{ "type": "URL", "indicator": "https://www.work.a-poster.info", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.work.a-poster.info", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2519868785, "indicator": "https://www.work.a-poster.info", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "6523344e4adc85389899504c", "name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]", "description": "", "modified": "2024-10-13T03:00:28.081000", "created": "2023-10-08T22:59:26.040000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b48d699080b4bfd334c5", "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7761, "CVE": 6, "FileHash-MD5": 285, "FileHash-SHA1": 165, "FileHash-SHA256": 5059, "domain": 987, "hostname": 2399 }, "indicator_count": 16662, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "554 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65afcb842689eb776c0737e5", "name": "Maui Ransomware", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-23T14:21:56.725000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65aab8eb55243c504a2cb4c0", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a9b4296442cc8db50a264f", "name": "Maui Ransomware ", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-18T23:28:41.569000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "653977171f690fb9ab978bf3", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65aab8eb55243c504a2cb4c0", "name": "Maui Ransomware", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-19T18:01:15.365000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65a9b4296442cc8db50a264f", "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a9b87d2d435bdad9ce80a3", "name": "Racoon Stealer ", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-18T23:47:09.818000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65a9b4296442cc8db50a264f", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659261e2290ac1ecc5d9ca74", "name": "Pegasus - a-poster.info", "description": "", "modified": "2024-01-31T04:00:35.757000", "created": "2024-01-01T06:55:30.771000", "tags": [ "no expiration", "domain", "hostname", "ipv4", "expiration", "iocs", "ipv6", "url http", "url https", "next", "filehashmd5", "filehashsha1", "filehashsha256", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "cidr", "pcap", "stix", "subid", "mtsub26293293", "dashboard", "browse scan", "endpoints all", "octoseek", "a poster", "apple", "apple id", "apple engineering", "icloud", "tulach", "hallrender", "ck matrix", "ck id", "xobo", "a nxdomain", "sabey", "aaaa", "win32", "briansabey", "brian", "brian sabey", "urls https", "unknown urls", "united", "ttl value", "tsara brashears", "trojan", "tracker", "tofsee", "threat analyzer", "threat", "temp", "teams api", "subdomains", "active", "active threat", "strings", "status codes", "japan national police agency", "pegasus", "china", "aig", "ssl certificate", "accept", "ssh on server", "speakez securus", "show technique", "https", "relay", "state", "android", "address", "aposter", "workaposter", "sha256", "showing", "simple", "span", "small", "serving ip", "script", "search", "root", "ca", "samples", "root ca", "resolutions", "remote", "relay", "relacion", "referrer", "record value", "applenoc", "as16625", "attack", "apple attack", "bundled", "canvas", "mitre attk", "brute force passwords", "body length", "body", "backdoor", "bellsouth", "bahamut", "bell south", "mitre", "cellbrite", "class", "click", "authority", "contentencoding", "akamai", "as20940", "as24940 hetzner", "as58061 scalaxy", "scalaxy", "as714", "critical", "communicating", "quasar", "trojan", "et", "icefog", "pegasus", "tofsee", "cmd", "crypto", "error", "dns replication", "domain entries", "et cins", "execution", "cname", "config", "contact", "contacted", "copy", "creation date", "formbook", "jekyll", "graph", "germany unknown", "generator", "general", "forbidden", "falcon sandbox", "ssl hostname", "false", "file", "final url", "final url summary", "hashes files", "headers nel", "historical", "malicious host", "malvertizing", "malware", "tagging", "contextualizing", "localappdata", "install", "installer", "ioc search", "iocs kb", "body", "local", "United states", "name", "name servers", "mitre att", "metro", "meta", "mail spammer", "submit", "submit quasar", "phishing", "pattern match", "paste", "passive dns", "nxdomain", "national police agency japan", "network", "verdict", "cmd", "sandbox", "http response", "record type", "phishing", "nuance", "next", "new ioc", "subdomains", "germany", "reinsurance", "nuance", "cybercrime", "tracking", "cyber stalking", "fear", "masquerading", "cobalt strike" ], "references": [ "a-poster.info", "https://tulach.cc/", "images.ctfassets.net", "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]", "nr-data.net [Apple Private Data Collection]", "http://gmpg.org/xfn/11 [HTTrack]", "192.229.211.108 [Tracking & Virus Network]", "me.com [Pegasus]", "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]", "37.1.217.172 [scanning host]", "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands" ], "malware_families": [ { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "IceFog", "display_name": "IceFog", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4695, "domain": 2494, "hostname": 3547, "FileHash-MD5": 4118, "FileHash-SHA1": 3496, "FileHash-SHA256": 5841, "CIDR": 12, "email": 17 }, "indicator_count": 24220, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "810 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659261d5965b4824d1606cf9", "name": "Pegasus - a-poster.info", "description": "", "modified": "2024-01-31T04:00:35.757000", "created": "2024-01-01T06:55:17.262000", "tags": [ "no expiration", "domain", "hostname", "ipv4", "expiration", "iocs", "ipv6", "url http", "url https", "next", "filehashmd5", "filehashsha1", "filehashsha256", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "cidr", "pcap", "stix", "subid", "mtsub26293293", "dashboard", "browse scan", "endpoints all", "octoseek", "a poster", "apple", "apple id", "apple engineering", "icloud", "tulach", "hallrender", "ck matrix", "ck id", "xobo", "a nxdomain", "sabey", "aaaa", "win32", "briansabey", "brian", "brian sabey", "urls https", "unknown urls", "united", "ttl value", "tsara brashears", "trojan", "tracker", "tofsee", "threat analyzer", "threat", "temp", "teams api", "subdomains", "active", "active threat", "strings", "status codes", "japan national police agency", "pegasus", "china", "aig", "ssl certificate", "accept", "ssh on server", "speakez securus", "show technique", "https", "relay", "state", "android", "address", "aposter", "workaposter", "sha256", "showing", "simple", "span", "small", "serving ip", "script", "search", "root", "ca", "samples", "root ca", "resolutions", "remote", "relay", "relacion", "referrer", "record value", "applenoc", "as16625", "attack", "apple attack", "bundled", "canvas", "mitre attk", "brute force passwords", "body length", "body", "backdoor", "bellsouth", "bahamut", "bell south", "mitre", "cellbrite", "class", "click", "authority", "contentencoding", "akamai", "as20940", "as24940 hetzner", "as58061 scalaxy", "scalaxy", "as714", "critical", "communicating", "quasar", "trojan", "et", "icefog", "pegasus", "tofsee", "cmd", "crypto", "error", "dns replication", "domain entries", "et cins", "execution", "cname", "config", "contact", "contacted", "copy", "creation date", "formbook", "jekyll", "graph", "germany unknown", "generator", "general", "forbidden", "falcon sandbox", "ssl hostname", "false", "file", "final url", "final url summary", "hashes files", "headers nel", "historical", "malicious host", "malvertizing", "malware", "tagging", "contextualizing", "localappdata", "install", "installer", "ioc search", "iocs kb", "body", "local", "United states", "name", "name servers", "mitre att", "metro", "meta", "mail spammer", "submit", "submit quasar", "phishing", "pattern match", "paste", "passive dns", "nxdomain", "national police agency japan", "network", "verdict", "cmd", "sandbox", "http response", "record type", "phishing", "nuance", "next", "new ioc", "subdomains", "germany", "reinsurance", "nuance", "cybercrime", "tracking", "cyber stalking", "fear", "masquerading", "cobalt strike" ], "references": [ "a-poster.info", "https://tulach.cc/", "images.ctfassets.net", "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]", "nr-data.net [Apple Private Data Collection]", "http://gmpg.org/xfn/11 [HTTrack]", "192.229.211.108 [Tracking & Virus Network]", "me.com [Pegasus]", "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]", "37.1.217.172 [scanning host]", "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands" ], "malware_families": [ { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "IceFog", "display_name": "IceFog", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4719, "domain": 2497, "hostname": 3549, "FileHash-MD5": 4118, "FileHash-SHA1": 3496, "FileHash-SHA256": 5861, "CIDR": 12, "email": 17 }, "indicator_count": 24269, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "810 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6558408d453f2ee72cb9537e", "name": "frigostInjector.exe", "description": "", "modified": "2023-12-18T02:05:01.073000", "created": "2023-11-18T04:41:49.188000", "tags": [ "ssl certificate", "contacted", "whois record", "pe resource", "malware", "network", "highly targeted", "unauthorized", "wannacry kill", "switch dns", "cyberwar", "emotet", "critical", "copy", "attack", "neworder.doc", "milum", "url https", "url http", "type33554433", "guid", "smauthreason0", "methodget", "targetsmhttps", "months ago", "scan endpoints", "all search", "date", "next", "urls", "ip detections", "country", "registrar", "cloudflare", "win32 dll", "file size", "file type", "sha256", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "ms windows", "intel", "trid generic", "sections", "streams size", "entropy chi2", "blob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "Milum", "display_name": "Milum", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "655823a90db61fbeb599b736", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 88, "FileHash-SHA1": 80, "FileHash-SHA256": 204, "URL": 266, "CVE": 1, "domain": 200, "hostname": 93, "email": 1 }, "indicator_count": 933, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "854 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655823a90db61fbeb599b736", "name": "frigostInjector.exe", "description": "frigostInjector.exe\nFilehash SHA256:\n01518ea55a03fdad6f24c0614a46796d224c29f4ec96e69eacbfc7b14a921693\n\nhttp://kramtechnology.com/ \nServing as Metrobyt-mobile spyware", "modified": "2023-12-18T02:05:01.073000", "created": "2023-11-18T02:38:33.470000", "tags": [ "ssl certificate", "contacted", "whois record", "pe resource", "malware", "network", "highly targeted", "unauthorized", "wannacry kill", "switch dns", "cyberwar", "emotet", "critical", "copy", "attack", "neworder.doc", "milum", "url https", "url http", "type33554433", "guid", "smauthreason0", "methodget", "targetsmhttps", "months ago", "scan endpoints", "all search", "date", "next", "urls", "ip detections", "country", "registrar", "cloudflare", "win32 dll", "file size", "file type", "sha256", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "ms windows", "intel", "trid generic", "sections", "streams size", "entropy chi2", "blob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "Milum", "display_name": "Milum", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 88, "FileHash-SHA1": 80, "FileHash-SHA256": 204, "URL": 266, "CVE": 1, "domain": 200, "hostname": 93, "email": 1 }, "indicator_count": 933, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "854 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655823a74460eb0f3e988a29", "name": "frigostInjector.exe", "description": "frigostInjector.exe\nFilehash SHA256:\n01518ea55a03fdad6f24c0614a46796d224c29f4ec96e69eacbfc7b14a921693\n\nhttp://kramtechnology.com/ \nServing as Metrobyt-mobile spyware", "modified": "2023-12-18T02:05:01.073000", "created": "2023-11-18T02:38:31.974000", "tags": [ "ssl certificate", "contacted", "whois record", "pe resource", "malware", "network", "highly targeted", "unauthorized", "wannacry kill", "switch dns", "cyberwar", "emotet", "critical", "copy", "attack", "neworder.doc", "milum", "url https", "url http", "type33554433", "guid", "smauthreason0", "methodget", "targetsmhttps", "months ago", "scan endpoints", "all search", "date", "next", "urls", "ip detections", "country", "registrar", "cloudflare", "win32 dll", "file size", "file type", "sha256", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "ms windows", "intel", "trid generic", "sections", "streams size", "entropy chi2", "blob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "Milum", "display_name": "Milum", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 88, "FileHash-SHA1": 80, "FileHash-SHA256": 204, "URL": 266, "CVE": 1, "domain": 200, "hostname": 93, "email": 1 }, "indicator_count": 933, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "854 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a989843b7acf6d0a79ac", "name": "Qakbot. Again. Today. Pulled from own device. Quasar RAT, Malvertizing", "description": "", "modified": "2023-12-06T17:04:09.133000", "created": "2023-12-06T17:04:09.133000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 290, "FileHash-SHA256": 1478, "hostname": 1047, "URL": 4055, "FileHash-MD5": 89, "FileHash-SHA1": 85, "email": 1, "FilePath": 2, "Mutex": 1, "CIDR": 1 }, "indicator_count": 7051, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a8d167202b93ee502ff8", "name": "Apple iTunes| Malicious site | Anonyization | Siphoning | Trojan Downloader", "description": "", "modified": "2023-12-06T17:01:05.291000", "created": "2023-12-06T17:01:05.291000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 12, "URL": 3839, "hostname": 1331, "FileHash-SHA256": 2976, "domain": 757, "FileHash-MD5": 250, "FileHash-SHA1": 80 }, "indicator_count": 9245, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a835fc0836f148fa45c8", "name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]", "description": "", "modified": "2023-12-06T16:58:29.243000", "created": "2023-12-06T16:58:29.243000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a581b1024ea61979da96", "name": "Quasar - Dark Web Instagram Account | Link found | Remote Access Trojan (RAT)", "description": "", "modified": "2023-12-06T16:46:57.782000", "created": "2023-12-06T16:46:57.782000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-SHA256": 5791, "hostname": 3255, "domain": 2317, "FileHash-MD5": 44, "FileHash-SHA1": 34, "URL": 11513 }, "indicator_count": 22957, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a521974bdb5d6dbda092", "name": "", "description": "", "modified": "2023-12-06T16:45:21.776000", "created": "2023-12-06T16:45:21.776000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a5109ecc3c75c949f950", "name": "Unsupported IE 404 account running BotNet Command & Control Server | B/L", "description": "", "modified": "2023-12-06T16:45:04.296000", "created": "2023-12-06T16:45:04.296000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4f322399eb1db2a07b2", "name": "Hijacked Pinterest Account Spreader, BotNet Control Server | Unsupported IE", "description": "", "modified": "2023-12-06T16:44:35.786000", "created": "2023-12-06T16:44:35.786000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4e083c4acd789ea7e58", "name": "Blacklisted", "description": "", "modified": "2023-12-06T16:44:16.060000", "created": "2023-12-06T16:44:16.060000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2258, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15663, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4d5c14495fcf65ee8a5", "name": "Netsky", "description": "", "modified": "2023-12-06T16:44:05.631000", "created": "2023-12-06T16:44:05.631000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4cb97598bac143dc90b", "name": "Critical: Pinterest Cyber Espionage", "description": "", "modified": "2023-12-06T16:43:55.639000", "created": "2023-12-06T16:43:55.639000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "URL": 7203, "hostname": 2260, "FileHash-SHA256": 4835, "FileHash-MD5": 283, "FileHash-SHA1": 163, "domain": 915 }, "indicator_count": 15665, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a458c9934c2c2387556a", "name": "", "description": "", "modified": "2023-12-06T16:42:00.798000", "created": "2023-12-06T16:42:00.798000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a45205d13649df0844ba", "name": "iOS Hacktool Actively exploited", "description": "", "modified": "2023-12-06T16:41:54.157000", "created": "2023-12-06T16:41:54.157000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a44bb1c37c78fb86e09d", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:41:47.803000", "created": "2023-12-06T16:41:47.803000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a441d4e3eae9a6de91dd", "name": "Apple iOS - COBALT STRIKE", "description": "", "modified": "2023-12-06T16:41:37.067000", "created": "2023-12-06T16:41:37.067000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 112, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a43affc51769be1188f9", "name": "Apple exploit targets private citizen. Actively exploited.", "description": "", "modified": "2023-12-06T16:41:30.939000", "created": "2023-12-06T16:41:30.939000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a434c72e0d41666e0b43", "name": "Targetes iOS Apple Exploit \u2022 Where is Citizens Lab? Apple? This has roots.", "description": "", "modified": "2023-12-06T16:41:24.547000", "created": "2023-12-06T16:41:24.547000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a42c670fdf66b4af46df", "name": "Crimson Apple", "description": "", "modified": "2023-12-06T16:41:16.304000", "created": "2023-12-06T16:41:16.304000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4250011524abcdf1be0", "name": "Apple Tracking \u2022 Remote Access", "description": "", "modified": "2023-12-06T16:41:09.398000", "created": "2023-12-06T16:41:09.398000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a41e852f6b1b04648d44", "name": "Apple iOS Remote Access", "description": "", "modified": "2023-12-06T16:41:02.718000", "created": "2023-12-06T16:41:02.718000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a4161da64500aa609121", "name": "Major Apple Exploit", "description": "", "modified": "2023-12-06T16:40:54.425000", "created": "2023-12-06T16:40:54.425000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a40e62ca90307d3ed7a3", "name": "Major Apple Exploit", "description": "", "modified": "2023-12-06T16:40:46.173000", "created": "2023-12-06T16:40:46.173000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2468, "CVE": 2, "domain": 1247, "hostname": 1215, "FileHash-MD5": 31, "FileHash-SHA1": 36, "URL": 5265, "email": 6 }, "indicator_count": 10270, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a1bf9ae4cfe4669a779c", "name": "Agent Tesla", "description": "", "modified": "2023-12-06T16:30:55.036000", "created": "2023-12-06T16:30:55.036000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2906, "hostname": 1675, "FileHash-MD5": 65, "FileHash-SHA1": 66, "URL": 6938, "domain": 1727, "email": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a1b6abdfb076f2821940", "name": "FORMBOOK", "description": "", "modified": "2023-12-06T16:30:46.983000", "created": "2023-12-06T16:30:46.983000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2906, "hostname": 1675, "FileHash-MD5": 65, "FileHash-SHA1": 66, "URL": 6938, "domain": 1727, "email": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a1af4208c92832a9ae98", "name": "SKYNET", "description": "", "modified": "2023-12-06T16:30:39.892000", "created": "2023-12-06T16:30:39.892000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2906, "hostname": 1675, "FileHash-MD5": 65, "FileHash-SHA1": 66, "URL": 6938, "domain": 1727, "email": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a1a14208c92832a9ae97", "name": "Command and Control \u2022 Phishing \u2022 Hacking \u2022 Scanning Host \u2022 BotNetwork", "description": "", "modified": "2023-12-06T16:30:25.110000", "created": "2023-12-06T16:30:25.110000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2906, "hostname": 1675, "FileHash-MD5": 65, "FileHash-SHA1": 66, "URL": 6938, "domain": 1727, "email": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a197d1f648020fa5206c", "name": "Command and Control \u2022 Phishing \u2022 Hacking \u2022 Scanning Host \u2022 BotNetwork", "description": "", "modified": "2023-12-06T16:30:15.426000", "created": "2023-12-06T16:30:15.426000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2906, "hostname": 1675, "FileHash-MD5": 65, "FileHash-SHA1": 66, "URL": 6938, "domain": 1727, "email": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a18f5700cbc5aba025c9", "name": "Command and Control \u2022 Phishing \u2022 Hacking \u2022 Scanning Host \u2022 BotNetwork", "description": "", "modified": "2023-12-06T16:30:07.880000", "created": "2023-12-06T16:30:07.880000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2906, "hostname": 1675, "FileHash-MD5": 65, "FileHash-SHA1": 66, "URL": 6938, "domain": 1727, "email": 1 }, "indicator_count": 13379, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709b98bdc832d5d0570007", "name": "apple iPhone static licence - mpegla - SC lic hell", "description": "", "modified": "2023-12-06T16:04:40.560000", "created": "2023-12-06T16:04:40.560000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-SHA256": 1132, "hostname": 646, "domain": 271, "URL": 2150, "FileHash-MD5": 52, "FileHash-SHA1": 52 }, "indicator_count": 4306, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708c4f41727d49d783b766", "name": "RU KR .fill your boots -jaon file from vt graph 194.105.148.87", "description": "", "modified": "2023-12-06T14:59:27.563000", "created": "2023-12-06T14:59:27.563000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 858, "hostname": 589, "URL": 2061, "domain": 301 }, "indicator_count": 3809, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65463631b46319b3aa1d071f", "name": "Qausar RAT - aig.com |", "description": "Compilation of research identifilocates aig.com Defense Division of Workers Compensation. \nMalicious & invasive tactics remain. Target seem to have been removed from, revenge porn campaign targeted name no longer auto populates, registrant seems poised for campaign.\nTactics include phishing, tracking, geotracking, device location, monitoring, side loading apps and remote access. \n\nQausar Rat identified:\nAlso known by the names CinaRAT or Yggdrasil, Quasar RAT is a C#-based remote administration tool capable of gathering system information, a list of running applications, files, keystrokes, screenshots, and executing arbitrary shell commands.", "modified": "2023-12-04T11:01:36.202000", "created": "2023-11-04T12:16:49.600000", "tags": [ "general full", "url https", "reverse dns", "security tls", "protocol h2", "name value", "resource", "united", "asn16509", "amazon02", "main", "facebook", "http", "request chain", "november", "de page", "url history", "javascript", "meta", "page url", "redirected", "http redirect", "value", "mime type", "variables", "contexthub", "visitor object", "cq function", "sanitize object", "elqq", "domainpath name", "link", "property", "workers", "compensation", "login myaig", "liability", "contact", "a claim", "commercial auto", "login aig", "form", "cyber", "find", "team", "defense", "crime", "ransom", "energy", "cargo", "life", "media", "enterprise", "american international", "frankfurt", "germany", "october", "domains", "asn20940", "cisco", "umbrella rank", "domain", "de summary", "ssl certificate", "whois record", "whois whois", "malware", "network mooooda", "and china", "filter https", "dsp1", "keepaliveyes", "p11642963562", "quasar", "metro", "android", "djvu", "win32 exe", "win32 dll", "ms excel", "dao360", "spreadsheet", "files", "detections type", "name", "phishing", "tulach exploits", "falcon sandbox", "pattern match", "file", "script", "indicator", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "date", "unknown", "body", "error", "span", "class", "generator", "critical", "refresh", "open", "hybrid", "general", "local", "click", "strings", "tools", "look", "verify", "restart", "suricata" ], "references": [ "aig.com", "https://urlscan.io", "https://www.slatergordon.com.au/blog/revenge-porn-laws", "https://thehackernews.com/2023/10/quasar-rat-leverages-dll-side-loading.html?m=1", "https://hybrid-analysis.com/sample/6f4fb33ffb44474e86928549ef3f1a51d0f3e9e8c8d7a08b71b2b59b5921d311", "remoteaccess.aig.com", "https://remote.goeaston.net", "window.location.search", "location.search", "https://s3.rexdl.com/android/game/Desktop-Dungeons-v11-Mod-www.Rexdl.com.apk", "ghb-unoadsrv-com.geodns.me.1.1.11cec3ef.roksit.net", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/" ], "public": 1, "adversary": "American International", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "American International", "display_name": "American International", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Reinsurance", "Travel" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 117, "FileHash-SHA256": 1962, "domain": 575, "hostname": 1623, "FileHash-MD5": 123, "URL": 3670, "CVE": 2 }, "indicator_count": 8072, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "867 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a980f14b5a32303bf865b", "name": "CNC server.telegrafix.com", "description": "", "modified": "2023-12-02T02:35:59.820000", "created": "2023-12-02T02:35:59.820000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65423978ca5e5c9931b586a5", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "870 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a978cf39ec3cdc99278cc", "name": "RedLine", "description": "", "modified": "2023-12-02T02:33:48.848000", "created": "2023-12-02T02:33:48.848000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65423a941aa6527fbbe40a53", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "870 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65423978ca5e5c9931b586a5", "name": "CNC server.telegrafix.com", "description": "Brute force passwords using SSH on server RELAY\nTargeted individual, adult content, malvertizing, keylogging, monitoring, hacking, CNC, remoted devices, tracking, malware attack,etc.\n(Auto populated: The last HTTPS certificate was signed by the US government's Department of Homeland Security (DHS), but what exactly is it and what does the certificate actually say?. and how does it look?)", "modified": "2023-12-01T10:01:56.921000", "created": "2023-11-01T11:41:44.861000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "870 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65423a941aa6527fbbe40a53", "name": "RedLine", "description": "CNC server.telegrafix.com. Brute force passwords using SSH on server RELAY\nTargeted individual, monitoring, hacking, CNC, remoted devices, tracking, malware attack,etc.\n(Auto populated: The last HTTPS certificate was signed by the US government's Department of Homeland Security (DHS), but what exactly is it and what does the certificate actually say?. and how does it look?)", "modified": "2023-12-01T10:01:56.921000", "created": "2023-11-01T11:46:28.418000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "870 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6545a281ce7426288033f81e", "name": "CNC server.telegrafix.com", "description": "", "modified": "2023-12-01T10:01:56.921000", "created": "2023-11-04T01:46:41.933000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65423978ca5e5c9931b586a5", "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "870 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f04475b063d0b0d3badca", "name": "CNC | Malicious activities. | aig.com [lacks http/https]", "description": "", "modified": "2023-11-28T16:01:50.761000", "created": "2023-10-30T01:17:59.531000", "tags": [ "ssl certificate", "whois record", "communicating", "contacted", "threat roundup", "referrer", "october", "historical ssl", "june", "august", "execution", "quasar", "metro", "android", "djvu", "qakbot", "qbot", "april", "skynet", "crypto", "awful", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "lnew york", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "domains", "code", "microsoft", "dns replication", "full name", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "first", "iana id", "registrar whois", "win32 exe", "files", "detections type", "name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "653e9147fc170101be4f7afe", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4115, "FileHash-MD5": 250, "FileHash-SHA1": 244, "FileHash-SHA256": 2692, "domain": 665, "hostname": 1448, "CVE": 1, "email": 3 }, "indicator_count": 9418, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "873 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f047d030109e1cab23db8", "name": "Qakbot, Qbot, Qausar | CNC", "description": "", "modified": "2023-11-28T16:01:50.761000", "created": "2023-10-30T01:18:53.112000", "tags": [ "ssl certificate", "whois record", "communicating", "contacted", "threat roundup", "referrer", "october", "historical ssl", "june", "august", "execution", "quasar", "metro", "android", "djvu", "qakbot", "qbot", "april", "skynet", "crypto", "awful", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "lnew york", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "domains", "code", "microsoft", "dns replication", "full name", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "first", "iana id", "registrar whois", "win32 exe", "files", "detections type", "name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "653e9215890dfc9167d774e3", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4115, "FileHash-MD5": 250, "FileHash-SHA1": 244, "FileHash-SHA256": 2692, "domain": 665, "hostname": 1448, "CVE": 1, "email": 3 }, "indicator_count": 9418, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "873 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f04af6927f6584755d691", "name": "Registrar Abuse | CNC", "description": "", "modified": "2023-11-28T16:01:50.761000", "created": "2023-10-30T01:19:43.234000", "tags": [ "ssl certificate", "whois record", "communicating", "contacted", "threat roundup", "referrer", "october", "historical ssl", "june", "august", "execution", "quasar", "metro", "android", "djvu", "qakbot", "qbot", "april", "skynet", "crypto", "awful", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "lnew york", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "domains", "code", "microsoft", "dns replication", "full name", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "first", "iana id", "registrar whois", "win32 exe", "files", "detections type", "name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "653e92fcaf9d549477914ece", "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4115, "FileHash-MD5": 250, "FileHash-SHA1": 244, "FileHash-SHA256": 2692, "domain": 665, "hostname": 1448, "CVE": 1, "email": 3 }, "indicator_count": 9418, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "873 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653e92fcaf9d549477914ece", "name": "Registrar Abuse | CNC", "description": "My input: unsigned, evasive,Trojan:Win32/Danabot.G, missing STSH, CNC, phishing, trojans, scanning host, exploit host. \n\n\n[Auto populated: Last DNS records are held by a single person, and they are not the same as the previous records, which were posted in the early 1990s and early 2000s, according to the US government.]", "modified": "2023-11-28T16:01:50.761000", "created": "2023-10-29T17:14:36.780000", "tags": [ "ssl certificate", "whois record", "communicating", "contacted", "threat roundup", "referrer", "october", "historical ssl", "june", "august", "execution", "quasar", "metro", "android", "djvu", "qakbot", "qbot", "april", "skynet", "crypto", "awful", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "lnew york", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "domains", "code", "microsoft", "dns replication", "full name", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "first", "iana id", "registrar whois", "win32 exe", "files", "detections type", "name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4115, "FileHash-MD5": 250, "FileHash-SHA1": 244, "FileHash-SHA256": 2692, "domain": 665, "hostname": 1448, "CVE": 1, "email": 3 }, "indicator_count": 9418, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "873 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653e9215890dfc9167d774e3", "name": "Qakbot, Qbot, Qausar | CNC", "description": "My input: unsigned, evasive,Trojan:Win32/Danabot.G, missing STSH, CNC, phishing, trojans, scanning host, exploit host. \n\n\n[Auto populated: Last DNS records are held by a single person, and they are not the same as the previous records, which were posted in the early 1990s and early 2000s, according to the US government.]", "modified": "2023-11-28T16:01:50.761000", "created": "2023-10-29T17:10:45.609000", "tags": [ "ssl certificate", "whois record", "communicating", "contacted", "threat roundup", "referrer", "october", "historical ssl", "june", "august", "execution", "quasar", "metro", "android", "djvu", "qakbot", "qbot", "april", "skynet", "crypto", "awful", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus ou", "entrust", "oentrust", "l1k validity", "lnew york", "group", "info", "domain status", "server", "date", "registrar abuse", "new york", "postal code", "contact phone", "registrar url", "csc corporate", "domains", "code", "microsoft", "dns replication", "full name", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "first", "iana id", "registrar whois", "win32 exe", "files", "detections type", "name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4115, "FileHash-MD5": 250, "FileHash-SHA1": 244, "FileHash-SHA256": 2692, "domain": 665, "hostname": 1448, "CVE": 1, "email": 3 }, "indicator_count": 9418, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "873 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "aig.com", "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "https://urlscan.io", "Data Analytics", "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "msftconnecttest.com", "tulach.cc [Adversarial Malware Attack Source]", "remoteaccess.aig.com", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "newrelic.se [Apple Collection]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "https://applepaydayloans.com/", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "104.200.22.130 Command and Control", "init-p01st.push.apple.com", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "remote.telegrafix.com (remote hacking)", "www.jamesbgriffinlaw.com (malicious host)", "https://remote.goeaston.net", "https://s3.rexdl.com/android/game/Desktop-Dungeons-v11-Mod-www.Rexdl.com.apk", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "https://hybrid-analysis.com/sample/6f4fb33ffb44474e86928549ef3f1a51d0f3e9e8c8d7a08b71b2b59b5921d311", "images.ctfassets.net", "location.search", "0-1.duckdns.org [malicious]", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "http://init-p01st.push.apple.com/bag (remote hacking)", "37.1.217.172 [scanning host]", "Behavior Pattern Match Analysis", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "remote.haverhillcc.com (remote hacking)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "45.159.189.105 (Command and Control)", "firebaseremoteconfig.googleapis.com (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "window.location.search", "applepaydayloans.com", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "http://gmpg.org/xfn/11 [HTTrack]", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)", "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "me.com [Pegasus]", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "nr-data.net [ Hidden private Apple data collection]", "a-poster.info", "192.229.211.108 [Tracking & Virus Network]", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "https://www.slatergordon.com.au/blog/revenge-porn-laws", "Roksit.net", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "init.ess.apple.com (remote hacking)", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "http://ww1.tsx.org/_fd", "ghb-unoadsrv-com.geodns.me.1.1.11cec3ef.roksit.net", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://pin.it/ [SQLi Dumper]", "http://www.Apple.com/quicktime/download", "stagelight.pl (malicious/ pattern match)", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.roseoubleu.fr/panier (phishing)", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "apple.com. (malicious version/header)", "http://www.Apple.com/quicktime/download/standalone.html", "https://tulach.cc/", "12 CVE exploits posted in 'scoreblue' CVE tally", "http://45.159.189.105/bot/regex (Bot Command)", "apple-dns.net. [Apple email collection]", "nr-data.net [Apple Private Data Collection]", "https://sinister.ly/Thread-Apple-empty-box?page=13", "https://support.Apple.com/de", "https://www.apple.com/sitemap/", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "https://thehackernews.com/2023/10/quasar-rat-leverages-dll-side-loading.html?m=1", "103.224.212.34 scanning_host" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "American International" ], "malware_families": [ "Dark power", "Swisyn", "Redline", "Laplasclipper", "Maltiverse", "Undefined 1\tms 1\txyz 1\tgl 1\tnet tld aggregation com ms xyz gl net 20% 20% 20% 20% 20% tld\tcount com\t1 undefined\tnan ms\t1 xyz\t1 gl\t1 net\t1 combined blacklist timeline hybrid-analysis maltiverse resea", "Gen:variant.razy", "Sabey", "Pwndlocker", "Hallrender", "Death bitches", "Pegasus for android - mob-s0032", "Amazon aes", "Ramnit", "Pegasus for ios - s0289", "Relic", "Lolkek", "Generic.asmalws malicious_confidence_70% 1\til:trojan.msilzilla 1\tfilerepmalware 1\transom.sabsik 1\tbehaveslike.dropper 1\tmicrosoft phishing 1\tbackdoor.mokes 1\tphishing bank of america corporat", "Malicious.22a4c0", "Trojan.generic", "Neworder.doc", "Quasar rat", "Facebook ht", "Slfper:installcore", "Phish.ab", "Trojanspy", "Pws:msil/steam", "Trojan.html.agent", "Tsara brashears", "Appleservice", "Emotet", "Daisy coleman", "Remcos", "#lowfi:siga:trojanspy:msil/keylogger", "Dnspionage", "Generic.31fcc75f", "Vidar", "Azorult", "Worm:win32/netsky", "Gootloader", "Webtoolbar", "Malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tunsafe.ai_score_98% 1\tmobigame 1\tbanker,evasive,retefe 1\tprogram.unwanted 1\tmalicious.high.ml 1\tkryptik.dawvk 1\tunsafe.ai_score_91% 1\tadwar", "Keyloggers", "Fonepaw", "Pegasus - mob-s0005", "Artemis", "Tulach malware", "Cobalt strike - s0154", "Trickbot - s0266", "Fusioncore", "Twitter malware", "Crack", "Gamehack.dr", "Ransomexx", "Cobalt strike", "#hstr:hacktool:win32/mimikatz", "Tel:trojan:win32/emotet", "Generic.malware", "Formbook", "Gen:variant.bulz", "Bit rat", "Networm", "Zbot", "Agent tesla - s0331", "Sdbot.caoc", "Chaos", "Milum", "Lockbit", "Qakbot", "Cve jar", "Qvm20.1.8d80.malware", "Sodin ransomware", "Skynet", "Ransomware", "Adwaresig [adw] ml.generic", "Alf:program:opencandy:remnant", "American international", "Proxy", "Dapato", "Tofsee", "Anonymizer", "Trojan", "Redline stealer", "Tel:delphi/obfuscator", "Icefog", "Adware.dropware", "W32.hack.generic", "Trojan:win32/detplock", "Tulach", "Raccoon", "Malware.generic", "Ml.generic", "Backdoor.mokes", "Dropper.binder", "Apple malware", "Trojan.ransom.generickd", "Trojan.ole2.vbs", "Gen:variant.zusy", "Maui ransomware" ], "industries": [ "Reinsurance", "Healthcare", "Travel" ], "unique_indicators": 145399 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/a-poster.info", "whois": "http://whois.domaintools.com/a-poster.info", "domain": "a-poster.info", "hostname": "www.work.a-poster.info" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "6523344e4adc85389899504c", "name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]", "description": "", "modified": "2024-10-13T03:00:28.081000", "created": "2023-10-08T22:59:26.040000", "tags": [ "united", "contacted urls", "whois record", "contacted", "malicious site", "malware", "phishing site", "anonymizer", "heur", "control server", "facebook", "cobalt strike", "execution", "installcore", "phishing", "service", "core", "metro", "icmp", "hacktool", "download", "relic", "monitoring", "installer", "steam", "bank", "dnspionage", "crack", "unsafe", "ramnit", "emotet", "malware site", "proxy", "exploit", "fakealert", "team", "redline stealer", "laplasclipper", "cisco umbrella", "site", "safe site", "alexa top", "million", "alexa", "downloader", "opencandy", "generic", "presenoker", "maltiverse", "trojanspy", "date", "unknown", "windir", "markmonitor", "name server", "av detection", "september", "default browser", "guest system", "hybrid", "general", "click", "strings", "class", "critical", "blacklist", "union", "Embarcadero Delphi", "whois whois", "referrer", "ssl certificate", "communicating", "resolutions", "parent parent", "dropped", "stealer", "banker", "keylogger", "attack", "apple", "detection list", "ip address", "netsky", "firehol proxy", "noname057", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "FireHol", "Proxy", "Pexee", "Bank of America Corporation Malware Download", "CVE-2017-11882", "Alexa SANS Internet Storm Center", "MCI Verizon Block", "NaN" ], "references": [ "http://ww1.tsx.org/_fd", "https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)", "Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)", "http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)", "http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)", "Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)", "https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)", "firebaseremoteconfig.googleapis.com (remote hacking)", "remote.telegrafix.com (remote hacking)", "fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d", "remote.haverhillcc.com (remote hacking)", "http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "http://init-p01st.push.apple.com/bag (remote hacking)", "https://support.apple.com/en-us/HT201265. Targets (iOS ID)", "apple.com. (malicious version/header)", "https://www.apple.com/sitemap/", "https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)", "http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409", "init.ess.apple.com (remote hacking)", "applepaydayloans.com", "www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)", "https://applepaydayloans.com/", "https://sinister.ly/Thread-Apple-empty-box?page=13", "7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)", "https://support.Apple.com/de", "http://www.Apple.com/quicktime/download", "http://www.Apple.com/quicktime/download/standalone.html", "https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05", "https://www.roseoubleu.fr/panier (phishing)", "Roksit.net", "stagelight.pl (malicious/ pattern match)", "www.jamesbgriffinlaw.com (malicious host)", "Data Analytics", "Behavior Pattern Match Analysis", "45.159.189.105 (Command and Control)", "http://45.159.189.105/bot/regex (Bot Command)", "151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21", "AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server", "DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data", "(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TEL:Delphi/Obfuscator", "display_name": "TEL:Delphi/Obfuscator", "target": "/malware/TEL:Delphi/Obfuscator" }, { "id": "LaplasClipper", "display_name": "LaplasClipper", "target": null }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "SLFPER:InstallCore", "display_name": "SLFPER:InstallCore", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "ALF:Program:OpenCandy:Remnant", "display_name": "ALF:Program:OpenCandy:Remnant", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "generic.malware", "display_name": "generic.malware", "target": null }, { "id": "Anonymizer", "display_name": "Anonymizer", "target": null }, { "id": "#HSTR:HackTool:Win32/Mimikatz", "display_name": "#HSTR:HackTool:Win32/Mimikatz", "target": null }, { "id": "PWS:MSIL/Steam", "display_name": "PWS:MSIL/Steam", "target": "/malware/PWS:MSIL/Steam" }, { "id": "Trojan.HTML.Agent", "display_name": "Trojan.HTML.Agent", "target": null }, { "id": "Gen:Variant.Zusy", "display_name": "Gen:Variant.Zusy", "target": null }, { "id": "Worm:Win32/Netsky", "display_name": "Worm:Win32/Netsky", "target": "/malware/Worm:Win32/Netsky" }, { "id": "Sodin Ransomware", "display_name": "Sodin Ransomware", "target": null }, { "id": "Keyloggers", "display_name": "Keyloggers", "target": null }, { "id": "Proxy", "display_name": "Proxy", "target": null }, { "id": "TEL:Trojan:Win32/Emotet", "display_name": "TEL:Trojan:Win32/Emotet", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat", "target": null }, { "id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar", "target": null }, { "id": "AdwareSig [Adw] ml.Generic", "display_name": "AdwareSig [Adw] ml.Generic", "target": null }, { "id": "W32.Hack.Generic", "display_name": "W32.Hack.Generic", "target": null }, { "id": "Trojan.Ole2.Vbs", "display_name": "Trojan.Ole2.Vbs", "target": null }, { "id": "QVM20.1.8D80.Malware", "display_name": "QVM20.1.8D80.Malware", "target": null }, { "id": "Generic.Malware", "display_name": "Generic.Malware", "target": null }, { "id": "Backdoor.Mokes", "display_name": "Backdoor.Mokes", "target": null }, { "id": "AdWare.DropWare", "display_name": "AdWare.DropWare", "target": null }, { "id": "Gen:Variant.Razy", "display_name": "Gen:Variant.Razy", "target": null }, { "id": "Generic.31fcc75f", "display_name": "Generic.31fcc75f", "target": null }, { "id": "Trojan.Generic", "display_name": "Trojan.Generic", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "malware.generic", "display_name": "malware.generic", "target": null }, { "id": "Gen:Variant.Bulz", "display_name": "Gen:Variant.Bulz", "target": null }, { "id": "GameHack.DR", "display_name": "GameHack.DR", "target": null }, { "id": "Dropper.Binder", "display_name": "Dropper.Binder", "target": null }, { "id": "malicious.22a4c0", "display_name": "malicious.22a4c0", "target": null }, { "id": "SdBot.CAOC", "display_name": "SdBot.CAOC", "target": null }, { "id": "ml.Generic", "display_name": "ml.Generic", "target": null }, { "id": "Trojan.Ransom.GenericKD", "display_name": "Trojan.Ransom.GenericKD", "target": null }, { "id": "Phish.AB", "display_name": "Phish.AB", "target": null }, { "id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "6506b48d699080b4bfd334c5", "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7761, "CVE": 6, "FileHash-MD5": 285, "FileHash-SHA1": 165, "FileHash-SHA256": 5059, "domain": 987, "hostname": 2399 }, "indicator_count": 16662, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "554 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65afcb842689eb776c0737e5", "name": "Maui Ransomware", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-23T14:21:56.725000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65aab8eb55243c504a2cb4c0", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a9b4296442cc8db50a264f", "name": "Maui Ransomware ", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-18T23:28:41.569000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "653977171f690fb9ab978bf3", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65aab8eb55243c504a2cb4c0", "name": "Maui Ransomware", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-19T18:01:15.365000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65a9b4296442cc8db50a264f", "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a9b87d2d435bdad9ce80a3", "name": "Racoon Stealer ", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-18T23:47:09.818000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65a9b4296442cc8db50a264f", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659261e2290ac1ecc5d9ca74", "name": "Pegasus - a-poster.info", "description": "", "modified": "2024-01-31T04:00:35.757000", "created": "2024-01-01T06:55:30.771000", "tags": [ "no expiration", "domain", "hostname", "ipv4", "expiration", "iocs", "ipv6", "url http", "url https", "next", "filehashmd5", "filehashsha1", "filehashsha256", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "cidr", "pcap", "stix", "subid", "mtsub26293293", "dashboard", "browse scan", "endpoints all", "octoseek", "a poster", "apple", "apple id", "apple engineering", "icloud", "tulach", "hallrender", "ck matrix", "ck id", "xobo", "a nxdomain", "sabey", "aaaa", "win32", "briansabey", "brian", "brian sabey", "urls https", "unknown urls", "united", "ttl value", "tsara brashears", "trojan", "tracker", "tofsee", "threat analyzer", "threat", "temp", "teams api", "subdomains", "active", "active threat", "strings", "status codes", "japan national police agency", "pegasus", "china", "aig", "ssl certificate", "accept", "ssh on server", "speakez securus", "show technique", "https", "relay", "state", "android", "address", "aposter", "workaposter", "sha256", "showing", "simple", "span", "small", "serving ip", "script", "search", "root", "ca", "samples", "root ca", "resolutions", "remote", "relay", "relacion", "referrer", "record value", "applenoc", "as16625", "attack", "apple attack", "bundled", "canvas", "mitre attk", "brute force passwords", "body length", "body", "backdoor", "bellsouth", "bahamut", "bell south", "mitre", "cellbrite", "class", "click", "authority", "contentencoding", "akamai", "as20940", "as24940 hetzner", "as58061 scalaxy", "scalaxy", "as714", "critical", "communicating", "quasar", "trojan", "et", "icefog", "pegasus", "tofsee", "cmd", "crypto", "error", "dns replication", "domain entries", "et cins", "execution", "cname", "config", "contact", "contacted", "copy", "creation date", "formbook", "jekyll", "graph", "germany unknown", "generator", "general", "forbidden", "falcon sandbox", "ssl hostname", "false", "file", "final url", "final url summary", "hashes files", "headers nel", "historical", "malicious host", "malvertizing", "malware", "tagging", "contextualizing", "localappdata", "install", "installer", "ioc search", "iocs kb", "body", "local", "United states", "name", "name servers", "mitre att", "metro", "meta", "mail spammer", "submit", "submit quasar", "phishing", "pattern match", "paste", "passive dns", "nxdomain", "national police agency japan", "network", "verdict", "cmd", "sandbox", "http response", "record type", "phishing", "nuance", "next", "new ioc", "subdomains", "germany", "reinsurance", "nuance", "cybercrime", "tracking", "cyber stalking", "fear", "masquerading", "cobalt strike" ], "references": [ "a-poster.info", "https://tulach.cc/", "images.ctfassets.net", "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]", "nr-data.net [Apple Private Data Collection]", "http://gmpg.org/xfn/11 [HTTrack]", "192.229.211.108 [Tracking & Virus Network]", "me.com [Pegasus]", "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]", "37.1.217.172 [scanning host]", "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands" ], "malware_families": [ { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "IceFog", "display_name": "IceFog", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4695, "domain": 2494, "hostname": 3547, "FileHash-MD5": 4118, "FileHash-SHA1": 3496, "FileHash-SHA256": 5841, "CIDR": 12, "email": 17 }, "indicator_count": 24220, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "810 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659261d5965b4824d1606cf9", "name": "Pegasus - a-poster.info", "description": "", "modified": "2024-01-31T04:00:35.757000", "created": "2024-01-01T06:55:17.262000", "tags": [ "no expiration", "domain", "hostname", "ipv4", "expiration", "iocs", "ipv6", "url http", "url https", "next", "filehashmd5", "filehashsha1", "filehashsha256", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "cidr", "pcap", "stix", "subid", "mtsub26293293", "dashboard", "browse scan", "endpoints all", "octoseek", "a poster", "apple", "apple id", "apple engineering", "icloud", "tulach", "hallrender", "ck matrix", "ck id", "xobo", "a nxdomain", "sabey", "aaaa", "win32", "briansabey", "brian", "brian sabey", "urls https", "unknown urls", "united", "ttl value", "tsara brashears", "trojan", "tracker", "tofsee", "threat analyzer", "threat", "temp", "teams api", "subdomains", "active", "active threat", "strings", "status codes", "japan national police agency", "pegasus", "china", "aig", "ssl certificate", "accept", "ssh on server", "speakez securus", "show technique", "https", "relay", "state", "android", "address", "aposter", "workaposter", "sha256", "showing", "simple", "span", "small", "serving ip", "script", "search", "root", "ca", "samples", "root ca", "resolutions", "remote", "relay", "relacion", "referrer", "record value", "applenoc", "as16625", "attack", "apple attack", "bundled", "canvas", "mitre attk", "brute force passwords", "body length", "body", "backdoor", "bellsouth", "bahamut", "bell south", "mitre", "cellbrite", "class", "click", "authority", "contentencoding", "akamai", "as20940", "as24940 hetzner", "as58061 scalaxy", "scalaxy", "as714", "critical", "communicating", "quasar", "trojan", "et", "icefog", "pegasus", "tofsee", "cmd", "crypto", "error", "dns replication", "domain entries", "et cins", "execution", "cname", "config", "contact", "contacted", "copy", "creation date", "formbook", "jekyll", "graph", "germany unknown", "generator", "general", "forbidden", "falcon sandbox", "ssl hostname", "false", "file", "final url", "final url summary", "hashes files", "headers nel", "historical", "malicious host", "malvertizing", "malware", "tagging", "contextualizing", "localappdata", "install", "installer", "ioc search", "iocs kb", "body", "local", "United states", "name", "name servers", "mitre att", "metro", "meta", "mail spammer", "submit", "submit quasar", "phishing", "pattern match", "paste", "passive dns", "nxdomain", "national police agency japan", "network", "verdict", "cmd", "sandbox", "http response", "record type", "phishing", "nuance", "next", "new ioc", "subdomains", "germany", "reinsurance", "nuance", "cybercrime", "tracking", "cyber stalking", "fear", "masquerading", "cobalt strike" ], "references": [ "a-poster.info", "https://tulach.cc/", "images.ctfassets.net", "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]", "nr-data.net [Apple Private Data Collection]", "http://gmpg.org/xfn/11 [HTTrack]", "192.229.211.108 [Tracking & Virus Network]", "me.com [Pegasus]", "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]", "37.1.217.172 [scanning host]", "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands" ], "malware_families": [ { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "IceFog", "display_name": "IceFog", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4719, "domain": 2497, "hostname": 3549, "FileHash-MD5": 4118, "FileHash-SHA1": 3496, "FileHash-SHA256": 5861, "CIDR": 12, "email": 17 }, "indicator_count": 24269, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "810 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6558408d453f2ee72cb9537e", "name": "frigostInjector.exe", "description": "", "modified": "2023-12-18T02:05:01.073000", "created": "2023-11-18T04:41:49.188000", "tags": [ "ssl certificate", "contacted", "whois record", "pe resource", "malware", "network", "highly targeted", "unauthorized", "wannacry kill", "switch dns", "cyberwar", "emotet", "critical", "copy", "attack", "neworder.doc", "milum", "url https", "url http", "type33554433", "guid", "smauthreason0", "methodget", "targetsmhttps", "months ago", "scan endpoints", "all search", "date", "next", "urls", "ip detections", "country", "registrar", "cloudflare", "win32 dll", "file size", "file type", "sha256", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "ms windows", "intel", "trid generic", "sections", "streams size", "entropy chi2", "blob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "Milum", "display_name": "Milum", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "655823a90db61fbeb599b736", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 88, "FileHash-SHA1": 80, "FileHash-SHA256": 204, "URL": 266, "CVE": 1, "domain": 200, "hostname": 93, "email": 1 }, "indicator_count": 933, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "854 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655823a90db61fbeb599b736", "name": "frigostInjector.exe", "description": "frigostInjector.exe\nFilehash SHA256:\n01518ea55a03fdad6f24c0614a46796d224c29f4ec96e69eacbfc7b14a921693\n\nhttp://kramtechnology.com/ \nServing as Metrobyt-mobile spyware", "modified": "2023-12-18T02:05:01.073000", "created": "2023-11-18T02:38:33.470000", "tags": [ "ssl certificate", "contacted", "whois record", "pe resource", "malware", "network", "highly targeted", "unauthorized", "wannacry kill", "switch dns", "cyberwar", "emotet", "critical", "copy", "attack", "neworder.doc", "milum", "url https", "url http", "type33554433", "guid", "smauthreason0", "methodget", "targetsmhttps", "months ago", "scan endpoints", "all search", "date", "next", "urls", "ip detections", "country", "registrar", "cloudflare", "win32 dll", "file size", "file type", "sha256", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "ms windows", "intel", "trid generic", "sections", "streams size", "entropy chi2", "blob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "Milum", "display_name": "Milum", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 88, "FileHash-SHA1": 80, "FileHash-SHA256": 204, "URL": 266, "CVE": 1, "domain": 200, "hostname": 93, "email": 1 }, "indicator_count": 933, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "854 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655823a74460eb0f3e988a29", "name": "frigostInjector.exe", "description": "frigostInjector.exe\nFilehash SHA256:\n01518ea55a03fdad6f24c0614a46796d224c29f4ec96e69eacbfc7b14a921693\n\nhttp://kramtechnology.com/ \nServing as Metrobyt-mobile spyware", "modified": "2023-12-18T02:05:01.073000", "created": "2023-11-18T02:38:31.974000", "tags": [ "ssl certificate", "contacted", "whois record", "pe resource", "malware", "network", "highly targeted", "unauthorized", "wannacry kill", "switch dns", "cyberwar", "emotet", "critical", "copy", "attack", "neworder.doc", "milum", "url https", "url http", "type33554433", "guid", "smauthreason0", "methodget", "targetsmhttps", "months ago", "scan endpoints", "all search", "date", "next", "urls", "ip detections", "country", "registrar", "cloudflare", "win32 dll", "file size", "file type", "sha256", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "ms windows", "intel", "trid generic", "sections", "streams size", "entropy chi2", "blob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "Milum", "display_name": "Milum", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 88, "FileHash-SHA1": 80, "FileHash-SHA256": 204, "URL": 266, "CVE": 1, "domain": 200, "hostname": 93, "email": 1 }, "indicator_count": 933, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "854 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.work.a-poster.info", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.work.a-poster.info", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776664319.9236727 }