bomb",
            "bomb threats"
          ],
          "references": [
            "https://www.nsogroup.com/",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "ww.google.com.uy",
            "321Survive.exe",
            "https://en.m.wikipedia.org \u203a wiki NSO Group"
          ],
          "public": 1,
          "adversary": "NSO Group",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "trojan.wanna/wannacry",
              "display_name": "trojan.wanna/wannacry",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 570,
            "URL": 2908,
            "FileHash-MD5": 98,
            "FileHash-SHA1": 84,
            "FileHash-SHA256": 2241,
            "hostname": 1043,
            "CVE": 3,
            "email": 1
          },
          "indicator_count": 6948,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "781 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b7e3fe934ae9d391614c0d",
          "name": "NSO Group Pegasus",
          "description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when  Brashears  was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at  Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys?  I am her only advocate.",
          "modified": "2024-02-28T15:01:20.140000",
          "created": "2024-01-29T17:44:30.585000",
          "tags": [
            "ssl certificate",
            "whois record",
            "whois whois",
            "communicating",
            "cellbrite",
            "urls http",
            "referrer",
            "historical ssl",
            "nullmixer",
            "smokeloader",
            "redline stealer",
            "installer",
            "hiddentear",
            "probe",
            "nso group",
            "pegasus",
            "community",
            "xcitium verdict",
            "cloud",
            "bitdefender",
            "history",
            "utc http",
            "response final",
            "url final",
            "ip address",
            "status code",
            "compiler",
            "basic",
            "pe32",
            "intel",
            "ms windows",
            "win16 ne",
            "os2 executable",
            "generic windos",
            "executable",
            "pe32 compiler",
            "rticon russian",
            "info header",
            "name md5",
            "contained",
            "type",
            "language",
            "ico rtgroupicon",
            "russian",
            "overlay",
            "urls",
            "domains",
            "gandi sas",
            "contacted",
            "markmonitor",
            "ip detections",
            "country",
            "pe resource",
            "children",
            "file type",
            "ico mainicon",
            "linkid252669",
            "win32 dll",
            "ms visual",
            "win32 dynamic",
            "win32 exe",
            "files",
            "afrefhttp",
            "execution",
            "highly targeted",
            "http",
            "agent tesla",
            "blackbag",
            "relations most",
            "core",
            "malware",
            "emotet",
            "critical",
            "copy",
            "qakbot",
            "trojan",
            "ransomexx",
            "ryuk",
            "ransomware",
            "matanbuchus",
            "cobalt strike",
            "bazarloader",
            "as15169 google",
            "united",
            "passive dns",
            "aaaa",
            "title",
            "a domains",
            "body html",
            "head meta",
            "moved title",
            "tsara brashears",
            "offender",
            "Robert neill",
            "jeffery scott reimer",
            "assaulted",
            "sci",
            "warning",
            "denver",
            "death threats",
            "porn malvertizing",
            "bomb",
            "bomb threats"
          ],
          "references": [
            "https://www.nsogroup.com/",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "ww.google.com.uy",
            "321Survive.exe",
            "https://en.m.wikipedia.org \u203a wiki NSO Group"
          ],
          "public": 1,
          "adversary": "NSO Group",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "trojan.wanna/wannacry",
              "display_name": "trojan.wanna/wannacry",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 570,
            "URL": 2908,
            "FileHash-MD5": 98,
            "FileHash-SHA1": 84,
            "FileHash-SHA256": 2241,
            "hostname": 1043,
            "CVE": 3,
            "email": 1
          },
          "indicator_count": 6948,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 219,
          "modified_text": "781 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b7e4017a14cda8d09c9bf8",
          "name": "NSO Group Pegasus",
          "description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when  Brashears  was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at  Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys?  I am her only advocate.",
          "modified": "2024-02-28T15:01:20.140000",
          "created": "2024-01-29T17:44:33.270000",
          "tags": [
            "ssl certificate",
            "whois record",
            "whois whois",
            "communicating",
            "cellbrite",
            "urls http",
            "referrer",
            "historical ssl",
            "nullmixer",
            "smokeloader",
            "redline stealer",
            "installer",
            "hiddentear",
            "probe",
            "nso group",
            "pegasus",
            "community",
            "xcitium verdict",
            "cloud",
            "bitdefender",
            "history",
            "utc http",
            "response final",
            "url final",
            "ip address",
            "status code",
            "compiler",
            "basic",
            "pe32",
            "intel",
            "ms windows",
            "win16 ne",
            "os2 executable",
            "generic windos",
            "executable",
            "pe32 compiler",
            "rticon russian",
            "info header",
            "name md5",
            "contained",
            "type",
            "language",
            "ico rtgroupicon",
            "russian",
            "overlay",
            "urls",
            "domains",
            "gandi sas",
            "contacted",
            "markmonitor",
            "ip detections",
            "country",
            "pe resource",
            "children",
            "file type",
            "ico mainicon",
            "linkid252669",
            "win32 dll",
            "ms visual",
            "win32 dynamic",
            "win32 exe",
            "files",
            "afrefhttp",
            "execution",
            "highly targeted",
            "http",
            "agent tesla",
            "blackbag",
            "relations most",
            "core",
            "malware",
            "emotet",
            "critical",
            "copy",
            "qakbot",
            "trojan",
            "ransomexx",
            "ryuk",
            "ransomware",
            "matanbuchus",
            "cobalt strike",
            "bazarloader",
            "as15169 google",
            "united",
            "passive dns",
            "aaaa",
            "title",
            "a domains",
            "body html",
            "head meta",
            "moved title",
            "tsara brashears",
            "offender",
            "Robert neill",
            "jeffery scott reimer",
            "assaulted",
            "sci",
            "warning",
            "denver",
            "death threats",
            "porn malvertizing",
            "bomb",
            "bomb threats"
          ],
          "references": [
            "https://www.nsogroup.com/",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "ww.google.com.uy",
            "321Survive.exe",
            "https://en.m.wikipedia.org \u203a wiki NSO Group"
          ],
          "public": 1,
          "adversary": "NSO Group",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "trojan.wanna/wannacry",
              "display_name": "trojan.wanna/wannacry",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 570,
            "URL": 2908,
            "FileHash-MD5": 98,
            "FileHash-SHA1": 84,
            "FileHash-SHA256": 2241,
            "hostname": 1043,
            "CVE": 3,
            "email": 1
          },
          "indicator_count": 6948,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "781 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b7e406028ca6f363f41315",
          "name": "NSO Group Pegasus",
          "description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when  Brashears  was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at  Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys?  I am her only advocate.",
          "modified": "2024-02-28T15:01:20.140000",
          "created": "2024-01-29T17:44:38.424000",
          "tags": [
            "ssl certificate",
            "whois record",
            "whois whois",
            "communicating",
            "cellbrite",
            "urls http",
            "referrer",
            "historical ssl",
            "nullmixer",
            "smokeloader",
            "redline stealer",
            "installer",
            "hiddentear",
            "probe",
            "nso group",
            "pegasus",
            "community",
            "xcitium verdict",
            "cloud",
            "bitdefender",
            "history",
            "utc http",
            "response final",
            "url final",
            "ip address",
            "status code",
            "compiler",
            "basic",
            "pe32",
            "intel",
            "ms windows",
            "win16 ne",
            "os2 executable",
            "generic windos",
            "executable",
            "pe32 compiler",
            "rticon russian",
            "info header",
            "name md5",
            "contained",
            "type",
            "language",
            "ico rtgroupicon",
            "russian",
            "overlay",
            "urls",
            "domains",
            "gandi sas",
            "contacted",
            "markmonitor",
            "ip detections",
            "country",
            "pe resource",
            "children",
            "file type",
            "ico mainicon",
            "linkid252669",
            "win32 dll",
            "ms visual",
            "win32 dynamic",
            "win32 exe",
            "files",
            "afrefhttp",
            "execution",
            "highly targeted",
            "http",
            "agent tesla",
            "blackbag",
            "relations most",
            "core",
            "malware",
            "emotet",
            "critical",
            "copy",
            "qakbot",
            "trojan",
            "ransomexx",
            "ryuk",
            "ransomware",
            "matanbuchus",
            "cobalt strike",
            "bazarloader",
            "as15169 google",
            "united",
            "passive dns",
            "aaaa",
            "title",
            "a domains",
            "body html",
            "head meta",
            "moved title",
            "tsara brashears",
            "offender",
            "Robert neill",
            "jeffery scott reimer",
            "assaulted",
            "sci",
            "warning",
            "denver",
            "death threats",
            "porn malvertizing",
            "bomb",
            "bomb threats"
          ],
          "references": [
            "https://www.nsogroup.com/",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "ww.google.com.uy",
            "321Survive.exe",
            "https://en.m.wikipedia.org \u203a wiki NSO Group"
          ],
          "public": 1,
          "adversary": "NSO Group",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "trojan.wanna/wannacry",
              "display_name": "trojan.wanna/wannacry",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 570,
            "URL": 2908,
            "FileHash-MD5": 98,
            "FileHash-SHA1": 84,
            "FileHash-SHA256": 2241,
            "hostname": 1043,
            "CVE": 3,
            "email": 1
          },
          "indicator_count": 6948,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "781 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b8071976a7e6dccaabbada",
          "name": "NSO Group Pegasus",
          "description": "",
          "modified": "2024-02-28T15:01:20.140000",
          "created": "2024-01-29T20:14:17.001000",
          "tags": [
            "ssl certificate",
            "whois record",
            "whois whois",
            "communicating",
            "cellbrite",
            "urls http",
            "referrer",
            "historical ssl",
            "nullmixer",
            "smokeloader",
            "redline stealer",
            "installer",
            "hiddentear",
            "probe",
            "nso group",
            "pegasus",
            "community",
            "xcitium verdict",
            "cloud",
            "bitdefender",
            "history",
            "utc http",
            "response final",
            "url final",
            "ip address",
            "status code",
            "compiler",
            "basic",
            "pe32",
            "intel",
            "ms windows",
            "win16 ne",
            "os2 executable",
            "generic windos",
            "executable",
            "pe32 compiler",
            "rticon russian",
            "info header",
            "name md5",
            "contained",
            "type",
            "language",
            "ico rtgroupicon",
            "russian",
            "overlay",
            "urls",
            "domains",
            "gandi sas",
            "contacted",
            "markmonitor",
            "ip detections",
            "country",
            "pe resource",
            "children",
            "file type",
            "ico mainicon",
            "linkid252669",
            "win32 dll",
            "ms visual",
            "win32 dynamic",
            "win32 exe",
            "files",
            "afrefhttp",
            "execution",
            "highly targeted",
            "http",
            "agent tesla",
            "blackbag",
            "relations most",
            "core",
            "malware",
            "emotet",
            "critical",
            "copy",
            "qakbot",
            "trojan",
            "ransomexx",
            "ryuk",
            "ransomware",
            "matanbuchus",
            "cobalt strike",
            "bazarloader",
            "as15169 google",
            "united",
            "passive dns",
            "aaaa",
            "title",
            "a domains",
            "body html",
            "head meta",
            "moved title",
            "tsara brashears",
            "offender",
            "Robert neill",
            "jeffery scott reimer",
            "assaulted",
            "sci",
            "warning",
            "denver",
            "death threats",
            "porn malvertizing",
            "bomb",
            "bomb threats"
          ],
          "references": [
            "https://www.nsogroup.com/",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "ww.google.com.uy",
            "321Survive.exe",
            "https://en.m.wikipedia.org \u203a wiki NSO Group"
          ],
          "public": 1,
          "adversary": "NSO Group",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "trojan.wanna/wannacry",
              "display_name": "trojan.wanna/wannacry",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65b7e406028ca6f363f41315",
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 570,
            "URL": 2908,
            "FileHash-MD5": 98,
            "FileHash-SHA1": 84,
            "FileHash-SHA256": 2241,
            "hostname": 1043,
            "CVE": 3,
            "email": 1
          },
          "indicator_count": 6948,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "781 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6564fa9a3d90d1cd14928b16",
          "name": "Lumma \u2022 University of Alberta \"No Problems\" | T1036 - Masquerading",
          "description": "I was contacted on this forum re: University of Alberta issue. Based on research  www.ualberta.ca redirects. There hasn't been a research effort for redirect. I researched a spoofed website. After viewing senders request, my devices operating system changed, isn't recognized by any accounts, keyloggers.\nFound: Anonymizers, Redirector, Masquerading, Network RAT, Serious Social Engineering, Botnetwork Army, Stealers, Lumma and weirdly targeted  'Tsara Brashears' as a malicious link on a spoofed University in Canada, UCHealth Colorado links.",
          "modified": "2023-12-27T19:03:02.665000",
          "created": "2023-11-27T20:22:50.050000",
          "tags": [
            "threat report",
            "back",
            "ip summary",
            "url summary",
            "summary",
            "download csv",
            "download",
            "json url",
            "urls",
            "detection list",
            "cisco umbrella",
            "site",
            "heur",
            "safe site",
            "alexa top",
            "million",
            "malware",
            "malicious site",
            "phishing site",
            "malicious url",
            "phishing",
            "riskware",
            "presenoker",
            "artemis",
            "agent",
            "unsafe",
            "opencandy",
            "ursnif",
            "wacatac",
            "team",
            "facebook",
            "runescape",
            "service",
            "downldr",
            "psexec",
            "occamy",
            "brontok",
            "zpevdo",
            "startpage",
            "nanocore",
            "keygen",
            "installcore",
            "fareit",
            "secrisk",
            "exploit",
            "mimikatz",
            "sorano",
            "emotet",
            "genkryptik",
            "fuery",
            "dbatloader",
            "qakbot",
            "alexa",
            "malicious",
            "union",
            "lumma stealer",
            "fusioncore",
            "cleaner",
            "azorult",
            "bank",
            "blacknet rat",
            "stealer",
            "iframe",
            "trojanspy",
            "analysis",
            "united",
            "firehol",
            "proxy",
            "mail spammer",
            "downloader",
            "malware site",
            "meterpreter",
            "qbot",
            "bankerx",
            "dropper",
            "nimda",
            "formbook",
            "swrort",
            "unruy",
            "adwind",
            "trojanx",
            "crack",
            "win64",
            "generic",
            "dnspionage",
            "expirestue",
            "path",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "headers",
            "alberta",
            "university",
            "edmonton",
            "html info",
            "alberta meta",
            "tags",
            "trackers google",
            "tag manager",
            "gtmkr32",
            "blacklist",
            "low risk",
            "apache",
            "domain",
            "malware found",
            "unknown",
            "minimal low",
            "security risk",
            "medium high",
            "critical",
            "protect",
            "college",
            "mtis",
            "faculties",
            "research",
            "health",
            "a about",
            "news",
            "events",
            "sport",
            "life",
            "find",
            "story",
            "tools",
            "getprocaddress",
            "indicator",
            "prefetch8",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "pattern match",
            "file",
            "date",
            "factory",
            "hybrid",
            "general",
            "cookie",
            "click",
            "strings",
            "djin",
            "no data",
            "tag count",
            "sample",
            "samples",
            "netsky",
            "cobalt strike",
            "xrat",
            "fakealert",
            "raccoon",
            "redline stealer",
            "metastealer",
            "icedid",
            "quasar rat",
            "acint",
            "anonymizer",
            "blockchain",
            "social engineering",
            "read c",
            "search",
            "show",
            "medium",
            "entries",
            "whitelisted",
            "memcommit",
            "delete",
            "yara detections",
            "next",
            "dock",
            "write",
            "execution",
            "copy",
            "south carolina",
            "federal credit",
            "team proxy",
            "static engine",
            "covid19",
            "redirector",
            "suspic",
            "tue mar",
            "zbot",
            "size68b type",
            "count blacklist",
            "tag tag",
            "rejected sample",
            "icon",
            "analyzed",
            "hwp support",
            "falcon sandbox",
            "multi scan",
            "update",
            "view details",
            "upgrade",
            "blacklist https",
            "keyloggers"
          ],
          "references": [
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian  (iPhone unlocker)",
            "uchealth.com",
            "http://michaela.young@uchealth.com",
            "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf",
            "https://api2018.uchealth.com/apihc/tass/webportal/apihealthcare_live/default.aspx",
            "https://www.uchealth.com/wp-content/uploads/2017/12/UCHealthInsuranceIndex_120417.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Qakbot",
              "display_name": "Qakbot",
              "target": null
            },
            {
              "id": "MimiKatz",
              "display_name": "MimiKatz",
              "target": null
            },
            {
              "id": "RedLine Stealer",
              "display_name": "RedLine Stealer",
              "target": null
            },
            {
              "id": "Network RAT",
              "display_name": "Network RAT",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            },
            {
              "id": "Raccoon",
              "display_name": "Raccoon",
              "target": null
            },
            {
              "id": "OpenCandy",
              "display_name": "OpenCandy",
              "target": null
            },
            {
              "id": "Meterpreter",
              "display_name": "Meterpreter",
              "target": null
            },
            {
              "id": "Unruy",
              "display_name": "Unruy",
              "target": null
            },
            {
              "id": "TrojanX",
              "display_name": "TrojanX",
              "target": null
            },
            {
              "id": "BlackNET RAT",
              "display_name": "BlackNET RAT",
              "target": null
            },
            {
              "id": "Brontok",
              "display_name": "Brontok",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1588.004",
              "name": "Digital Certificates",
              "display_name": "T1588.004 - Digital Certificates"
            },
            {
              "id": "T1546.015",
              "name": "Component Object Model Hijacking",
              "display_name": "T1546.015 - Component Object Model Hijacking"
            },
            {
              "id": "T1126",
              "name": "Network Share Connection Removal",
              "display_name": "T1126 - Network Share Connection Removal"
            },
            {
              "id": "T1136",
              "name": "Create Account",
              "display_name": "T1136 - Create Account"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.003",
              "name": "Mail Protocols",
              "display_name": "T1071.003 - Mail Protocols"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1134.004",
              "name": "Parent PID Spoofing",
              "display_name": "T1134.004 - Parent PID Spoofing"
            }
          ],
          "industries": [
            "Education",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 83,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 320,
            "FileHash-SHA1": 172,
            "FileHash-SHA256": 4302,
            "URL": 8243,
            "CIDR": 1,
            "domain": 1742,
            "hostname": 2270,
            "CVE": 18,
            "SSLCertFingerprint": 3,
            "email": 4
          },
          "indicator_count": 17075,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 222,
          "modified_text": "844 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "655dafbe9ac9ac786fde45ad",
          "name": "http://malwaredomainlist.com/ \u2022 CNC \u2022 Spyware \u2022 Tracking",
          "description": "Network capture, dga domain, ecc domain, data collection, voicemail access, mail spammer, registrar abuse\n\n[Auto populated. I cannot confirm or deny the accuracy of the following information: A summary of key facts and information about a malicious web domain, hosted by the US government, has been released by Google.com and its parent company, Alphabet, for use on its website.]",
          "modified": "2023-12-22T06:03:01.993000",
          "created": "2023-11-22T07:37:34.595000",
          "tags": [
            "united",
            "as22612",
            "as2637",
            "creation date",
            "search",
            "moved",
            "expiration date",
            "date",
            "showing",
            "as397240",
            "next",
            "entries",
            "scan endpoints",
            "all octoseek",
            "dns replication",
            "win32 exe",
            "network capture",
            "android",
            "android adaway",
            "html",
            "files",
            "detections type",
            "name",
            "office open",
            "xml document",
            "namecheap",
            "namecheap inc",
            "whois lookups",
            "win32 dll",
            "text",
            "wextract",
            "text htaccess",
            "powershell",
            "detection list",
            "blacklist",
            "first",
            "ssl certificate",
            "whois record",
            "contacted",
            "december",
            "whois whois",
            "threat roundup",
            "historical ssl",
            "problems",
            "referrer",
            "pe resource",
            "startpage",
            "cyber threat",
            "redline stealer",
            "mail spammer",
            "hostname",
            "phishing site",
            "malicious site",
            "installcore",
            "http spammer",
            "malware site",
            "malware",
            "generic malware",
            "heur",
            "generic",
            "alexa top",
            "million",
            "site",
            "cisco umbrella",
            "alexa",
            "ip address",
            "algorithm",
            "data",
            "v3 serial",
            "number",
            "cat cnzerossl",
            "ecc domain",
            "secure site",
            "ca ozerossl",
            "validity",
            "subject public",
            "server",
            "email",
            "code",
            "registrar abuse",
            "country",
            "privacy service",
            "withheld",
            "privacy",
            "domain name",
            "pattern match",
            "ascii text",
            "appdata",
            "file",
            "windows nt",
            "svg scalable",
            "vector graphics",
            "indicator",
            "gif image",
            "accept",
            "hybrid",
            "general",
            "local",
            "pixel",
            "click",
            "twitter",
            "strings",
            "class",
            "generator",
            "critical",
            "command_and_control",
            "spyware",
            "tracking",
            "voicemail access",
            "dga",
            "apple"
          ],
          "references": [
            "https://www.hybrid-analysis.com/sample/c0c84df54b890bb408fc2289f1e75a29991127bbe207aa30042616b5ea150342/655d9af5679c7afcc409895e",
            "\u2193Interesting\u2193",
            "IPv4 198.54.117.211 command_and_control",
            "IPv4 198.54.117.210 command_and_control",
            "IPv4 198.54.117.212 command_and_control",
            "IPv4 198.54.117.215 command_and_control",
            "IPv4 198.54.117.217 command_and_control",
            "IPv4 198.54.117.218 command_and_control",
            "apple-securityiphone-icloud.com",
            "tx-p2p-pull.video-voip.com.dorm.com",
            "http://updates.voicemailaccess.net/b0f6a00b15311023",
            "tvapp-server.de",
            "zeustracker.abuse.ch",
            "ransomwaretracker.abuse.ch",
            "http://t.trkitok.com/track/rep?oid=2001&st=1&id=DP2441--w1VJE427J8SGGRTP02MD7UEG___93737493-c08b-4dc7-ad30-b17a2c09e771___$mid",
            "louisianarooflawyers.com         [phishing]",
            "hasownproperty.call"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Generic",
              "display_name": "Generic",
              "target": null
            },
            {
              "id": "BlackNET",
              "display_name": "BlackNET",
              "target": null
            },
            {
              "id": "InstallCore",
              "display_name": "InstallCore",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 51,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 105,
            "FileHash-SHA1": 100,
            "FileHash-SHA256": 3072,
            "domain": 1188,
            "email": 5,
            "URL": 7940,
            "hostname": 1925,
            "CVE": 1
          },
          "indicator_count": 14336,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "849 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "655ae7b85bce5b026a160389",
          "name": "Command and Control Server and Services CRITICAL",
          "description": "HSBC\nInmortal\nRadar Ineractive\nRuleset Match:\nBackSwap Trojan detection by Ariel Millahuel\nCARROTBAT Malware detection by Ariel Millahuel",
          "modified": "2023-12-20T03:01:11.128000",
          "created": "2023-11-20T04:59:36.506000",
          "tags": [
            "contacted",
            "execution",
            "dropped",
            "threat roundup",
            "august",
            "apple ios",
            "contacted urls",
            "referrer",
            "october",
            "april",
            "core",
            "february",
            "hacktool",
            "installer",
            "urls",
            "ovh sas",
            "domains",
            "ip detections",
            "country",
            "type name",
            "win32 exe",
            "noname057",
            "generic malware",
            "tag count",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "sample",
            "samples",
            "detection list",
            "blacklist http",
            "cisco umbrella",
            "site",
            "safe site",
            "wormx",
            "malicious site",
            "alexa top",
            "malware site",
            "million",
            "malicious url",
            "phishing site",
            "malware",
            "alexa",
            "phishing",
            "agent",
            "bank",
            "inmortal",
            "united",
            "cyber threat",
            "pony",
            "cnc zeus",
            "tracker",
            "cnc server",
            "covid19",
            "engineering",
            "http spammer",
            "host",
            "azorult",
            "asyncrat",
            "cobalt strike",
            "team",
            "hsbc",
            "file size",
            "files",
            "file type",
            "kb file",
            "highly targeted",
            "apple",
            "password",
            "tsara brashears",
            "awful",
            "radar ineractive",
            "no data",
            "blacklist",
            "malvertizing",
            "masquerading",
            "tulach",
            "114.114.114.114",
            "Noname057"
          ],
          "references": [],
          "public": 1,
          "adversary": "Unconfirmed Adversary",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Inmortal",
              "display_name": "Inmortal",
              "target": null
            },
            {
              "id": "HSBC",
              "display_name": "HSBC",
              "target": null
            },
            {
              "id": "Radar Ineractive",
              "display_name": "Radar Ineractive",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0001",
              "name": "Initial Access",
              "display_name": "TA0001 - Initial Access"
            },
            {
              "id": "TA0009",
              "name": "Collection",
              "display_name": "TA0009 - Collection"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1059.002",
              "name": "AppleScript",
              "display_name": "T1059.002 - AppleScript"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1098",
              "name": "Account Manipulation",
              "display_name": "T1098 - Account Manipulation"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 28,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 729,
            "FileHash-MD5": 950,
            "FileHash-SHA1": 482,
            "FileHash-SHA256": 878,
            "domain": 139,
            "hostname": 300,
            "CVE": 1
          },
          "indicator_count": 3479,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "851 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://api2018.uchealth.com/apihc/tass/webportal/apihealthcare_live/default.aspx",
        "321Survive.exe",
        "http://www.tabxexplorer.com/lenovo",
        "IDS Detections: Observed Suspicious UA (NSISDL/1.2 (Mozilla))",
        "identity_helper.exe",
        "IPv4 198.54.117.212 command_and_control",
        "https://www.hybrid-analysis.com/sample/c0c84df54b890bb408fc2289f1e75a29991127bbe207aa30042616b5ea150342/655d9af5679c7afcc409895e",
        "http://www.tabxexplorer.com [phishing]",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
        "hive21.ctcsoftware.com",
        "tvapp-server.de",
        "hasownproperty.call",
        "Tulach Malware: 114.114.114.114",
        "IDS Detections: GENERIC Likely Malicious Fake IE Downloading .exe",
        "http://updates.voicemailaccess.net/b0f6a00b15311023",
        "apple-securityiphone-icloud.com",
        "ns3.hallgrandsale.ru",
        "uchealth.com",
        "Yara Detection: Nullsoft_NSIS",
        "IPv4 198.54.117.217 command_and_control",
        "ransomwaretracker.abuse.ch",
        "IPv4 198.54.117.210 command_and_control",
        "louisianarooflawyers.com         [phishing]",
        "http://michaela.young@uchealth.com",
        "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf",
        "\u2193Interesting\u2193",
        "IDS Detections: Nullsoft Mozilla UA (NSISDL)",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "cdn.easykeys.com",
        "msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com",
        "ww.google.com.uy",
        "https://www.nsogroup.com/",
        "IDS Detections: SSL excessive fatal alerts (possible POODLE attack against server)",
        "zeustracker.abuse.ch",
        "tx-p2p-pull.video-voip.com.dorm.com",
        "http://t.trkitok.com/track/rep?oid=2001&st=1&id=DP2441--w1VJE427J8SGGRTP02MD7UEG___93737493-c08b-4dc7-ad30-b17a2c09e771___$mid",
        "IPv4 198.54.117.215 command_and_control",
        "IPv4 198.54.117.218 command_and_control",
        "GET /lenovo HTTP/1.1 Host: www.tabxexplorer.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
        "AgentTesla.KM: FileHash-MD5 e0801d62e8379b98177fd94a027e8b30",
        "https://en.m.wikipedia.org \u203a wiki NSO Group",
        "IPv4 198.54.117.211 command_and_control",
        "https://www.uchealth.com/wp-content/uploads/2017/12/UCHealthInsuranceIndex_120417.pdf",
        "AgentTesla.KM: FileHash-SHA1 0fa00a939ca8af08c90310b808d1d8fc70a518c3",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian  (iPhone unlocker)",
        "www.moxa.com",
        "IDS Detections: Cobalt Strike Malleable C2 JQuery"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "NSO Group",
            "Unconfirmed Adversary"
          ],
          "malware_families": [
            "Opencandy",
            "Trojanspy",
            "Hsbc",
            "Meterpreter",
            "Cobalt strike",
            "Raccoon",
            "Hallrender",
            "Alf:win32/gbdinf_305b1c9a.j!ibt",
            "Blacknet",
            "Sabey",
            "Mimikatz",
            "Inmortal",
            "Blacknet rat",
            "Radar ineractive",
            "Trojan:win32/zombie.a",
            "Trojan.wanna/wannacry",
            "Qakbot",
            "Brontok",
            "Installcore",
            "Hacktool:win32/cobaltstrike.a",
            "Redline stealer",
            "Generic",
            "Tulach",
            "Unruy",
            "Alf:heraklezeval:trojan:win32/clipbanker",
            "Win.malware.generickdz-9938530-0",
            "Lumma stealer",
            "Emotet",
            "Network rat",
            "Trojanx",
            "Alf:trojan:msil/agenttesla.km",
            "Quasar rat",
            "Hacktool:win32/atosev.a"
          ],
          "industries": [
            "Technology",
            "Healthcare",
            "Education",
            "Civil society",
            "Telecommunications"
          ],
          "unique_indicators": 65447
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/starwarsauthentics.com",
    "whois": "http://whois.domaintools.com/starwarsauthentics.com",
    "domain": "starwarsauthentics.com",
    "hostname": "www.starwarsauthentics.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "65e3d1a94659d50264a78fd4",
      "name": "Phishing | TabExplorer attacks compromised networks and devices",
      "description": "",
      "modified": "2024-04-02T01:01:20.068000",
      "created": "2024-03-03T01:26:01.043000",
      "tags": [
        "command decode",
        "suricata ipv4",
        "mitre att",
        "ck id",
        "show technique",
        "ck matrix",
        "suricata udpv4",
        "date",
        "united",
        "windows nt",
        "win64",
        "hybrid",
        "general",
        "click",
        "strings",
        "contact",
        "url http",
        "url https",
        "scan endpoints",
        "all octoseek",
        "report spam",
        "hour ago",
        "whois record",
        "glasgow",
        "scan",
        "iocs",
        "next",
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "ipv4",
        "contacted",
        "execution",
        "pe resource",
        "communicating",
        "urls http",
        "referrer",
        "resolutions",
        "whois whois",
        "collections ip",
        "phishing",
        "attack",
        "loaded module",
        "remote procedure call",
        "search",
        "as15133 verizon",
        "passive dns",
        "urls",
        "creation date",
        "record value",
        "showing",
        "unknown",
        "as8075",
        "as15169 google",
        "as8068",
        "aaaa",
        "cname",
        "a domains",
        "meta",
        "entries",
        "gmt server",
        "ecacc saa83dd",
        "cobalt strike",
        "mozilla",
        "body",
        "brian sabey",
        "hallrender",
        "dynamicloader",
        "show",
        "alerts",
        "trojan",
        "copy",
        "dynamic",
        "medium",
        "reads",
        "write",
        "stealth network",
        "stealth_network",
        "script urls",
        "certificate",
        "rsa sha256",
        "exports data",
        "high",
        "yara rule",
        "yara detections",
        "njrat",
        "cape",
        "njrat malware",
        "sniffs",
        "guard",
        "write c",
        "delete c",
        "ms windows",
        "default",
        "intel",
        "openpgp public",
        "stream",
        "antivm_generic_disk",
        "antivm_generic_bios",
        "network_bind",
        "stealth_file spawns_dev_utility",
        "procmem_yara",
        "enumerates_physical_drives",
        "persistence_ads",
        "dynamic_function_loading",
        "reads_self",
        "suspicious_command_tools",
        "network",
        "rat"
      ],
      "references": [
        "http://www.tabxexplorer.com [phishing]",
        "http://www.tabxexplorer.com/lenovo",
        "GET /lenovo HTTP/1.1 Host: www.tabxexplorer.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0",
        "identity_helper.exe",
        "cdn.easykeys.com",
        "hive21.ctcsoftware.com",
        "www.moxa.com",
        "msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com",
        "IDS Detections: Cobalt Strike Malleable C2 JQuery",
        "IDS Detections: Nullsoft Mozilla UA (NSISDL)",
        "IDS Detections: Observed Suspicious UA (NSISDL/1.2 (Mozilla))",
        "IDS Detections: SSL excessive fatal alerts (possible POODLE attack against server)",
        "IDS Detections: GENERIC Likely Malicious Fake IE Downloading .exe",
        "Tulach Malware: 114.114.114.114",
        "ns3.hallgrandsale.ru",
        "AgentTesla.KM: FileHash-MD5 e0801d62e8379b98177fd94a027e8b30",
        "AgentTesla.KM: FileHash-SHA1 0fa00a939ca8af08c90310b808d1d8fc70a518c3",
        "Yara Detection: Nullsoft_NSIS"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/Zombie.A",
          "display_name": "Trojan:Win32/Zombie.A",
          "target": "/malware/Trojan:Win32/Zombie.A"
        },
        {
          "id": "ALF:Trojan:MSIL/AgentTesla.KM",
          "display_name": "ALF:Trojan:MSIL/AgentTesla.KM",
          "target": null
        },
        {
          "id": "ALF:Win32/GbdInf_305B1C9A.J!ibt",
          "display_name": "ALF:Win32/GbdInf_305B1C9A.J!ibt",
          "target": "/malware/ALF:Win32/GbdInf_305B1C9A.J!ibt"
        },
        {
          "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
          "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "HackTool:Win32/CobaltStrike.A",
          "display_name": "HackTool:Win32/CobaltStrike.A",
          "target": "/malware/HackTool:Win32/CobaltStrike.A"
        },
        {
          "id": "HackTool:Win32/Atosev.A",
          "display_name": "HackTool:Win32/Atosev.A",
          "target": "/malware/HackTool:Win32/Atosev.A"
        },
        {
          "id": "Tulach",
          "display_name": "Tulach",
          "target": null
        },
        {
          "id": "Sabey",
          "display_name": "Sabey",
          "target": null
        },
        {
          "id": "HallRender",
          "display_name": "HallRender",
          "target": null
        },
        {
          "id": "Win.Malware.Generickdz-9938530-0",
          "display_name": "Win.Malware.Generickdz-9938530-0",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1029",
          "name": "Scheduled Transfer",
          "display_name": "T1029 - Scheduled Transfer"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        }
      ],
      "industries": [
        "Civil Society",
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 55,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 5551,
        "hostname": 1690,
        "domain": 929,
        "FileHash-SHA256": 2696,
        "FileHash-MD5": 405,
        "FileHash-SHA1": 315,
        "email": 4,
        "SSLCertFingerprint": 1
      },
      "indicator_count": 11591,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 223,
      "modified_text": "747 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65bca8fcbe62297d71b47c33",
      "name": "Ragnar Locker",
      "description": "\u2022 FBI Flash CU-000163-MW: RagnarLocker Ransomware Indicators of Compromise\n\u2022 Found in https://www.Esurance.com\n  108.26.193.165\nAS 701 (UUNET)\n\u2022108.26.193.165 Postal Code: 02465 Reverse Domain Lookup: pool-108-26-193-165.bstnma.fios.verizon.net \n| Ragnar Locker is ransomware for Windows and Linux that exfiltrates information from a compromised machine, encrypts files using the Salsa20 encryption algorithm, and demands that victims pay a ransom to recover their data. The Ragnar Locker group is known to employ a double extortion tactic.",
      "modified": "2024-03-03T08:00:03.432000",
      "created": "2024-02-02T08:34:04.425000",
      "tags": [
        "referrer",
        "contacted",
        "whois record",
        "ssl certificate",
        "whois whois",
        "contacted urls",
        "execution",
        "historical ssl",
        "red team",
        "gang breached",
        "agent tesla",
        "redline stealer",
        "metro",
        "android",
        "urls url",
        "files",
        "kgs0",
        "kls0",
        "orgtechhandle",
        "orgtechref",
        "orgabusehandle",
        "orgdnshandle",
        "orgdnsref",
        "whois lookup",
        "netrange",
        "nethandle",
        "net108",
        "net1080000",
        "communicating",
        "urls http",
        "ransomware gang",
        "breached",
        "team",
        "first",
        "utc submissions",
        "submitters",
        "gandi sas",
        "psiusa",
        "domain robot",
        "porkbun llc",
        "keysystems gmbh",
        "csc corporate",
        "domains",
        "domain name",
        "network pty",
        "tucows",
        "com laude",
        "dynadot inc"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 23,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 8354,
        "FileHash-MD5": 104,
        "FileHash-SHA1": 81,
        "FileHash-SHA256": 2711,
        "CIDR": 5,
        "CVE": 6,
        "domain": 1489,
        "hostname": 3058,
        "email": 5
      },
      "indicator_count": 15813,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 228,
      "modified_text": "777 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65b7e3fe91a1aceb955e54f6",
      "name": "NSO Group Pegasus",
      "description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when  Brashears  was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at  Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys?  I am her only advocate.",
      "modified": "2024-02-28T15:01:20.140000",
      "created": "2024-01-29T17:44:30.147000",
      "tags": [
        "ssl certificate",
        "whois record",
        "whois whois",
        "communicating",
        "cellbrite",
        "urls http",
        "referrer",
        "historical ssl",
        "nullmixer",
        "smokeloader",
        "redline stealer",
        "installer",
        "hiddentear",
        "probe",
        "nso group",
        "pegasus",
        "community",
        "xcitium verdict",
        "cloud",
        "bitdefender",
        "history",
        "utc http",
        "response final",
        "url final",
        "ip address",
        "status code",
        "compiler",
        "basic",
        "pe32",
        "intel",
        "ms windows",
        "win16 ne",
        "os2 executable",
        "generic windos",
        "executable",
        "pe32 compiler",
        "rticon russian",
        "info header",
        "name md5",
        "contained",
        "type",
        "language",
        "ico rtgroupicon",
        "russian",
        "overlay",
        "urls",
        "domains",
        "gandi sas",
        "contacted",
        "markmonitor",
        "ip detections",
        "country",
        "pe resource",
        "children",
        "file type",
        "ico mainicon",
        "linkid252669",
        "win32 dll",
        "ms visual",
        "win32 dynamic",
        "win32 exe",
        "files",
        "afrefhttp",
        "execution",
        "highly targeted",
        "http",
        "agent tesla",
        "blackbag",
        "relations most",
        "core",
        "malware",
        "emotet",
        "critical",
        "copy",
        "qakbot",
        "trojan",
        "ransomexx",
        "ryuk",
        "ransomware",
        "matanbuchus",
        "cobalt strike",
        "bazarloader",
        "as15169 google",
        "united",
        "passive dns",
        "aaaa",
        "title",
        "a domains",
        "body html",
        "head meta",
        "moved title",
        "tsara brashears",
        "offender",
        "Robert neill",
        "jeffery scott reimer",
        "assaulted",
        "sci",
        "warning",
        "denver",
        "death threats",
        "porn malvertizing",
        "bomb",
        "bomb threats"
      ],
      "references": [
        "https://www.nsogroup.com/",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "ww.google.com.uy",
        "321Survive.exe",
        "https://en.m.wikipedia.org \u203a wiki NSO Group"
      ],
      "public": 1,
      "adversary": "NSO Group",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "trojan.wanna/wannacry",
          "display_name": "trojan.wanna/wannacry",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 570,
        "URL": 2908,
        "FileHash-MD5": 98,
        "FileHash-SHA1": 84,
        "FileHash-SHA256": 2241,
        "hostname": 1043,
        "CVE": 3,
        "email": 1
      },
      "indicator_count": 6948,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 220,
      "modified_text": "781 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65b7e3fe934ae9d391614c0d",
      "name": "NSO Group Pegasus",
      "description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when  Brashears  was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at  Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys?  I am her only advocate.",
      "modified": "2024-02-28T15:01:20.140000",
      "created": "2024-01-29T17:44:30.585000",
      "tags": [
        "ssl certificate",
        "whois record",
        "whois whois",
        "communicating",
        "cellbrite",
        "urls http",
        "referrer",
        "historical ssl",
        "nullmixer",
        "smokeloader",
        "redline stealer",
        "installer",
        "hiddentear",
        "probe",
        "nso group",
        "pegasus",
        "community",
        "xcitium verdict",
        "cloud",
        "bitdefender",
        "history",
        "utc http",
        "response final",
        "url final",
        "ip address",
        "status code",
        "compiler",
        "basic",
        "pe32",
        "intel",
        "ms windows",
        "win16 ne",
        "os2 executable",
        "generic windos",
        "executable",
        "pe32 compiler",
        "rticon russian",
        "info header",
        "name md5",
        "contained",
        "type",
        "language",
        "ico rtgroupicon",
        "russian",
        "overlay",
        "urls",
        "domains",
        "gandi sas",
        "contacted",
        "markmonitor",
        "ip detections",
        "country",
        "pe resource",
        "children",
        "file type",
        "ico mainicon",
        "linkid252669",
        "win32 dll",
        "ms visual",
        "win32 dynamic",
        "win32 exe",
        "files",
        "afrefhttp",
        "execution",
        "highly targeted",
        "http",
        "agent tesla",
        "blackbag",
        "relations most",
        "core",
        "malware",
        "emotet",
        "critical",
        "copy",
        "qakbot",
        "trojan",
        "ransomexx",
        "ryuk",
        "ransomware",
        "matanbuchus",
        "cobalt strike",
        "bazarloader",
        "as15169 google",
        "united",
        "passive dns",
        "aaaa",
        "title",
        "a domains",
        "body html",
        "head meta",
        "moved title",
        "tsara brashears",
        "offender",
        "Robert neill",
        "jeffery scott reimer",
        "assaulted",
        "sci",
        "warning",
        "denver",
        "death threats",
        "porn malvertizing",
        "bomb",
        "bomb threats"
      ],
      "references": [
        "https://www.nsogroup.com/",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "ww.google.com.uy",
        "321Survive.exe",
        "https://en.m.wikipedia.org \u203a wiki NSO Group"
      ],
      "public": 1,
      "adversary": "NSO Group",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "trojan.wanna/wannacry",
          "display_name": "trojan.wanna/wannacry",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 570,
        "URL": 2908,
        "FileHash-MD5": 98,
        "FileHash-SHA1": 84,
        "FileHash-SHA256": 2241,
        "hostname": 1043,
        "CVE": 3,
        "email": 1
      },
      "indicator_count": 6948,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 219,
      "modified_text": "781 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65b7e4017a14cda8d09c9bf8",
      "name": "NSO Group Pegasus",
      "description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when  Brashears  was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at  Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys?  I am her only advocate.",
      "modified": "2024-02-28T15:01:20.140000",
      "created": "2024-01-29T17:44:33.270000",
      "tags": [
        "ssl certificate",
        "whois record",
        "whois whois",
        "communicating",
        "cellbrite",
        "urls http",
        "referrer",
        "historical ssl",
        "nullmixer",
        "smokeloader",
        "redline stealer",
        "installer",
        "hiddentear",
        "probe",
        "nso group",
        "pegasus",
        "community",
        "xcitium verdict",
        "cloud",
        "bitdefender",
        "history",
        "utc http",
        "response final",
        "url final",
        "ip address",
        "status code",
        "compiler",
        "basic",
        "pe32",
        "intel",
        "ms windows",
        "win16 ne",
        "os2 executable",
        "generic windos",
        "executable",
        "pe32 compiler",
        "rticon russian",
        "info header",
        "name md5",
        "contained",
        "type",
        "language",
        "ico rtgroupicon",
        "russian",
        "overlay",
        "urls",
        "domains",
        "gandi sas",
        "contacted",
        "markmonitor",
        "ip detections",
        "country",
        "pe resource",
        "children",
        "file type",
        "ico mainicon",
        "linkid252669",
        "win32 dll",
        "ms visual",
        "win32 dynamic",
        "win32 exe",
        "files",
        "afrefhttp",
        "execution",
        "highly targeted",
        "http",
        "agent tesla",
        "blackbag",
        "relations most",
        "core",
        "malware",
        "emotet",
        "critical",
        "copy",
        "qakbot",
        "trojan",
        "ransomexx",
        "ryuk",
        "ransomware",
        "matanbuchus",
        "cobalt strike",
        "bazarloader",
        "as15169 google",
        "united",
        "passive dns",
        "aaaa",
        "title",
        "a domains",
        "body html",
        "head meta",
        "moved title",
        "tsara brashears",
        "offender",
        "Robert neill",
        "jeffery scott reimer",
        "assaulted",
        "sci",
        "warning",
        "denver",
        "death threats",
        "porn malvertizing",
        "bomb",
        "bomb threats"
      ],
      "references": [
        "https://www.nsogroup.com/",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "ww.google.com.uy",
        "321Survive.exe",
        "https://en.m.wikipedia.org \u203a wiki NSO Group"
      ],
      "public": 1,
      "adversary": "NSO Group",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "trojan.wanna/wannacry",
          "display_name": "trojan.wanna/wannacry",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 570,
        "URL": 2908,
        "FileHash-MD5": 98,
        "FileHash-SHA1": 84,
        "FileHash-SHA256": 2241,
        "hostname": 1043,
        "CVE": 3,
        "email": 1
      },
      "indicator_count": 6948,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 220,
      "modified_text": "781 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65b7e406028ca6f363f41315",
      "name": "NSO Group Pegasus",
      "description": "NSO Group\nNSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click.\n\nHeavily targeting Tsara Brashears\nSet in motion when  Brashears  was attacked and critically injured by Jeffrey Scott Reimer DPT in Denver Colorado at  Concentra AMS whilst bit knowing she was in the American Workers compensation system. Brashears was not represented by an attorney at the time. She was threatened by Mark Montano MD who wanted wife to be elected coroner. Denied care for a spinal cord injury. All records stolen or falsified. Death threats and other cyber or physical attacks, contact with this strange group is common. Recent, injurious attempt on life dismissed by alleged detective by phone. Found, confirmed, let another offender walk. Ghost car. Ghost offender. Frightened attorneys?  I am her only advocate.",
      "modified": "2024-02-28T15:01:20.140000",
      "created": "2024-01-29T17:44:38.424000",
      "tags": [
        "ssl certificate",
        "whois record",
        "whois whois",
        "communicating",
        "cellbrite",
        "urls http",
        "referrer",
        "historical ssl",
        "nullmixer",
        "smokeloader",
        "redline stealer",
        "installer",
        "hiddentear",
        "probe",
        "nso group",
        "pegasus",
        "community",
        "xcitium verdict",
        "cloud",
        "bitdefender",
        "history",
        "utc http",
        "response final",
        "url final",
        "ip address",
        "status code",
        "compiler",
        "basic",
        "pe32",
        "intel",
        "ms windows",
        "win16 ne",
        "os2 executable",
        "generic windos",
        "executable",
        "pe32 compiler",
        "rticon russian",
        "info header",
        "name md5",
        "contained",
        "type",
        "language",
        "ico rtgroupicon",
        "russian",
        "overlay",
        "urls",
        "domains",
        "gandi sas",
        "contacted",
        "markmonitor",
        "ip detections",
        "country",
        "pe resource",
        "children",
        "file type",
        "ico mainicon",
        "linkid252669",
        "win32 dll",
        "ms visual",
        "win32 dynamic",
        "win32 exe",
        "files",
        "afrefhttp",
        "execution",
        "highly targeted",
        "http",
        "agent tesla",
        "blackbag",
        "relations most",
        "core",
        "malware",
        "emotet",
        "critical",
        "copy",
        "qakbot",
        "trojan",
        "ransomexx",
        "ryuk",
        "ransomware",
        "matanbuchus",
        "cobalt strike",
        "bazarloader",
        "as15169 google",
        "united",
        "passive dns",
        "aaaa",
        "title",
        "a domains",
        "body html",
        "head meta",
        "moved title",
        "tsara brashears",
        "offender",
        "Robert neill",
        "jeffery scott reimer",
        "assaulted",
        "sci",
        "warning",
        "denver",
        "death threats",
        "porn malvertizing",
        "bomb",
        "bomb threats"
      ],
      "references": [
        "https://www.nsogroup.com/",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "ww.google.com.uy",
        "321Survive.exe",
        "https://en.m.wikipedia.org \u203a wiki NSO Group"
      ],
      "public": 1,
      "adversary": "NSO Group",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "trojan.wanna/wannacry",
          "display_name": "trojan.wanna/wannacry",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 570,
        "URL": 2908,
        "FileHash-MD5": 98,
        "FileHash-SHA1": 84,
        "FileHash-SHA256": 2241,
        "hostname": 1043,
        "CVE": 3,
        "email": 1
      },
      "indicator_count": 6948,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 220,
      "modified_text": "781 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65b8071976a7e6dccaabbada",
      "name": "NSO Group Pegasus",
      "description": "",
      "modified": "2024-02-28T15:01:20.140000",
      "created": "2024-01-29T20:14:17.001000",
      "tags": [
        "ssl certificate",
        "whois record",
        "whois whois",
        "communicating",
        "cellbrite",
        "urls http",
        "referrer",
        "historical ssl",
        "nullmixer",
        "smokeloader",
        "redline stealer",
        "installer",
        "hiddentear",
        "probe",
        "nso group",
        "pegasus",
        "community",
        "xcitium verdict",
        "cloud",
        "bitdefender",
        "history",
        "utc http",
        "response final",
        "url final",
        "ip address",
        "status code",
        "compiler",
        "basic",
        "pe32",
        "intel",
        "ms windows",
        "win16 ne",
        "os2 executable",
        "generic windos",
        "executable",
        "pe32 compiler",
        "rticon russian",
        "info header",
        "name md5",
        "contained",
        "type",
        "language",
        "ico rtgroupicon",
        "russian",
        "overlay",
        "urls",
        "domains",
        "gandi sas",
        "contacted",
        "markmonitor",
        "ip detections",
        "country",
        "pe resource",
        "children",
        "file type",
        "ico mainicon",
        "linkid252669",
        "win32 dll",
        "ms visual",
        "win32 dynamic",
        "win32 exe",
        "files",
        "afrefhttp",
        "execution",
        "highly targeted",
        "http",
        "agent tesla",
        "blackbag",
        "relations most",
        "core",
        "malware",
        "emotet",
        "critical",
        "copy",
        "qakbot",
        "trojan",
        "ransomexx",
        "ryuk",
        "ransomware",
        "matanbuchus",
        "cobalt strike",
        "bazarloader",
        "as15169 google",
        "united",
        "passive dns",
        "aaaa",
        "title",
        "a domains",
        "body html",
        "head meta",
        "moved title",
        "tsara brashears",
        "offender",
        "Robert neill",
        "jeffery scott reimer",
        "assaulted",
        "sci",
        "warning",
        "denver",
        "death threats",
        "porn malvertizing",
        "bomb",
        "bomb threats"
      ],
      "references": [
        "https://www.nsogroup.com/",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "ww.google.com.uy",
        "321Survive.exe",
        "https://en.m.wikipedia.org \u203a wiki NSO Group"
      ],
      "public": 1,
      "adversary": "NSO Group",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "trojan.wanna/wannacry",
          "display_name": "trojan.wanna/wannacry",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "65b7e406028ca6f363f41315",
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 570,
        "URL": 2908,
        "FileHash-MD5": 98,
        "FileHash-SHA1": 84,
        "FileHash-SHA256": 2241,
        "hostname": 1043,
        "CVE": 3,
        "email": 1
      },
      "indicator_count": 6948,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 227,
      "modified_text": "781 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6564fa9a3d90d1cd14928b16",
      "name": "Lumma \u2022 University of Alberta \"No Problems\" | T1036 - Masquerading",
      "description": "I was contacted on this forum re: University of Alberta issue. Based on research  www.ualberta.ca redirects. There hasn't been a research effort for redirect. I researched a spoofed website. After viewing senders request, my devices operating system changed, isn't recognized by any accounts, keyloggers.\nFound: Anonymizers, Redirector, Masquerading, Network RAT, Serious Social Engineering, Botnetwork Army, Stealers, Lumma and weirdly targeted  'Tsara Brashears' as a malicious link on a spoofed University in Canada, UCHealth Colorado links.",
      "modified": "2023-12-27T19:03:02.665000",
      "created": "2023-11-27T20:22:50.050000",
      "tags": [
        "threat report",
        "back",
        "ip summary",
        "url summary",
        "summary",
        "download csv",
        "download",
        "json url",
        "urls",
        "detection list",
        "cisco umbrella",
        "site",
        "heur",
        "safe site",
        "alexa top",
        "million",
        "malware",
        "malicious site",
        "phishing site",
        "malicious url",
        "phishing",
        "riskware",
        "presenoker",
        "artemis",
        "agent",
        "unsafe",
        "opencandy",
        "ursnif",
        "wacatac",
        "team",
        "facebook",
        "runescape",
        "service",
        "downldr",
        "psexec",
        "occamy",
        "brontok",
        "zpevdo",
        "startpage",
        "nanocore",
        "keygen",
        "installcore",
        "fareit",
        "secrisk",
        "exploit",
        "mimikatz",
        "sorano",
        "emotet",
        "genkryptik",
        "fuery",
        "dbatloader",
        "qakbot",
        "alexa",
        "malicious",
        "union",
        "lumma stealer",
        "fusioncore",
        "cleaner",
        "azorult",
        "bank",
        "blacknet rat",
        "stealer",
        "iframe",
        "trojanspy",
        "analysis",
        "united",
        "firehol",
        "proxy",
        "mail spammer",
        "downloader",
        "malware site",
        "meterpreter",
        "qbot",
        "bankerx",
        "dropper",
        "nimda",
        "formbook",
        "swrort",
        "unruy",
        "adwind",
        "trojanx",
        "crack",
        "win64",
        "generic",
        "dnspionage",
        "expirestue",
        "path",
        "http response",
        "final url",
        "ip address",
        "status code",
        "body length",
        "kb body",
        "sha256",
        "headers",
        "alberta",
        "university",
        "edmonton",
        "html info",
        "alberta meta",
        "tags",
        "trackers google",
        "tag manager",
        "gtmkr32",
        "blacklist",
        "low risk",
        "apache",
        "domain",
        "malware found",
        "unknown",
        "minimal low",
        "security risk",
        "medium high",
        "critical",
        "protect",
        "college",
        "mtis",
        "faculties",
        "research",
        "health",
        "a about",
        "news",
        "events",
        "sport",
        "life",
        "find",
        "story",
        "tools",
        "getprocaddress",
        "indicator",
        "prefetch8",
        "mitre att",
        "ck id",
        "show technique",
        "ck matrix",
        "pattern match",
        "file",
        "date",
        "factory",
        "hybrid",
        "general",
        "cookie",
        "click",
        "strings",
        "djin",
        "no data",
        "tag count",
        "sample",
        "samples",
        "netsky",
        "cobalt strike",
        "xrat",
        "fakealert",
        "raccoon",
        "redline stealer",
        "metastealer",
        "icedid",
        "quasar rat",
        "acint",
        "anonymizer",
        "blockchain",
        "social engineering",
        "read c",
        "search",
        "show",
        "medium",
        "entries",
        "whitelisted",
        "memcommit",
        "delete",
        "yara detections",
        "next",
        "dock",
        "write",
        "execution",
        "copy",
        "south carolina",
        "federal credit",
        "team proxy",
        "static engine",
        "covid19",
        "redirector",
        "suspic",
        "tue mar",
        "zbot",
        "size68b type",
        "count blacklist",
        "tag tag",
        "rejected sample",
        "icon",
        "analyzed",
        "hwp support",
        "falcon sandbox",
        "multi scan",
        "update",
        "view details",
        "upgrade",
        "blacklist https",
        "keyloggers"
      ],
      "references": [
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian  (iPhone unlocker)",
        "uchealth.com",
        "http://michaela.young@uchealth.com",
        "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf",
        "https://api2018.uchealth.com/apihc/tass/webportal/apihealthcare_live/default.aspx",
        "https://www.uchealth.com/wp-content/uploads/2017/12/UCHealthInsuranceIndex_120417.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "Qakbot",
          "display_name": "Qakbot",
          "target": null
        },
        {
          "id": "MimiKatz",
          "display_name": "MimiKatz",
          "target": null
        },
        {
          "id": "RedLine Stealer",
          "display_name": "RedLine Stealer",
          "target": null
        },
        {
          "id": "Network RAT",
          "display_name": "Network RAT",
          "target": null
        },
        {
          "id": "Quasar RAT",
          "display_name": "Quasar RAT",
          "target": null
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "Lumma Stealer",
          "display_name": "Lumma Stealer",
          "target": null
        },
        {
          "id": "Raccoon",
          "display_name": "Raccoon",
          "target": null
        },
        {
          "id": "OpenCandy",
          "display_name": "OpenCandy",
          "target": null
        },
        {
          "id": "Meterpreter",
          "display_name": "Meterpreter",
          "target": null
        },
        {
          "id": "Unruy",
          "display_name": "Unruy",
          "target": null
        },
        {
          "id": "TrojanX",
          "display_name": "TrojanX",
          "target": null
        },
        {
          "id": "BlackNET RAT",
          "display_name": "BlackNET RAT",
          "target": null
        },
        {
          "id": "Brontok",
          "display_name": "Brontok",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        },
        {
          "id": "T1588.004",
          "name": "Digital Certificates",
          "display_name": "T1588.004 - Digital Certificates"
        },
        {
          "id": "T1546.015",
          "name": "Component Object Model Hijacking",
          "display_name": "T1546.015 - Component Object Model Hijacking"
        },
        {
          "id": "T1126",
          "name": "Network Share Connection Removal",
          "display_name": "T1126 - Network Share Connection Removal"
        },
        {
          "id": "T1136",
          "name": "Create Account",
          "display_name": "T1136 - Create Account"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1071.003",
          "name": "Mail Protocols",
          "display_name": "T1071.003 - Mail Protocols"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1134.004",
          "name": "Parent PID Spoofing",
          "display_name": "T1134.004 - Parent PID Spoofing"
        }
      ],
      "industries": [
        "Education",
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 83,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 320,
        "FileHash-SHA1": 172,
        "FileHash-SHA256": 4302,
        "URL": 8243,
        "CIDR": 1,
        "domain": 1742,
        "hostname": 2270,
        "CVE": 18,
        "SSLCertFingerprint": 3,
        "email": 4
      },
      "indicator_count": 17075,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 222,
      "modified_text": "844 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "655dafbe9ac9ac786fde45ad",
      "name": "http://malwaredomainlist.com/ \u2022 CNC \u2022 Spyware \u2022 Tracking",
      "description": "Network capture, dga domain, ecc domain, data collection, voicemail access, mail spammer, registrar abuse\n\n[Auto populated. I cannot confirm or deny the accuracy of the following information: A summary of key facts and information about a malicious web domain, hosted by the US government, has been released by Google.com and its parent company, Alphabet, for use on its website.]",
      "modified": "2023-12-22T06:03:01.993000",
      "created": "2023-11-22T07:37:34.595000",
      "tags": [
        "united",
        "as22612",
        "as2637",
        "creation date",
        "search",
        "moved",
        "expiration date",
        "date",
        "showing",
        "as397240",
        "next",
        "entries",
        "scan endpoints",
        "all octoseek",
        "dns replication",
        "win32 exe",
        "network capture",
        "android",
        "android adaway",
        "html",
        "files",
        "detections type",
        "name",
        "office open",
        "xml document",
        "namecheap",
        "namecheap inc",
        "whois lookups",
        "win32 dll",
        "text",
        "wextract",
        "text htaccess",
        "powershell",
        "detection list",
        "blacklist",
        "first",
        "ssl certificate",
        "whois record",
        "contacted",
        "december",
        "whois whois",
        "threat roundup",
        "historical ssl",
        "problems",
        "referrer",
        "pe resource",
        "startpage",
        "cyber threat",
        "redline stealer",
        "mail spammer",
        "hostname",
        "phishing site",
        "malicious site",
        "installcore",
        "http spammer",
        "malware site",
        "malware",
        "generic malware",
        "heur",
        "generic",
        "alexa top",
        "million",
        "site",
        "cisco umbrella",
        "alexa",
        "ip address",
        "algorithm",
        "data",
        "v3 serial",
        "number",
        "cat cnzerossl",
        "ecc domain",
        "secure site",
        "ca ozerossl",
        "validity",
        "subject public",
        "server",
        "email",
        "code",
        "registrar abuse",
        "country",
        "privacy service",
        "withheld",
        "privacy",
        "domain name",
        "pattern match",
        "ascii text",
        "appdata",
        "file",
        "windows nt",
        "svg scalable",
        "vector graphics",
        "indicator",
        "gif image",
        "accept",
        "hybrid",
        "general",
        "local",
        "pixel",
        "click",
        "twitter",
        "strings",
        "class",
        "generator",
        "critical",
        "command_and_control",
        "spyware",
        "tracking",
        "voicemail access",
        "dga",
        "apple"
      ],
      "references": [
        "https://www.hybrid-analysis.com/sample/c0c84df54b890bb408fc2289f1e75a29991127bbe207aa30042616b5ea150342/655d9af5679c7afcc409895e",
        "\u2193Interesting\u2193",
        "IPv4 198.54.117.211 command_and_control",
        "IPv4 198.54.117.210 command_and_control",
        "IPv4 198.54.117.212 command_and_control",
        "IPv4 198.54.117.215 command_and_control",
        "IPv4 198.54.117.217 command_and_control",
        "IPv4 198.54.117.218 command_and_control",
        "apple-securityiphone-icloud.com",
        "tx-p2p-pull.video-voip.com.dorm.com",
        "http://updates.voicemailaccess.net/b0f6a00b15311023",
        "tvapp-server.de",
        "zeustracker.abuse.ch",
        "ransomwaretracker.abuse.ch",
        "http://t.trkitok.com/track/rep?oid=2001&st=1&id=DP2441--w1VJE427J8SGGRTP02MD7UEG___93737493-c08b-4dc7-ad30-b17a2c09e771___$mid",
        "louisianarooflawyers.com         [phishing]",
        "hasownproperty.call"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Generic",
          "display_name": "Generic",
          "target": null
        },
        {
          "id": "BlackNET",
          "display_name": "BlackNET",
          "target": null
        },
        {
          "id": "InstallCore",
          "display_name": "InstallCore",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 51,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 105,
        "FileHash-SHA1": 100,
        "FileHash-SHA256": 3072,
        "domain": 1188,
        "email": 5,
        "URL": 7940,
        "hostname": 1925,
        "CVE": 1
      },
      "indicator_count": 14336,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 228,
      "modified_text": "849 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "655ae7b85bce5b026a160389",
      "name": "Command and Control Server and Services CRITICAL",
      "description": "HSBC\nInmortal\nRadar Ineractive\nRuleset Match:\nBackSwap Trojan detection by Ariel Millahuel\nCARROTBAT Malware detection by Ariel Millahuel",
      "modified": "2023-12-20T03:01:11.128000",
      "created": "2023-11-20T04:59:36.506000",
      "tags": [
        "contacted",
        "execution",
        "dropped",
        "threat roundup",
        "august",
        "apple ios",
        "contacted urls",
        "referrer",
        "october",
        "april",
        "core",
        "february",
        "hacktool",
        "installer",
        "urls",
        "ovh sas",
        "domains",
        "ip detections",
        "country",
        "type name",
        "win32 exe",
        "noname057",
        "generic malware",
        "tag count",
        "threat report",
        "ip summary",
        "url summary",
        "summary",
        "sample",
        "samples",
        "detection list",
        "blacklist http",
        "cisco umbrella",
        "site",
        "safe site",
        "wormx",
        "malicious site",
        "alexa top",
        "malware site",
        "million",
        "malicious url",
        "phishing site",
        "malware",
        "alexa",
        "phishing",
        "agent",
        "bank",
        "inmortal",
        "united",
        "cyber threat",
        "pony",
        "cnc zeus",
        "tracker",
        "cnc server",
        "covid19",
        "engineering",
        "http spammer",
        "host",
        "azorult",
        "asyncrat",
        "cobalt strike",
        "team",
        "hsbc",
        "file size",
        "files",
        "file type",
        "kb file",
        "highly targeted",
        "apple",
        "password",
        "tsara brashears",
        "awful",
        "radar ineractive",
        "no data",
        "blacklist",
        "malvertizing",
        "masquerading",
        "tulach",
        "114.114.114.114",
        "Noname057"
      ],
      "references": [],
      "public": 1,
      "adversary": "Unconfirmed Adversary",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Inmortal",
          "display_name": "Inmortal",
          "target": null
        },
        {
          "id": "HSBC",
          "display_name": "HSBC",
          "target": null
        },
        {
          "id": "Radar Ineractive",
          "display_name": "Radar Ineractive",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "TA0002",
          "name": "Execution",
          "display_name": "TA0002 - Execution"
        },
        {
          "id": "TA0001",
          "name": "Initial Access",
          "display_name": "TA0001 - Initial Access"
        },
        {
          "id": "TA0009",
          "name": "Collection",
          "display_name": "TA0009 - Collection"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1059.002",
          "name": "AppleScript",
          "display_name": "T1059.002 - AppleScript"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1100",
          "name": "Web Shell",
          "display_name": "T1100 - Web Shell"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1098",
          "name": "Account Manipulation",
          "display_name": "T1098 - Account Manipulation"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 28,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 729,
        "FileHash-MD5": 950,
        "FileHash-SHA1": 482,
        "FileHash-SHA256": 878,
        "domain": 139,
        "hostname": 300,
        "CVE": 1
      },
      "indicator_count": 3479,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 220,
      "modified_text": "851 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://www.starwarsauthentics.com",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://www.starwarsauthentics.com",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776642400.3832011
}