{ "type": "URL", "indicator": "https://www.website.ws/whois.dhtml", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.website.ws/whois.dhtml", "type": "url", "type_title": "URL", "validation": [ { "source": "majestic", "message": "Whitelisted domain website.ws", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3974996836, "indicator": "https://www.website.ws/whois.dhtml", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69fec43ef41ffab3412dd8cd", "name": "credit: Q.Vashti - Clone ['Fatal Error - Hacker Known'] I clone as the pulses show relevant in hope to help.", "description": "", "modified": "2026-05-09T05:23:05.136000", "created": "2026-05-09T05:21:02.143000", "tags": [ "pulses ipv4", "ipv4", "div div", "united", "script script", "a li", "present jul", "param", "entries", "present aug", "certificate", "global domains", "date", "title", "class", "meta", "agent", "stack", "life", "a domains", "passive dns", "urls", "ok server", "gmt content", "type", "hostname add", "pulse pulses", "files", "win32mydoom oct", "trojan", "next associated", "pulse", "reverse dns", "twitter", "body", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "yara rule", "ff d5", "ascii text", "f0 ff", "eb e1", "unknown", "copy", "write", "malware", "push", "next", "autorun", "suspicious", "ip address", "unknown ns", "unknown aaaa", "ipv4 add", "location united", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ck id", "show technique", "mitre att", "path", "error", "fatalerror", "general", "hybrid", "local", "click", "strings", "filehashsha256", "filehashmd5", "filehashsha1", "iist", "malware family", "mydoom att", "ck ids", "t1060", "run keys", "indicator role", "title added", "active related", "showing", "url https", "url http", "startup", "folder", "web protocols", "t1105", "tool transfer", "indicators hong", "kong", "china", "germany", "australia", "search", "type indicator", "role title", "added active", "related pulses", "wire", "t1071" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": "68edc1c2be848e73a32ab9ba", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2767, "hostname": 1231, "domain": 449, "FileHash-MD5": 408, "email": 12, "FileHash-SHA256": 604, "FileHash-SHA1": 307, "IPv4": 3 }, "indicator_count": 5781, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fd0cc422cea2fd989581fd", "name": "LevelBlue - Open Threat Exchange (Malicious Attacks)", "description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.", "modified": "2025-11-24T17:02:12.441000", "created": "2025-10-25T17:45:40.291000", "tags": [ "ipv4", "levelblue", "open threat", "date sat", "connection", "etag w", "cloudfront", "sameorigin age", "vary", "ip address", "kb body", "gtmkvjvztk", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "learn", "exchange og", "levelblue open", "threat exchange", "exchange", "google tag", "iocs", "search otx", "included iocs", "review iocs", "data upload", "extraction", "layer protocol", "v full", "reports v", "port t1571", "t1573", "oc0006 http", "c0014", "get http", "dns resolutions", "user", "data", "datacrashpad", "edge", "tag manager", "us er", "help files", "shell", "html", "cve202323397", "iframe tags", "community score", "url http", "url https", "united", "united kingdom", "netherlands", "search", "type indicator", "role title", "added active", "related pulses", "indicator role", "title added", "active related", "otc oct", "report spam", "week ago", "scan", "learn more", "filehashmd5", "filehashsha1", "domain", "australia", "does", "josh", "created", "filehashsha256", "present jul", "present oct", "date", "a domains", "script urls", "for privacy", "moved", "script domains", "meta", "title", "body", "pragma", "encrypt", "ck ids", "t1060", "run keys", "startup", "folder", "t1027", "files", "information", "t1055", "injection", "capture", "south korea", "malaysia", "pulses", "fatal error", "hacker known", "name", "unknown", "risk", "weeks ago", "scary", "sova", "colorado", "wire", "name unknown", "thursday", "denver", "types of", "indicators hong", "kong", "tsara brashears", "african", "ethiopia", "b8reactjs", "india", "america", "x ua", "hostname", "dicator role", "pulses url", "airplane", "icator role", "t1432", "access contact", "list", "t1525", "image", "security scan", "heuristic oct", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1114", "t1480", "internal image", "brian sabey", "month ago", "modified", "days ago", "green well", "sabey stash", "service", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sova", "display_name": "Sova", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 956, "FileHash-SHA1": 906, "FileHash-SHA256": 2651, "URL": 4450, "domain": 708, "hostname": 2403, "CVE": 1, "email": 5 }, "indicator_count": 12080, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "188 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68edc1c2be848e73a32ab9ba", "name": "Fatal Error - Hacker Known \u2022 Name Unknown | Lives @ risk", "description": "I am connected to targeteds phone. My location is autonomous _ will show up in Colorado most likely. \n\nScary, this weekend a woman dressed like a peasant somehow managed to give me a letter past Thursday with information about a death in the 11th floor of an Apartment in Denver. The Sova. Alleged drug overdose may have actually been a homicide, I sound & feel crazy, there were names inside , emails , plans for Airplane attacks affecting civilians this month. I couldn\u2019t, wouldn\u2019t create this. Apparently UK born citizens sponsored by a Google hierarchy were able to weave their way into the lives a family member & Tsara Brashears . These are white males, anlso involved are citizens from African, Ethiopia, India and America deeply involved. They used fake names and I have said too much. If there is an helpful person on here please help!!! There\nis worse and it might be legal hits to insight money for war!\n#nso_related", "modified": "2025-11-13T02:02:12.454000", "created": "2025-10-14T03:21:38.305000", "tags": [ "pulses ipv4", "ipv4", "div div", "united", "script script", "a li", "present jul", "param", "entries", "present aug", "certificate", "global domains", "date", "title", "class", "meta", "agent", "stack", "life", "a domains", "passive dns", "urls", "ok server", "gmt content", "type", "hostname add", "pulse pulses", "files", "win32mydoom oct", "trojan", "next associated", "pulse", "reverse dns", "twitter", "body", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "yara rule", "ff d5", "ascii text", "f0 ff", "eb e1", "unknown", "copy", "write", "malware", "push", "next", "autorun", "suspicious", "ip address", "unknown ns", "unknown aaaa", "ipv4 add", "location united", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ck id", "show technique", "mitre att", "path", "error", "fatalerror", "general", "hybrid", "local", "click", "strings", "filehashsha256", "filehashmd5", "filehashsha1", "iist", "malware family", "mydoom att", "ck ids", "t1060", "run keys", "indicator role", "title added", "active related", "showing", "url https", "url http", "startup", "folder", "web protocols", "t1105", "tool transfer", "indicators hong", "kong", "china", "germany", "australia", "search", "type indicator", "role title", "added active", "related pulses", "wire", "t1071" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2724, "hostname": 1212, "domain": 410, "FileHash-MD5": 408, "email": 9, "FileHash-SHA256": 604, "FileHash-SHA1": 307 }, "indicator_count": 5674, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "200 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e87da28b9c1611223c1a6b", "name": "Telegram - Remote install | log4shell-generic | Botnet | Pegasus Relationship", "description": "0.0.0.0 Day: Exploiting Localhost APIs From the Browser.\nA root of device issues: \nTarget was remotely subscribed to Telegram 10/23. This phone silently made 2 calls to (380) 222-3333. An activation code for blacklisted t.me/login/***** received by text. Target remembers this occured during sleep. Pegasus relationship. Mirai relationship auto-populated. Reference to new Mirai infection. I didn't find Mirai IoC's\nBrian Hau? Lol, idk about that.\n|| SLFPER:SoftwareBundler:Win32/Dlhelper\n#Lowfi:LUA:AutoItV3CraftedOverlay\nALF:HeraklezEval:Trojan:Win32/Ymacco\nBackdoor:Win32/Tofsee\nMirai\nTEL:Exploit:O97M/CVE-2017-8570\nTofsee\nTrojan:Win32/Glupteba\nTrojan:Win32/Kryptik\nTrojan:Win32/Mydoom\nWin.Packed.Enigma-10023199-0\nWin.Packer.pkr_ce1a-9980177-0\nWin32:PWSX-gen\\ [Trj]", "modified": "2024-10-16T15:00:45.833000", "created": "2024-09-16T18:49:06.831000", "tags": [ "dynamicloader", "high", "windows", "medium", "grum", "yara detections", "contacted", "installs", "windows startup", "application", "tofsee", "stream", "less see", "copy", "aaaa", "virgin islands", "whitelisted", "antigua", "org domains", "proxy", "code", "search", "united", "unknown", "msie", "chrome", "passive dns", "formbook cnc", "checkin", "entries", "body", "possible", "mozilla", "delete c", "windows nt", "show", "owotrus ca", "limited", "cnwotrus dv", "server ca", "write", "malware", "encrypt", "as36647 oath", "backdoor", "trojan", "all scoreblue", "ipv4", "urls", "ransom", "trojan features", "related pulses", "file samples", "files matching", "date hash", "memcommit", "read c", "win32", "icmp traffic", "memreserve", "showing", "exploit", "mirai", "barbuda", "barbuda unknown", "hacktool", "program", "python", "macintosh", "intel mac", "os x", "khtml", "gecko", "bios", "guard", "updater", "launcher", "div div", "span div", "span svg", "status", "bugs", "span", "meta", "path", "div h3", "telegram strong", "a li", "virtool", "class", "tour", "read", "delete", "top source", "top destination", "as46606", "change", "moved", "certificate", "creation date", "record value", "suite", "hostname", "cookie", "asnone united", "as29873", "cname", "domain", "url analysis", "redacted for", "script urls", "a domains", "as8560", "germany unknown", "name servers", "for privacy", "files", "verdict", "as393245 oath", "mtb sep", "servers", "expiration date", "overview domain", "files ip", "address", "location united", "asn as22612", "whois registrar", "namecheap inc", "as22612", "content type", "apache", "secure server", "dnssec", "meta http", "content", "gmt server", "litespeed x", "http scans", "equiv cache", "script endif", "create c", "wow64", "slcc2", "media center", "write c", "next", "dock", "execution", "capture", "xport", "united kingdom", "a nxdomain", "as24940 hetzner", "emails", "script script", "param", "script", "ul div", "global domains", "international", "bank", "agent", "stack", "life", "win32mydoom sep", "title", "enigmaprotector", "dynamic", "powershell", "filehash", "worm", "a div", "all search", "lowfi", "copyright", "as54994 quantil", "as15169", "virustotal", "drweb", "vipre", "downloader", "panda", "local", "dns replication", "technology", "server", "privacy billing", "email", "registrar abuse", "organization", "privacy tech", "privacy admin", "algorithm", "first", "v3 serial", "number", "cus ogoogle", "trust", "cnwe1 validity", "subject public", "key info", "key algorithm", "scan endpoints", "pulse pulses", "federation asn", "as49505", "labs pulses", "internet", "iana", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "orgtechhandle", "iana special", "103.28.36.182", "pegasus", "103.224.212.222", "103.129.252.44", "162.0.215.111", "apple", "apple-access.com", "as8075", "date", "phishing", "csam", "pii", "piiexposure", "flag", "domain address", "llc name", "contacted hosts", "ip address", "process details" ], "references": [ "Telegram | Indicator: Query for .su TLD (Soviet Union) Often Malware Related PE EXE or DLL Windows file download HTTP", "Telegram - https://t.me/login/***** | fFileHash-SHA256 cecaa6014e0cdc41ead0b076169175c9342a2ccc4b3e48549f88ea87ba8c034", "Alerts: injection_inter_process creates_largekey network_bind persistence_autorun persistence_autorun_tasks", "Alerts: spawns_dev_util cape_detected_threat injection_process_hollowing antivm_generic_services", "Alerts: deletes_executed_files injection_runpe persistence_ads suspicious_command_tools anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading resumethread_remote_process powershell_download powershell_request", "*WEBSITE.WS Your Internet Address For Life", "Telegram | IP 66.235.200.146 | Indicator Possible recent Mirai infection", "Datacenter / Hosting / VPS Reverse DNS host77.ipowerweb.com Location United States", "IDS Detections: W32/Zbot.Variant Fake MSIE 6.0 UA FormBook CnC Checkin (GET) FormBook CnC Checkin (GET) FormBook CnC Checkin (GET)", "User-Agent (Mozilla) - Possible Spyware Related WinHttpRequest Downloading EXE Likely Evil EXE download from WinHttpRequest non-exe extension", "ASN AS13335 cloudflare DNS Resolutions", "0.0.0.0 log4shell-generic-z8lrtjkgkm4zhi6necwi.r.nessus.org", "IDS: Query for .su TLD (Soviet Union) Often Malware Related PE EXE or DLL Windows file download HTTP | Not Russia - Americans Masquerading", "federallegionconnbot.t.me", "thevipporn.com porn25.com lowendporn.com pz7.iqg29.cn", "pegasusintel.com", "appleid-support.com apple-access.com appleid-support.com demo171.apple.com apple.k8s.joewa.com w-t-blu-371ac852.cloudapp.net", "log4shell-generic-ammqgekxvatp3a2qyw71ten.r.nessus.org play.google.com demo171.apple.com apps.apple.com", "Alleged CSAM Alleged Phishing Alleged PIIExposure", "https://t.me/login/36861 = GET /login/36861 | Server: nginx/1.18.0" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "Win32:PWSX-gen\\ [Trj]", "display_name": "Win32:PWSX-gen\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" }, { "id": "Trojan:Win32/Kryptik", "display_name": "Trojan:Win32/Kryptik", "target": "/malware/Trojan:Win32/Kryptik" }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Win.Packed.Enigma-10023199-0", "display_name": "Win.Packed.Enigma-10023199-0", "target": null }, { "id": "TEL:Exploit:O97M/CVE-2017-8570", "display_name": "TEL:Exploit:O97M/CVE-2017-8570", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco", "target": null }, { "id": "SLFPER:SoftwareBundler:Win32/Dlhelper", "display_name": "SLFPER:SoftwareBundler:Win32/Dlhelper", "target": null }, { "id": "#Lowfi:LUA:AutoItV3CraftedOverlay", "display_name": "#Lowfi:LUA:AutoItV3CraftedOverlay", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1226, "FileHash-SHA256": 1691, "FileHash-MD5": 807, "FileHash-SHA1": 781, "URL": 429, "hostname": 1124, "SSLCertFingerprint": 7, "CVE": 1, "email": 16, "CIDR": 1 }, "indicator_count": 6083, "is_author": false, "is_subscribing": null, "subscriber_count": 235, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "log4shell-generic-ammqgekxvatp3a2qyw71ten.r.nessus.org play.google.com demo171.apple.com apps.apple.com", "Telegram - https://t.me/login/***** | fFileHash-SHA256 cecaa6014e0cdc41ead0b076169175c9342a2ccc4b3e48549f88ea87ba8c034", "Alleged CSAM Alleged Phishing Alleged PIIExposure", "thevipporn.com porn25.com lowendporn.com pz7.iqg29.cn", "Telegram | Indicator: Query for .su TLD (Soviet Union) Often Malware Related PE EXE or DLL Windows file download HTTP", "Alerts: injection_inter_process creates_largekey network_bind persistence_autorun persistence_autorun_tasks", "User-Agent (Mozilla) - Possible Spyware Related WinHttpRequest Downloading EXE Likely Evil EXE download from WinHttpRequest non-exe extension", "appleid-support.com apple-access.com appleid-support.com demo171.apple.com apple.k8s.joewa.com w-t-blu-371ac852.cloudapp.net", "Datacenter / Hosting / VPS Reverse DNS host77.ipowerweb.com Location United States", "IDS: Query for .su TLD (Soviet Union) Often Malware Related PE EXE or DLL Windows file download HTTP | Not Russia - Americans Masquerading", "Telegram | IP 66.235.200.146 | Indicator Possible recent Mirai infection", "Alerts: spawns_dev_util cape_detected_threat injection_process_hollowing antivm_generic_services", "*WEBSITE.WS Your Internet Address For Life", "https://t.me/login/36861 = GET /login/36861 | Server: nginx/1.18.0", "0.0.0.0 log4shell-generic-z8lrtjkgkm4zhi6necwi.r.nessus.org", "IDS Detections: W32/Zbot.Variant Fake MSIE 6.0 UA FormBook CnC Checkin (GET) FormBook CnC Checkin (GET) FormBook CnC Checkin (GET)", "pegasusintel.com", "ASN AS13335 cloudflare DNS Resolutions", "federallegionconnbot.t.me", "Alerts: deletes_executed_files injection_runpe persistence_ads suspicious_command_tools anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading resumethread_remote_process powershell_download powershell_request" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Sova", "Backdoor:win32/tofsee", "#lowfi:lua:autoitv3craftedoverlay", "Tofsee", "Trojan:win32/glupteba", "Trojan:win32/kryptik", "Mirai", "Win.packer.pkr_ce1a-9980177-0", "Win.packed.enigma-10023199-0", "Alf:heraklezeval:trojan:win32/ymacco", "Trojan:win32/mydoom", "Slfper:softwarebundler:win32/dlhelper", "Win32:pwsx-gen\\ [trj]", "Tel:exploit:o97m/cve-2017-8570" ], "industries": [ "Telecommunications" ], "unique_indicators": 19402 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/website.ws", "whois": "http://whois.domaintools.com/website.ws", "domain": "website.ws", "hostname": "www.website.ws" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69fec43ef41ffab3412dd8cd", "name": "credit: Q.Vashti - Clone ['Fatal Error - Hacker Known'] I clone as the pulses show relevant in hope to help.", "description": "", "modified": "2026-05-09T05:23:05.136000", "created": "2026-05-09T05:21:02.143000", "tags": [ "pulses ipv4", "ipv4", "div div", "united", "script script", "a li", "present jul", "param", "entries", "present aug", "certificate", "global domains", "date", "title", "class", "meta", "agent", "stack", "life", "a domains", "passive dns", "urls", "ok server", "gmt content", "type", "hostname add", "pulse pulses", "files", "win32mydoom oct", "trojan", "next associated", "pulse", "reverse dns", "twitter", "body", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "yara rule", "ff d5", "ascii text", "f0 ff", "eb e1", "unknown", "copy", "write", "malware", "push", "next", "autorun", "suspicious", "ip address", "unknown ns", "unknown aaaa", "ipv4 add", "location united", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ck id", "show technique", "mitre att", "path", "error", "fatalerror", "general", "hybrid", "local", "click", "strings", "filehashsha256", "filehashmd5", "filehashsha1", "iist", "malware family", "mydoom att", "ck ids", "t1060", "run keys", "indicator role", "title added", "active related", "showing", "url https", "url http", "startup", "folder", "web protocols", "t1105", "tool transfer", "indicators hong", "kong", "china", "germany", "australia", "search", "type indicator", "role title", "added active", "related pulses", "wire", "t1071" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": "68edc1c2be848e73a32ab9ba", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2767, "hostname": 1231, "domain": 449, "FileHash-MD5": 408, "email": 12, "FileHash-SHA256": 604, "FileHash-SHA1": 307, "IPv4": 3 }, "indicator_count": 5781, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fd0cc422cea2fd989581fd", "name": "LevelBlue - Open Threat Exchange (Malicious Attacks)", "description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.", "modified": "2025-11-24T17:02:12.441000", "created": "2025-10-25T17:45:40.291000", "tags": [ "ipv4", "levelblue", "open threat", "date sat", "connection", "etag w", "cloudfront", "sameorigin age", "vary", "ip address", "kb body", "gtmkvjvztk", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "learn", "exchange og", "levelblue open", "threat exchange", "exchange", "google tag", "iocs", "search otx", "included iocs", "review iocs", "data upload", "extraction", "layer protocol", "v full", "reports v", "port t1571", "t1573", "oc0006 http", "c0014", "get http", "dns resolutions", "user", "data", "datacrashpad", "edge", "tag manager", "us er", "help files", "shell", "html", "cve202323397", "iframe tags", "community score", "url http", "url https", "united", "united kingdom", "netherlands", "search", "type indicator", "role title", "added active", "related pulses", "indicator role", "title added", "active related", "otc oct", "report spam", "week ago", "scan", "learn more", "filehashmd5", "filehashsha1", "domain", "australia", "does", "josh", "created", "filehashsha256", "present jul", "present oct", "date", "a domains", "script urls", "for privacy", "moved", "script domains", "meta", "title", "body", "pragma", "encrypt", "ck ids", "t1060", "run keys", "startup", "folder", "t1027", "files", "information", "t1055", "injection", "capture", "south korea", "malaysia", "pulses", "fatal error", "hacker known", "name", "unknown", "risk", "weeks ago", "scary", "sova", "colorado", "wire", "name unknown", "thursday", "denver", "types of", "indicators hong", "kong", "tsara brashears", "african", "ethiopia", "b8reactjs", "india", "america", "x ua", "hostname", "dicator role", "pulses url", "airplane", "icator role", "t1432", "access contact", "list", "t1525", "image", "security scan", "heuristic oct", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1114", "t1480", "internal image", "brian sabey", "month ago", "modified", "days ago", "green well", "sabey stash", "service", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sova", "display_name": "Sova", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 956, "FileHash-SHA1": 906, "FileHash-SHA256": 2651, "URL": 4450, "domain": 708, "hostname": 2403, "CVE": 1, "email": 5 }, "indicator_count": 12080, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "188 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68edc1c2be848e73a32ab9ba", "name": "Fatal Error - Hacker Known \u2022 Name Unknown | Lives @ risk", "description": "I am connected to targeteds phone. My location is autonomous _ will show up in Colorado most likely. \n\nScary, this weekend a woman dressed like a peasant somehow managed to give me a letter past Thursday with information about a death in the 11th floor of an Apartment in Denver. The Sova. Alleged drug overdose may have actually been a homicide, I sound & feel crazy, there were names inside , emails , plans for Airplane attacks affecting civilians this month. I couldn\u2019t, wouldn\u2019t create this. Apparently UK born citizens sponsored by a Google hierarchy were able to weave their way into the lives a family member & Tsara Brashears . These are white males, anlso involved are citizens from African, Ethiopia, India and America deeply involved. They used fake names and I have said too much. If there is an helpful person on here please help!!! There\nis worse and it might be legal hits to insight money for war!\n#nso_related", "modified": "2025-11-13T02:02:12.454000", "created": "2025-10-14T03:21:38.305000", "tags": [ "pulses ipv4", "ipv4", "div div", "united", "script script", "a li", "present jul", "param", "entries", "present aug", "certificate", "global domains", "date", "title", "class", "meta", "agent", "stack", "life", "a domains", "passive dns", "urls", "ok server", "gmt content", "type", "hostname add", "pulse pulses", "files", "win32mydoom oct", "trojan", "next associated", "pulse", "reverse dns", "twitter", "body", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "yara rule", "ff d5", "ascii text", "f0 ff", "eb e1", "unknown", "copy", "write", "malware", "push", "next", "autorun", "suspicious", "ip address", "unknown ns", "unknown aaaa", "ipv4 add", "location united", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ck id", "show technique", "mitre att", "path", "error", "fatalerror", "general", "hybrid", "local", "click", "strings", "filehashsha256", "filehashmd5", "filehashsha1", "iist", "malware family", "mydoom att", "ck ids", "t1060", "run keys", "indicator role", "title added", "active related", "showing", "url https", "url http", "startup", "folder", "web protocols", "t1105", "tool transfer", "indicators hong", "kong", "china", "germany", "australia", "search", "type indicator", "role title", "added active", "related pulses", "wire", "t1071" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2724, "hostname": 1212, "domain": 410, "FileHash-MD5": 408, "email": 9, "FileHash-SHA256": 604, "FileHash-SHA1": 307 }, "indicator_count": 5674, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "200 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e87da28b9c1611223c1a6b", "name": "Telegram - Remote install | log4shell-generic | Botnet | Pegasus Relationship", "description": "0.0.0.0 Day: Exploiting Localhost APIs From the Browser.\nA root of device issues: \nTarget was remotely subscribed to Telegram 10/23. This phone silently made 2 calls to (380) 222-3333. An activation code for blacklisted t.me/login/***** received by text. Target remembers this occured during sleep. Pegasus relationship. Mirai relationship auto-populated. Reference to new Mirai infection. I didn't find Mirai IoC's\nBrian Hau? Lol, idk about that.\n|| SLFPER:SoftwareBundler:Win32/Dlhelper\n#Lowfi:LUA:AutoItV3CraftedOverlay\nALF:HeraklezEval:Trojan:Win32/Ymacco\nBackdoor:Win32/Tofsee\nMirai\nTEL:Exploit:O97M/CVE-2017-8570\nTofsee\nTrojan:Win32/Glupteba\nTrojan:Win32/Kryptik\nTrojan:Win32/Mydoom\nWin.Packed.Enigma-10023199-0\nWin.Packer.pkr_ce1a-9980177-0\nWin32:PWSX-gen\\ [Trj]", "modified": "2024-10-16T15:00:45.833000", "created": "2024-09-16T18:49:06.831000", "tags": [ "dynamicloader", "high", "windows", "medium", "grum", "yara detections", "contacted", "installs", "windows startup", "application", "tofsee", "stream", "less see", "copy", "aaaa", "virgin islands", "whitelisted", "antigua", "org domains", "proxy", "code", "search", "united", "unknown", "msie", "chrome", "passive dns", "formbook cnc", "checkin", "entries", "body", "possible", "mozilla", "delete c", "windows nt", "show", "owotrus ca", "limited", "cnwotrus dv", "server ca", "write", "malware", "encrypt", "as36647 oath", "backdoor", "trojan", "all scoreblue", "ipv4", "urls", "ransom", "trojan features", "related pulses", "file samples", "files matching", "date hash", "memcommit", "read c", "win32", "icmp traffic", "memreserve", "showing", "exploit", "mirai", "barbuda", "barbuda unknown", "hacktool", "program", "python", "macintosh", "intel mac", "os x", "khtml", "gecko", "bios", "guard", "updater", "launcher", "div div", "span div", "span svg", "status", "bugs", "span", "meta", "path", "div h3", "telegram strong", "a li", "virtool", "class", "tour", "read", "delete", "top source", "top destination", "as46606", "change", "moved", "certificate", "creation date", "record value", "suite", "hostname", "cookie", "asnone united", "as29873", "cname", "domain", "url analysis", "redacted for", "script urls", "a domains", "as8560", "germany unknown", "name servers", "for privacy", "files", "verdict", "as393245 oath", "mtb sep", "servers", "expiration date", "overview domain", "files ip", "address", "location united", "asn as22612", "whois registrar", "namecheap inc", "as22612", "content type", "apache", "secure server", "dnssec", "meta http", "content", "gmt server", "litespeed x", "http scans", "equiv cache", "script endif", "create c", "wow64", "slcc2", "media center", "write c", "next", "dock", "execution", "capture", "xport", "united kingdom", "a nxdomain", "as24940 hetzner", "emails", "script script", "param", "script", "ul div", "global domains", "international", "bank", "agent", "stack", "life", "win32mydoom sep", "title", "enigmaprotector", "dynamic", "powershell", "filehash", "worm", "a div", "all search", "lowfi", "copyright", "as54994 quantil", "as15169", "virustotal", "drweb", "vipre", "downloader", "panda", "local", "dns replication", "technology", "server", "privacy billing", "email", "registrar abuse", "organization", "privacy tech", "privacy admin", "algorithm", "first", "v3 serial", "number", "cus ogoogle", "trust", "cnwe1 validity", "subject public", "key info", "key algorithm", "scan endpoints", "pulse pulses", "federation asn", "as49505", "labs pulses", "internet", "iana", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "orgtechhandle", "iana special", "103.28.36.182", "pegasus", "103.224.212.222", "103.129.252.44", "162.0.215.111", "apple", "apple-access.com", "as8075", "date", "phishing", "csam", "pii", "piiexposure", "flag", "domain address", "llc name", "contacted hosts", "ip address", "process details" ], "references": [ "Telegram | Indicator: Query for .su TLD (Soviet Union) Often Malware Related PE EXE or DLL Windows file download HTTP", "Telegram - https://t.me/login/***** | fFileHash-SHA256 cecaa6014e0cdc41ead0b076169175c9342a2ccc4b3e48549f88ea87ba8c034", "Alerts: injection_inter_process creates_largekey network_bind persistence_autorun persistence_autorun_tasks", "Alerts: spawns_dev_util cape_detected_threat injection_process_hollowing antivm_generic_services", "Alerts: deletes_executed_files injection_runpe persistence_ads suspicious_command_tools anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading resumethread_remote_process powershell_download powershell_request", "*WEBSITE.WS Your Internet Address For Life", "Telegram | IP 66.235.200.146 | Indicator Possible recent Mirai infection", "Datacenter / Hosting / VPS Reverse DNS host77.ipowerweb.com Location United States", "IDS Detections: W32/Zbot.Variant Fake MSIE 6.0 UA FormBook CnC Checkin (GET) FormBook CnC Checkin (GET) FormBook CnC Checkin (GET)", "User-Agent (Mozilla) - Possible Spyware Related WinHttpRequest Downloading EXE Likely Evil EXE download from WinHttpRequest non-exe extension", "ASN AS13335 cloudflare DNS Resolutions", "0.0.0.0 log4shell-generic-z8lrtjkgkm4zhi6necwi.r.nessus.org", "IDS: Query for .su TLD (Soviet Union) Often Malware Related PE EXE or DLL Windows file download HTTP | Not Russia - Americans Masquerading", "federallegionconnbot.t.me", "thevipporn.com porn25.com lowendporn.com pz7.iqg29.cn", "pegasusintel.com", "appleid-support.com apple-access.com appleid-support.com demo171.apple.com apple.k8s.joewa.com w-t-blu-371ac852.cloudapp.net", "log4shell-generic-ammqgekxvatp3a2qyw71ten.r.nessus.org play.google.com demo171.apple.com apps.apple.com", "Alleged CSAM Alleged Phishing Alleged PIIExposure", "https://t.me/login/36861 = GET /login/36861 | Server: nginx/1.18.0" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "Win32:PWSX-gen\\ [Trj]", "display_name": "Win32:PWSX-gen\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" }, { "id": "Trojan:Win32/Kryptik", "display_name": "Trojan:Win32/Kryptik", "target": "/malware/Trojan:Win32/Kryptik" }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Win.Packed.Enigma-10023199-0", "display_name": "Win.Packed.Enigma-10023199-0", "target": null }, { "id": "TEL:Exploit:O97M/CVE-2017-8570", "display_name": "TEL:Exploit:O97M/CVE-2017-8570", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco", "target": null }, { "id": "SLFPER:SoftwareBundler:Win32/Dlhelper", "display_name": "SLFPER:SoftwareBundler:Win32/Dlhelper", "target": null }, { "id": "#Lowfi:LUA:AutoItV3CraftedOverlay", "display_name": "#Lowfi:LUA:AutoItV3CraftedOverlay", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1226, "FileHash-SHA256": 1691, "FileHash-MD5": 807, "FileHash-SHA1": 781, "URL": 429, "hostname": 1124, "SSLCertFingerprint": 7, "CVE": 1, "email": 16, "CIDR": 1 }, "indicator_count": 6083, "is_author": false, "is_subscribing": null, "subscriber_count": 235, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.website.ws/whois.dhtml", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.website.ws/whois.dhtml", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780285484.7634 }