{
"type": "URL",
"indicator": "https://www.youtube.fr",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://www.youtube.fr",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 2859724663,
"indicator": "https://www.youtube.fr",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 17,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "97 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68c6026160a826c170a8ce93",
"name": "Mira - Targeted attacks that demolished victim/s Media Platforms",
"description": "Targeted attacks that demolished victim/s Media Platforms. \nDangerous crowd, bullied till the end, murder attempted hit by a vehicle many times on a one way. 22 year old who walked after attempting to drive her off I-25 Denver. Suffered more life threatening injuries. \nMonitored target. Crime: unwilling female trapped under nasty physical therapists crotch. No charges, no questions. No treatments except one SCI surgery that was 5 years too late. \nDenver is nuts. Denver law enforcement , quasi government , CBI & attorneys are corrupted. There\u2019s something to the wicked DIA theories. I wonder how many others have been silenced to death behind corporate greed. The PT who caused all\nof this is thoroughly treated as a victim. Family moved to safety? She was never the threat. TLB will always rest assured sheltered in the arms of God like she believed.\n#theft #rip #paypal #drive-by_compromise #mira #spotify #youtube #trulymissed",
"modified": "2025-10-13T22:27:44.477000",
"created": "2025-09-13T23:46:41.355000",
"tags": [
"http traffic",
"iframe src",
"https http",
"re att",
"access ta0001",
"t1189 severity",
"info found",
"command",
"control ta0011",
"protocol t1071",
"info",
"resolved ips",
"ip traffic",
"pattern domains",
"pattern urls",
"tls sni",
"get http",
"dns resolutions",
"windows nt",
"win64",
"khtml",
"gecko",
"response",
"user",
"rules not",
"registry keys",
"detections not",
"found mitre",
"info ids",
"sandbox",
"number",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"ip address",
"port",
"http",
"url data",
"accept",
"gmt ifnonematch",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"manager",
"shutdown",
"udp connections",
"http requests",
"cname",
"nxdomain",
"involved direct",
"country name",
"parent pid",
"full path",
"command line",
"t1055 process",
"layer protocol",
"access t1189",
"defense evasion",
"discovery t1082",
"control t1573",
"youtube",
"spotify",
"spotify",
"colorado blows"
],
"references": [
"https://forward.ro/",
"https://vtbehaviour.commondatastorage.googleapis.com/db4e2e018a3e7f1227d7ee73590290cbd2c5f85083d7d2cd2bfbfce2d86bc85b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1757802136&Signature=ZMB94nTTqlBqbckg%2Bto3APyffn72wQ8c%2BtAJCCTNE3HE7lF3WYAXyjdMPB0xKY6TVdQIXYiGj6C8cK925JJttjjW91Be%2BG5oJQ2Tkmou66cPgSgOdOAQEKXq2RNXSvvZUTKgJSbxJritEPsUDcE%2FOZrDG1fY%2FtVq7cxQdLdhKacpB%2FiFLNzlcCWDCLJtwGhyRwoESchlxvvy%2Bazy40CNs35Eiw1rci3tBqQS97F7mBV1GnSrz%2FFZKh",
"http://clients2.google.com/time/1/current?cup2key=8:ZnsjfqkCHZe8ziQKNl-PZVHX2EXyFv9m6Q0Dnd_a_t8&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"Colorado corruption will be exposed one day.",
"Discovery of targets pirated music led to her website down the next day! After 9 years?",
"These greedy people & government grifters steal money from victims, including life insurance policies",
"Stop following targets relatives everywhere , associates. Stop circling former residence..",
"Targets mother passed in 2014. So much malicious activity obituary had to be taken down when hackers put target in obituary",
"Targets mother died in her bed in Castke Rock, Douglasc County, Colorado",
"Moms body moved by Douglas County to Jefferson County after cause of death ruled natural causes.",
"Jefferson County, Coroner falsely states Mom died in car accident in Lakewood on death certificate .",
"This information was brought to target by concerned entities who handled body.",
"Off subject: Don\u2019t try to kill Tucker Carlson for asking valid questions about an apparent murder Sam.",
"First they discredit you, wear you down mentally , hunt you down , then\u2026.They have to deal with God.",
"Sorry! I can\u2019t help being upset about the unfairness of this constant cruel harassment.",
"Jeffrey Scott Reiner was considered a skilled predator by Bryan Counts MD. He later attacked target."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "All",
"display_name": "All",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [
"Government",
"Financial",
"Media",
"Targets"
],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 781,
"hostname": 339,
"FileHash-SHA256": 697,
"FileHash-MD5": 112,
"domain": 152,
"FileHash-SHA1": 2
},
"indicator_count": 2083,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "188 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6694bb9be1b61bf820500004",
"name": "YouTube Creator Cyber Attacks | Jays Youtube Bot.exe | YT Botnet",
"description": "YouTube Creator account attacks. Critical alerts, botnets, YT bots. I cannot adequately describe attack right now. Retaliation for targets YT channel Song Culture stems from retaliation shortly after a crime against target. Id be interested to learn more. An ITC Intercepter records traffic passed through Song Culture YouTube channel m redirects to other channels. Not reflected in the 1.5 million followers or the 3.2 million views. They just stopped. Then managing director was notified as all of Song Cultures social media Twitter, Instagram, Pinterest succumbed to Emotet attack. Social engineering did occur. Several parties. Alleged eBay , health insurance representatives, an attorney, alleged PI's music managers contacted by phone. A man from Great Britain also began an SE campaign, The strange part is following, confrontations, dangerous attacks, MIB, and other curious in person encounter, critical injuries, financial devastation has caused target to remain isolated.",
"modified": "2024-08-14T05:03:59.815000",
"created": "2024-07-15T06:03:07.423000",
"tags": [
"historical ssl",
"referrer",
"december",
"sneaky server",
"replacement",
"unauthorized",
"high level",
"hackers",
"highly targeted",
"cyber attack",
"emotet",
"critical",
"copy",
"united",
"command decode",
"suricata ipv4",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"sha1",
"name server",
"date",
"hybrid",
"general",
"click",
"strings",
"contact",
"song culture",
"tsara lynn",
"culture",
"chime sa",
"mediawarning",
"youtube twitter",
"secchuabitness",
"secchuamodel",
"secchuawow64",
"secchuaplatform",
"pragma",
"form",
"hope",
"karma",
"learn",
"suspicious",
"flag",
"pe resource",
"synaptics",
"apeaksoft ios",
"hiddentear",
"urls",
"domains",
"contacted",
"markmonitor",
"win32 exe",
"parents",
"type name",
"msrsaapp",
"youtube bot",
"rar jays",
"mozilla firefox",
"twitch",
"samplename",
"rar youtube",
"zip youtube",
"social bots",
"files",
"file type",
"kb file",
"b file",
"graph",
"get https",
"msie",
"windows nt",
"win64",
"slcc2",
"media center",
"request",
"gmt server",
"referer https",
"amd64 accept",
"accept",
"code",
"rwx memory",
"managed code",
"calls unmanaged",
"native",
"often seen",
"base64 encrypt",
"trojan",
"tsara brashears",
"red team hacking",
"process32nextw",
"regsetvalueexa",
"regdword",
"high",
"medium",
"objects",
"regbinary",
"module load",
"t1129",
"t1060",
"crash",
"dock",
"persistence",
"execution",
"okhfjrtblzo",
"ip check",
"windows",
"http host",
"controlservice",
"domain",
"registry",
"tools",
"service",
"worm",
"malware",
"win32",
"bits",
"read c",
"intel",
"ms windows",
"pe32",
"search",
"type read",
"show",
"wow64",
"stop",
"write",
"unknown",
"waiting",
"push",
"next",
"asnone united",
"aaaa",
"united kingdom",
"as20738 host",
"moved",
"passive dns",
"default",
"delete c",
"pe32 executable",
"document file",
"v2 document",
"floodfix",
"floxif",
"name servers",
"susp",
"showing",
"as55286",
"scan endpoints",
"all scoreblue",
"ransom",
"amadey",
"songculture",
"spreader",
"tracey richter",
"roberts",
"michael roberts",
"jays",
"sabey",
"rexxfield",
"darklivity"
],
"references": [
"https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe",
"https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details",
"Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042",
"Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze",
"https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection",
"m.pornsexer.xxx.3.1.adiosfil.roksit.net",
"http://freedns.afraid.org/subdomain/edit.php?data_id=21091713",
"Ransom: message.htm.com",
"Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden",
"Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho",
"Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction",
"Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception",
"Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata",
"Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create",
"Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan",
"https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd",
"Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf",
"https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1",
"FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1",
"Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H",
"IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |",
"Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates",
"Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction",
"Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser",
"Alerts: stealth_windowcreates_exe suspicious_process exe_appdata",
"http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]",
"https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg",
"https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]",
"Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297",
"http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)",
"https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Backdoor.Xtreme",
"display_name": "Backdoor.Xtreme",
"target": null
},
{
"id": "W32.AIDetectMalware.CS",
"display_name": "W32.AIDetectMalware.CS",
"target": null
},
{
"id": "Win.Virus.Pioneer-9111434-0",
"display_name": "Win.Virus.Pioneer-9111434-0",
"target": null
},
{
"id": "Virus:Win32/Floxif.H",
"display_name": "Virus:Win32/Floxif.H",
"target": "/malware/Virus:Win32/Floxif.H"
},
{
"id": "Win32:Renos-KY\\ [Trj]",
"display_name": "Win32:Renos-KY\\ [Trj]",
"target": null
},
{
"id": ", Win.Worm.Pykspa-6057105-0",
"display_name": ", Win.Worm.Pykspa-6057105-0",
"target": null
},
{
"id": "Worm:Win32/Pykspa.C",
"display_name": "Worm:Win32/Pykspa.C",
"target": "/malware/Worm:Win32/Pykspa.C"
},
{
"id": "PUP/Hacktool",
"display_name": "PUP/Hacktool",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 439,
"FileHash-SHA1": 386,
"FileHash-SHA256": 2320,
"URL": 1873,
"domain": 478,
"hostname": 839,
"SSLCertFingerprint": 9,
"email": 7
},
"indicator_count": 6351,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "613 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6692cf0e2273bb06aa43e43c",
"name": "Banker: Through The Nights - YouTube | Errors |",
"description": "YouTube creator issue. Hijacked channel. Won't open in VT, 303 error, ransomware files. Ransomware confirmed, limited access/research for today's pulse.",
"modified": "2024-08-12T18:02:56.458000",
"created": "2024-07-13T19:01:34.484000",
"tags": [
"united",
"command decode",
"suricata ipv4",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"sha1",
"name server",
"date",
"hybrid",
"general",
"click",
"strings",
"contact",
"low risk",
"domain",
"no malware",
"found",
"site",
"ip address",
"google network",
"unknown",
"low security",
"risk",
"hacked",
"protect",
"path",
"secure",
"httponly",
"secchuabitness",
"secchuamodel",
"secchuawow64",
"secchuaplatform",
"samesitenone",
"http response",
"final url",
"status code",
"body length",
"kb body",
"pragma",
"song culture",
"tsara lynn",
"culture",
"chime sa",
"mediawarning",
"youtube twitter",
"jess",
"tsara brashears",
"zafira songs",
"youtube og",
"hope",
"html info",
"meta tags",
"data",
"v3 serial",
"number",
"cus ogoogle",
"trust",
"llc cngts",
"validity",
"subject public",
"key info",
"key algorithm",
"name",
"whois lookup",
"create date",
"expiry date",
"query time",
"update date",
"update",
"passive dns",
"gmt content",
"scan endpoints",
"all scoreblue",
"hostname",
"pulse pulses",
"urls",
"files",
"related pulses",
"error",
"code",
"algorithm",
"first"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3,
"FileHash-SHA1": 3,
"FileHash-SHA256": 343,
"SSLCertFingerprint": 8,
"URL": 333,
"domain": 69,
"hostname": 165
},
"indicator_count": 924,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "615 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65eadaae65b9123721198d08",
"name": "Nivdort | Affected OTX accounts | Yotta Network (Cloned OTX user)",
"description": "",
"modified": "2024-04-06T23:03:19.046000",
"created": "2024-03-08T09:30:22.295000",
"tags": [
"methodpost",
"threat",
"iocs",
"urls http",
"samples",
"cnc",
"phishing",
"ransom",
"emotet",
"fraud services",
"command _and_control",
"trojan",
"scanning host",
"active threat",
"malicious",
"date hash",
"avast avg",
"susp",
"win32",
"paste",
"hostnames",
"http response",
"final url",
"ip address",
"status code",
"body length",
"b body",
"headers date",
"connection",
"first",
"utc submissions",
"submitters",
"computer",
"company limited",
"gandi sas",
"ovh sas",
"export",
"summary iocs",
"graph community",
"limited",
"yotta network",
"gvb gelimed",
"kb microsoft",
"indonesia",
"kyriazhs1975",
"vj79",
"bc https",
"rexxfield",
"brian sabey",
"as21342",
"united",
"passive dns",
"unknown",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse submit",
"url analysis",
"urls",
"msie",
"chrome",
"creation date",
"search",
"dnssec",
"entries",
"body",
"date",
"as63949 linode",
"mtb feb",
"checkin m1",
"gmt content",
"type",
"encrypt",
"trojan",
"artro",
"moved",
"pulse pulses",
"yotta data",
"yotta",
"private limited",
"india",
"limited yotta",
"number",
"as140641",
"network",
"facebook",
"info",
"cisco umbrella",
"site",
"alexa top",
"site top",
"million",
"safe site",
"million alexa",
"site safe",
"cobalt strike",
"malicious url",
"blacknet rat",
"union",
"vidar",
"malware",
"stealer",
"bank",
"alexa",
"deepscan",
"phishing",
"team",
"super",
"blacknet",
"babar",
"detection list",
"blacklist http",
"sample",
"submission",
"history first",
"analysis",
"utc http",
"response final",
"url http",
"kb body",
"path",
"as396982 google",
"bq mar",
"win32cve mar",
"exploit",
"virtool",
"status",
"name servers",
"emails",
"servers",
"next",
"files",
"as44273 host",
"germany unknown",
"expiration date",
"showing",
"win32upatre mar",
"milehighmedia",
"ids detections",
"possible fake",
"av checkin",
"initial checkin",
"checkin",
"utah data",
"center",
"june",
"data center",
"responsible",
"nsa utah",
"march",
"closeup view",
"july",
"view",
"february",
"prism",
"cascade",
"darpa",
"twitter",
"as20940",
"aaaa",
"as16625 akamai",
"nxdomain",
"whitelisted",
"domain",
"as54113",
"msil",
"cryp",
"files show",
"entries related",
"domains",
"as15169 google",
"gmt cache",
"sameorigin",
"trojandropper",
"asnone united",
"title error",
"porkbun",
"mtb mar",
"trojanspy",
"installer",
"loader",
"hijacker",
"targeting",
"as30456",
"sec ch",
"for privacy",
"ch ua",
"hash avast",
"avg clamav",
"msdefender mar",
"lowfi",
"dns replication",
"ip detections",
"country",
"contacted",
"graph",
"ssdeep",
"file type",
"html internet",
"magic html",
"ascii text",
"trid file",
"file size",
"open threat",
"learn",
"html info",
"exchange meta",
"tags twitter",
"alienvault",
"script tags",
"iframe tags",
"google tag",
"manager anchor",
"iana",
"whois lookup",
"ipv4 address",
"ripe ncc",
"afrinic",
"africa",
"apnic",
"asia pacific",
"arin",
"lacnic",
"google",
"amazon ec2",
"email",
"city",
"server",
"amazon data",
"amazon",
"code",
"form",
"po box",
"tech",
"show",
"description ype",
"collections",
"partru",
"execution",
"fake host"
],
"references": [
"Part II -Some users OTX accounts connected to the following | Unexpected revelation |",
"Title Salzburg Airport | Public Operations Display Portal | http://quantum.emsbk.com/",
"go.sabey.com | sabey.com | smear.cloud | w1.voyeurweb.com | Never stops...",
"https://www.milehighmedia.com/legal/2257",
"http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len",
"http://schoolcare.dyndns.org/soap/ISCKeyUpdater",
"http://callenjoy.net/index.php | watchhers.net | emails.redvue.com | nexus.devnautiluscloud.net | http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len",
"http://45.159.189.105/bot/regex | http://46.109.184.5/search.htm | http://acycseiiqsau.org/ | emsbk.innocraft.cloud | jenkins.devnautiluscloud.net |",
"hostmaster.hostmaster.hostmaster.cartography.midst.co.uk | message.htm.com | quantum.emsbk.com http://cms.static.hw.famedownload.com/famedigital/m/",
"http://cms.static.hw.famedownload.com/famedigital/m/1b6j9enlerq8k4g8/header-big8.jpg",
"CnC IP's: 104.200.21.37 | 106.14.226.91 | 192.187.111.221 | 198.58.118.167 | 208.100.26.245 | 34.174.78.212",
"Cookies AWSALB h0mLG52+gDNUdBHb468xx6EZCua7FVRvlZWH7URKSKV27WSs637El46CBcw8RmPBxIAT2jqmmByDbnMIsYobUWhWbNadYFsxVQk/gVDcDfdixV/5aQn0VRon9gXO",
"https://nsa.gov1.info/utah-data-center",
"https://softwaremill.com/grpc-vs-rest/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Arab Emirates"
],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort.CW",
"display_name": "TrojanSpy:Win32/Nivdort.CW",
"target": "/malware/TrojanSpy:Win32/Nivdort.CW"
},
{
"id": "AndroidOverlayMalware - MOB-S0012",
"display_name": "AndroidOverlayMalware - MOB-S0012",
"target": null
},
{
"id": "#Lowfi:LUA:AutoItV3CraftedOverlay",
"display_name": "#Lowfi:LUA:AutoItV3CraftedOverlay",
"target": null
},
{
"id": "Crypt3.BWVY",
"display_name": "Crypt3.BWVY",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Trojan:Win32/Floxif.E",
"display_name": "Trojan:Win32/Floxif.E",
"target": "/malware/Trojan:Win32/Floxif.E"
},
{
"id": "BlackNET",
"display_name": "BlackNET",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
},
{
"id": "VirTool:Win32/Injector.gen!BQ",
"display_name": "VirTool:Win32/Injector.gen!BQ",
"target": "/malware/VirTool:Win32/Injector.gen!BQ"
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
},
{
"id": "Dropper.Generic_r.EC",
"display_name": "Dropper.Generic_r.EC",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"target": null
},
{
"id": "ALF:Trojan:Win32/Zbot",
"display_name": "ALF:Trojan:Win32/Zbot",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
}
],
"attack_ids": [
{
"id": "T1605",
"name": "Command-Line Interface",
"display_name": "T1605 - Command-Line Interface"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1156",
"name": "Malicious Shell Modification",
"display_name": "T1156 - Malicious Shell Modification"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1583.004",
"name": "Server",
"display_name": "T1583.004 - Server"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [
"Civil Society",
"Telecommunications",
"Technology",
"Financial"
],
"TLP": "white",
"cloned_from": "65ea56ae1992b02a25aa5c51",
"export_count": 63,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6765,
"FileHash-MD5": 688,
"FileHash-SHA1": 422,
"FileHash-SHA256": 3169,
"domain": 2171,
"hostname": 1714,
"email": 11,
"CVE": 2,
"CIDR": 2
},
"indicator_count": 14944,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "743 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65ea56ae1992b02a25aa5c51",
"name": "TrojanSpy:Win32/Nivdort | Affected OTX accounts | Yotta Network",
"description": "Part II -Some users OTX accounts connected to the following | Unexpected revelation | A group of hackers masquerading as attorneys, government officials, advocates, fake nsa, security professional, help desk, etc. I don't know the association with otx.alienvault. Unauthorized logins OTX users. accounts. Deleted and modified pulses, etc. Needs further research for me to fully understand.",
"modified": "2024-04-06T23:03:19.046000",
"created": "2024-03-08T00:07:10.521000",
"tags": [
"methodpost",
"threat",
"iocs",
"urls http",
"samples",
"cnc",
"phishing",
"ransom",
"emotet",
"fraud services",
"command _and_control",
"trojan",
"scanning host",
"active threat",
"malicious",
"date hash",
"avast avg",
"susp",
"win32",
"paste",
"hostnames",
"http response",
"final url",
"ip address",
"status code",
"body length",
"b body",
"headers date",
"connection",
"first",
"utc submissions",
"submitters",
"computer",
"company limited",
"gandi sas",
"ovh sas",
"export",
"summary iocs",
"graph community",
"limited",
"yotta network",
"gvb gelimed",
"kb microsoft",
"indonesia",
"kyriazhs1975",
"vj79",
"bc https",
"rexxfield",
"brian sabey",
"as21342",
"united",
"passive dns",
"unknown",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse submit",
"url analysis",
"urls",
"msie",
"chrome",
"creation date",
"search",
"dnssec",
"entries",
"body",
"date",
"as63949 linode",
"mtb feb",
"checkin m1",
"gmt content",
"type",
"encrypt",
"trojan",
"artro",
"moved",
"pulse pulses",
"yotta data",
"yotta",
"private limited",
"india",
"limited yotta",
"number",
"as140641",
"network",
"facebook",
"info",
"cisco umbrella",
"site",
"alexa top",
"site top",
"million",
"safe site",
"million alexa",
"site safe",
"cobalt strike",
"malicious url",
"blacknet rat",
"union",
"vidar",
"malware",
"stealer",
"bank",
"alexa",
"deepscan",
"phishing",
"team",
"super",
"blacknet",
"babar",
"detection list",
"blacklist http",
"sample",
"submission",
"history first",
"analysis",
"utc http",
"response final",
"url http",
"kb body",
"path",
"as396982 google",
"bq mar",
"win32cve mar",
"exploit",
"virtool",
"status",
"name servers",
"emails",
"servers",
"next",
"files",
"as44273 host",
"germany unknown",
"expiration date",
"showing",
"win32upatre mar",
"milehighmedia",
"ids detections",
"possible fake",
"av checkin",
"initial checkin",
"checkin",
"utah data",
"center",
"june",
"data center",
"responsible",
"nsa utah",
"march",
"closeup view",
"july",
"view",
"february",
"prism",
"cascade",
"darpa",
"twitter",
"as20940",
"aaaa",
"as16625 akamai",
"nxdomain",
"whitelisted",
"domain",
"as54113",
"msil",
"cryp",
"files show",
"entries related",
"domains",
"as15169 google",
"gmt cache",
"sameorigin",
"trojandropper",
"asnone united",
"title error",
"porkbun",
"mtb mar",
"trojanspy",
"installer",
"loader",
"hijacker",
"targeting",
"as30456",
"sec ch",
"for privacy",
"ch ua",
"hash avast",
"avg clamav",
"msdefender mar",
"lowfi",
"dns replication",
"ip detections",
"country",
"contacted",
"graph",
"ssdeep",
"file type",
"html internet",
"magic html",
"ascii text",
"trid file",
"file size",
"open threat",
"learn",
"html info",
"exchange meta",
"tags twitter",
"alienvault",
"script tags",
"iframe tags",
"google tag",
"manager anchor",
"iana",
"whois lookup",
"ipv4 address",
"ripe ncc",
"afrinic",
"africa",
"apnic",
"asia pacific",
"arin",
"lacnic",
"google",
"amazon ec2",
"email",
"city",
"server",
"amazon data",
"amazon",
"code",
"form",
"po box",
"tech",
"show",
"description ype",
"collections",
"partru",
"execution",
"fake host"
],
"references": [
"Part II -Some users OTX accounts connected to the following | Unexpected revelation |",
"Title Salzburg Airport | Public Operations Display Portal | http://quantum.emsbk.com/",
"go.sabey.com | sabey.com | smear.cloud | w1.voyeurweb.com | Never stops...",
"https://www.milehighmedia.com/legal/2257",
"http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len",
"http://schoolcare.dyndns.org/soap/ISCKeyUpdater",
"http://callenjoy.net/index.php | watchhers.net | emails.redvue.com | nexus.devnautiluscloud.net | http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len",
"http://45.159.189.105/bot/regex | http://46.109.184.5/search.htm | http://acycseiiqsau.org/ | emsbk.innocraft.cloud | jenkins.devnautiluscloud.net |",
"hostmaster.hostmaster.hostmaster.cartography.midst.co.uk | message.htm.com | quantum.emsbk.com http://cms.static.hw.famedownload.com/famedigital/m/",
"http://cms.static.hw.famedownload.com/famedigital/m/1b6j9enlerq8k4g8/header-big8.jpg",
"CnC IP's: 104.200.21.37 | 106.14.226.91 | 192.187.111.221 | 198.58.118.167 | 208.100.26.245 | 34.174.78.212",
"Cookies AWSALB h0mLG52+gDNUdBHb468xx6EZCua7FVRvlZWH7URKSKV27WSs637El46CBcw8RmPBxIAT2jqmmByDbnMIsYobUWhWbNadYFsxVQk/gVDcDfdixV/5aQn0VRon9gXO",
"https://nsa.gov1.info/utah-data-center",
"https://softwaremill.com/grpc-vs-rest/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Arab Emirates"
],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort.CW",
"display_name": "TrojanSpy:Win32/Nivdort.CW",
"target": "/malware/TrojanSpy:Win32/Nivdort.CW"
},
{
"id": "AndroidOverlayMalware - MOB-S0012",
"display_name": "AndroidOverlayMalware - MOB-S0012",
"target": null
},
{
"id": "#Lowfi:LUA:AutoItV3CraftedOverlay",
"display_name": "#Lowfi:LUA:AutoItV3CraftedOverlay",
"target": null
},
{
"id": "Crypt3.BWVY",
"display_name": "Crypt3.BWVY",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Trojan:Win32/Floxif.E",
"display_name": "Trojan:Win32/Floxif.E",
"target": "/malware/Trojan:Win32/Floxif.E"
},
{
"id": "BlackNET",
"display_name": "BlackNET",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
},
{
"id": "VirTool:Win32/Injector.gen!BQ",
"display_name": "VirTool:Win32/Injector.gen!BQ",
"target": "/malware/VirTool:Win32/Injector.gen!BQ"
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
},
{
"id": "Dropper.Generic_r.EC",
"display_name": "Dropper.Generic_r.EC",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"target": null
},
{
"id": "ALF:Trojan:Win32/Zbot",
"display_name": "ALF:Trojan:Win32/Zbot",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
}
],
"attack_ids": [
{
"id": "T1605",
"name": "Command-Line Interface",
"display_name": "T1605 - Command-Line Interface"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1156",
"name": "Malicious Shell Modification",
"display_name": "T1156 - Malicious Shell Modification"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1583.004",
"name": "Server",
"display_name": "T1583.004 - Server"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [
"Civil Society",
"Telecommunications",
"Technology",
"Financial"
],
"TLP": "white",
"cloned_from": null,
"export_count": 59,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6765,
"FileHash-MD5": 688,
"FileHash-SHA1": 422,
"FileHash-SHA256": 3169,
"domain": 2171,
"hostname": 1714,
"email": 11,
"CVE": 2,
"CIDR": 2
},
"indicator_count": 14944,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 231,
"modified_text": "743 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e863bebbf95e0dc5a4169a",
"name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack expected",
"description": "Network compromised updated Apple device was directed (303) to a server. This is one of several botnets found. onthewifi \u2206 {Win32:BotX-gen\\ [Trj]} \u2022 Injection process | Password bypass. Studies targets behavior | Checks for other devices | Glupteba: \n Glupteba is a trojan-type program, malicious software that installs other programs of this type. Cyber criminals can perform a number of actions of a malicious hacker's choice on your device.",
"modified": "2024-04-05T12:00:46.637000",
"created": "2024-03-06T12:38:22.052000",
"tags": [
"referrer",
"tsara brashears",
"password bypass",
"apple phone",
"unlocker",
"shell code",
"script",
"pe resource",
"execution",
"sneaky server",
"emotet",
"android",
"download",
"malware",
"relic",
"monitoring",
"installer",
"formbook",
"urls",
"contacted",
"win32 exe",
"parents",
"type name",
"msrsaapp",
"files",
"file type",
"kb file",
"b file",
"graph",
"pe32 executable",
"ms windows",
"intel",
"generic cil",
"executable",
"mono",
"win32 dynamic",
"link library",
"win16 ne",
"samplename",
"samplepath",
"jays youtube",
"rticon neutral",
"details",
"header intel",
"name md5",
"type",
"language",
"contained",
"ico rtgroupicon",
"neutral",
"net technology",
"corporation",
"domains",
"markmonitor inc",
"malicious",
"cnc",
"network",
"bypass password",
"network probe",
"dns query",
"as20940",
"united",
"aaaa",
"search",
"showing",
"date",
"passive dns",
"registrar",
"unknown",
"encrypt",
"next",
"domain",
"emails",
"name servers",
"as199524",
"record value",
"rst seen",
"last seen",
"asn country",
"cname",
"as15169 google",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files ip",
"as4788",
"address",
"pulses",
"win32",
"entries",
"dadjoke",
"ms defender",
"united kingdom",
"germany unknown",
"as46606",
"as14061",
"servers",
"as12576 ee",
"russia unknown",
"as3320 deutsche",
"gamaredon",
"armageddon",
"as8068",
"script urls",
"for privacy",
"script domains",
"certificate",
"meta",
"creation date",
"as14627",
"ipv4",
"onthewifi",
"as54113",
"trojan",
"flywheel",
"sea x",
"accept",
"ransom",
"post http",
"langserbian",
"sublangdefault",
"rticon",
"process32nextw",
"medium",
"t1055",
"high",
"ip address",
"generic",
"body",
"markus",
"june",
"copy",
"bitcoin"
],
"references": [
"FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb",
"FormBook: 45.159.189.105",
"FormBook: http://45.159.189.105/bot/regex",
"Emotet: www.youtube.com/watch?v=GyuMozsVyYs",
"Relic: bam.nr-data.net [Apple Private Data Collection]",
"capitana.onthewifi.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Win32:Cryptor",
"display_name": "Win32:Cryptor",
"target": null
},
{
"id": "Win.Virus.PolyRansom-5704625-0",
"display_name": "Win.Virus.PolyRansom-5704625-0",
"target": null
},
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.KM!MTB",
"display_name": "Trojan:Win32/Glupteba.KM!MTB",
"target": "/malware/Trojan:Win32/Glupteba.KM!MTB"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1188",
"name": "Multi-hop Proxy",
"display_name": "T1188 - Multi-hop Proxy"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 53,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 309,
"FileHash-SHA1": 307,
"FileHash-SHA256": 3084,
"URL": 3066,
"domain": 1085,
"hostname": 1709,
"CVE": 1,
"email": 7
},
"indicator_count": 9568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "744 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65ea6410c1e1b1185951ef98",
"name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack executed (Copy)",
"description": "",
"modified": "2024-04-05T12:00:46.637000",
"created": "2024-03-08T01:04:16.906000",
"tags": [
"referrer",
"tsara brashears",
"password bypass",
"apple phone",
"unlocker",
"shell code",
"script",
"pe resource",
"execution",
"sneaky server",
"emotet",
"android",
"download",
"malware",
"relic",
"monitoring",
"installer",
"formbook",
"urls",
"contacted",
"win32 exe",
"parents",
"type name",
"msrsaapp",
"files",
"file type",
"kb file",
"b file",
"graph",
"pe32 executable",
"ms windows",
"intel",
"generic cil",
"executable",
"mono",
"win32 dynamic",
"link library",
"win16 ne",
"samplename",
"samplepath",
"jays youtube",
"rticon neutral",
"details",
"header intel",
"name md5",
"type",
"language",
"contained",
"ico rtgroupicon",
"neutral",
"net technology",
"corporation",
"domains",
"markmonitor inc",
"malicious",
"cnc",
"network",
"bypass password",
"network probe",
"dns query",
"as20940",
"united",
"aaaa",
"search",
"showing",
"date",
"passive dns",
"registrar",
"unknown",
"encrypt",
"next",
"domain",
"emails",
"name servers",
"as199524",
"record value",
"rst seen",
"last seen",
"asn country",
"cname",
"as15169 google",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files ip",
"as4788",
"address",
"pulses",
"win32",
"entries",
"dadjoke",
"ms defender",
"united kingdom",
"germany unknown",
"as46606",
"as14061",
"servers",
"as12576 ee",
"russia unknown",
"as3320 deutsche",
"gamaredon",
"armageddon",
"as8068",
"script urls",
"for privacy",
"script domains",
"certificate",
"meta",
"creation date",
"as14627",
"ipv4",
"onthewifi",
"as54113",
"trojan",
"flywheel",
"sea x",
"accept",
"ransom",
"post http",
"langserbian",
"sublangdefault",
"rticon",
"process32nextw",
"medium",
"t1055",
"high",
"ip address",
"generic",
"body",
"markus",
"june",
"copy",
"bitcoin"
],
"references": [
"FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb",
"FormBook: 45.159.189.105",
"FormBook: http://45.159.189.105/bot/regex",
"Emotet: www.youtube.com/watch?v=GyuMozsVyYs",
"Relic: bam.nr-data.net [Apple Private Data Collection]",
"capitana.onthewifi.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Win32:Cryptor",
"display_name": "Win32:Cryptor",
"target": null
},
{
"id": "Win.Virus.PolyRansom-5704625-0",
"display_name": "Win.Virus.PolyRansom-5704625-0",
"target": null
},
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.KM!MTB",
"display_name": "Trojan:Win32/Glupteba.KM!MTB",
"target": "/malware/Trojan:Win32/Glupteba.KM!MTB"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1188",
"name": "Multi-hop Proxy",
"display_name": "T1188 - Multi-hop Proxy"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65e863bebbf95e0dc5a4169a",
"export_count": 47,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 309,
"FileHash-SHA1": 307,
"FileHash-SHA256": 3084,
"URL": 3066,
"domain": 1085,
"hostname": 1709,
"CVE": 1,
"email": 7
},
"indicator_count": 9568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "744 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65709a0e8c20860fea88779a",
"name": "https://surveyheart.com/form/619fb5dc68ff1721fc915f81",
"description": "",
"modified": "2023-12-06T15:58:06.293000",
"created": "2023-12-06T15:58:06.293000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3624,
"FileHash-SHA256": 1584,
"domain": 871,
"hostname": 1290,
"FileHash-MD5": 20,
"FileHash-SHA1": 20
},
"indicator_count": 7409,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708f0647d0fcade949cf5d",
"name": "Samantha Borrego search using unknown extra twitter account id Samantha Borrego ID: 18ce54vevpn",
"description": "",
"modified": "2023-12-06T15:11:02.240000",
"created": "2023-12-06T15:11:02.240000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 502,
"hostname": 172,
"URL": 694,
"domain": 111,
"FileHash-MD5": 245,
"FileHash-SHA1": 165
},
"indicator_count": 1889,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657089f0a9a109319e652f2e",
"name": "Democracy.works_3.23.22",
"description": "",
"modified": "2023-12-06T14:49:20.276000",
"created": "2023-12-06T14:49:20.276000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"FileHash-SHA256": 3788,
"URL": 10812,
"hostname": 2537,
"domain": 1018,
"FileHash-MD5": 2,
"FileHash-SHA1": 1
},
"indicator_count": 18160,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657089d7a9a109319e652f2d",
"name": "DEMOCRACY.WORKS",
"description": "",
"modified": "2023-12-06T14:48:55.889000",
"created": "2023-12-06T14:48:55.889000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 1,
"FileHash-SHA256": 3611,
"URL": 9861,
"hostname": 2031,
"domain": 945,
"FileHash-MD5": 2,
"FileHash-SHA1": 1
},
"indicator_count": 16452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6451ac22105fabd34fbdf476",
"name": "https://surveyheart.com/form/619fb5dc68ff1721fc915f81",
"description": "Albert Hill fake profile has 1 follower and 1 follow. the one follow has this url in the p rofile",
"modified": "2023-05-03T00:34:42.633000",
"created": "2023-05-03T00:34:42.633000",
"tags": [
"entity"
],
"references": [
"https://www.virustotal.com/graph/g5cc372545fb241bdab97ceedfdc72d87d6ec1e42c9a545ae9f824ed1e99521d9",
"g5cc372545fb241bdab97ceedfdc72d87d6ec1e42c9a545ae9f824ed1e99521d9.json"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3624,
"FileHash-SHA256": 1584,
"hostname": 1290,
"domain": 871,
"IPv4": 95,
"FileHash-MD5": 20,
"FileHash-SHA1": 20
},
"indicator_count": 7504,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 93,
"modified_text": "1082 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "628fb2595df81daed7c2591f",
"name": "Samantha Borrego search using unknown extra twitter account id Samantha Borrego ID: 18ce54vevpn",
"description": "Seriously fucked up clever shit.... this is what those wankers ruin your life for",
"modified": "2022-06-25T00:02:42.269000",
"created": "2022-05-26T17:01:13.683000",
"tags": [
"Samantha Borrego ID: 18ce54vevpn",
"https://www.virustotal.com/graph/ge1933ce84783477284db3bd89196fb"
],
"references": [
"ge1933ce84783477284db3bd89196fb410e09c51ca3ac4ca986cc943ccbece636.json",
"Samantha Borrego ID: 18ce54vevpn",
"VT graph creation with download of MISP upload to otx",
"https://www.virustotal.com/graph/ge1933ce84783477284db3bd89196fb410e09c51ca3ac4ca986cc943ccbece636"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 694,
"domain": 111,
"FileHash-SHA256": 502,
"hostname": 172,
"FileHash-MD5": 245,
"FileHash-SHA1": 165
},
"indicator_count": 1889,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 392,
"modified_text": "1395 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "623b7febb8bc01a01e42ab3d",
"name": "Democracy.works_3.23.22",
"description": "",
"modified": "2022-04-22T00:03:50.614000",
"created": "2022-03-23T20:15:39.720000",
"tags": [],
"references": [
"Democracy.works_3.23.22..pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 10812,
"hostname": 2537,
"domain": 1018,
"FileHash-SHA256": 3788,
"CVE": 2,
"FileHash-MD5": 2,
"FileHash-SHA1": 1
},
"indicator_count": 18160,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 412,
"modified_text": "1459 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "623920a2146150d2d8525a73",
"name": "DEMOCRACY.WORKS",
"description": "",
"modified": "2022-04-20T00:02:21.571000",
"created": "2022-03-22T01:04:34.472000",
"tags": [],
"references": [
"DEMOCRACY.WORKS.pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 9861,
"domain": 945,
"hostname": 2031,
"FileHash-SHA256": 3611,
"CVE": 1,
"FileHash-MD5": 2,
"FileHash-SHA1": 1
},
"indicator_count": 16452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 414,
"modified_text": "1461 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"Moms body moved by Douglas County to Jefferson County after cause of death ruled natural causes.",
"FormBook: http://45.159.189.105/bot/regex",
"https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe",
"https://es.pornhat.com/models/the-sex-creator/",
"Jefferson County, Coroner falsely states Mom died in car accident in Lakewood on death certificate .",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Relic: bam.nr-data.net [Apple Private Data Collection]",
"Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf",
"https://forward.ro/",
"I am very upset. Whoever is doing this is sick.",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create",
"Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297",
"Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"https://www.virustotal.com/graph/ge1933ce84783477284db3bd89196fb410e09c51ca3ac4ca986cc943ccbece636",
"Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"https://www.virustotal.com/graph/g5cc372545fb241bdab97ceedfdc72d87d6ec1e42c9a545ae9f824ed1e99521d9",
"capitana.onthewifi.com",
"Samantha Borrego ID: 18ce54vevpn",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]",
"Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser",
"Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"These greedy people & government grifters steal money from victims, including life insurance policies",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"ge1933ce84783477284db3bd89196fb410e09c51ca3ac4ca986cc943ccbece636.json",
"FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1",
"VT graph creation with download of MISP upload to otx",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"Colorado corruption will be exposed one day.",
"http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len",
"https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd",
"Targets mother died in her bed in Castke Rock, Douglasc County, Colorado",
"IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"g5cc372545fb241bdab97ceedfdc72d87d6ec1e42c9a545ae9f824ed1e99521d9.json",
"m.pornsexer.xxx.3.1.adiosfil.roksit.net",
"Part II -Some users OTX accounts connected to the following | Unexpected revelation |",
"Democracy.works_3.23.22..pdf",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"iamrobert.com Y.A.S.",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"go.sabey.com | sabey.com | smear.cloud | w1.voyeurweb.com | Never stops...",
"https://softwaremill.com/grpc-vs-rest/",
"Off subject: Don\u2019t try to kill Tucker Carlson for asking valid questions about an apparent murder Sam.",
"Jeffrey Scott Reiner was considered a skilled predator by Bryan Counts MD. He later attacked target.",
"Sorry! I can\u2019t help being upset about the unfairness of this constant cruel harassment.",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates",
"https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection",
"Alerts: stealth_windowcreates_exe suspicious_process exe_appdata",
"CnC IP's: 104.200.21.37 | 106.14.226.91 | 192.187.111.221 | 198.58.118.167 | 208.100.26.245 | 34.174.78.212",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho",
"This information was brought to target by concerned entities who handled body.",
"https://www.milehighmedia.com/legal/2257",
"Targets mother passed in 2014. So much malicious activity obituary had to be taken down when hackers put target in obituary",
"Stop following targets relatives everywhere , associates. Stop circling former residence..",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"Target agreed and complied with all lie detector measures.",
"There is fear in silence or speaking out",
"Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan",
"Can the DoD no questions asked target a SA victim",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"FormBook: 45.159.189.105",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"If someone is believed to be a threat they have right to due process.",
"Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden",
"http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)",
"Title Salzburg Airport | Public Operations Display Portal | http://quantum.emsbk.com/",
"http://clients2.google.com/time/1/current?cup2key=8:ZnsjfqkCHZe8ziQKNl-PZVHX2EXyFv9m6Q0Dnd_a_t8&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"http://45.159.189.105/bot/regex | http://46.109.184.5/search.htm | http://acycseiiqsau.org/ | emsbk.innocraft.cloud | jenkins.devnautiluscloud.net |",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://vtbehaviour.commondatastorage.googleapis.com/db4e2e018a3e7f1227d7ee73590290cbd2c5f85083d7d2cd2bfbfce2d86bc85b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1757802136&Signature=ZMB94nTTqlBqbckg%2Bto3APyffn72wQ8c%2BtAJCCTNE3HE7lF3WYAXyjdMPB0xKY6TVdQIXYiGj6C8cK925JJttjjW91Be%2BG5oJQ2Tkmou66cPgSgOdOAQEKXq2RNXSvvZUTKgJSbxJritEPsUDcE%2FOZrDG1fY%2FtVq7cxQdLdhKacpB%2FiFLNzlcCWDCLJtwGhyRwoESchlxvvy%2Bazy40CNs35Eiw1rci3tBqQS97F7mBV1GnSrz%2FFZKh",
"https://meumundogay-com.sexogratis.page/locker",
"First they discredit you, wear you down mentally , hunt you down , then\u2026.They have to deal with God.",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"http://callenjoy.net/index.php | watchhers.net | emails.redvue.com | nexus.devnautiluscloud.net | http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len",
"DEMOCRACY.WORKS.pdf",
"https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1",
"https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg",
"http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]",
"http://freedns.afraid.org/subdomain/edit.php?data_id=21091713",
"Cookies AWSALB h0mLG52+gDNUdBHb468xx6EZCua7FVRvlZWH7URKSKV27WSs637El46CBcw8RmPBxIAT2jqmmByDbnMIsYobUWhWbNadYFsxVQk/gVDcDfdixV/5aQn0VRon9gXO",
"Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H",
"https://nsa.gov1.info/utah-data-center",
"http://schoolcare.dyndns.org/soap/ISCKeyUpdater",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"Emotet: www.youtube.com/watch?v=GyuMozsVyYs",
"http://cms.static.hw.famedownload.com/famedigital/m/1b6j9enlerq8k4g8/header-big8.jpg",
"Discovery of targets pirated music led to her website down the next day! After 9 years?",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"Ransom: message.htm.com",
"FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb",
"hostmaster.hostmaster.hostmaster.cartography.midst.co.uk | message.htm.com | quantum.emsbk.com http://cms.static.hw.famedownload.com/famedigital/m/",
"Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception",
"Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Worm:win32/mofksys.rnd!mtb",
"Win32:malware-gen",
"Artro",
"Trojanspy:win32/nivdort.cw",
"Win32:cryptor",
"Trojan:win32/floxif.e",
"Blacknet",
"Malware",
"Win32:botx-gen\\ [trj]",
"Win32:renos-ky\\ [trj]",
"Crypt3.bwvy",
"Alf:trojan:win32/zbot",
"Apnic",
"Win32:trojan-gen",
"Emotet",
"Virtool:win32/injector.gen!bq",
"Trojanspy",
"Win.virus.polyransom-5704625-0",
"Slf:trojan:win32/grandoreiro.a",
"#virtool:win32/obfuscator.adb",
"Dropper.generic_r.ec",
"Androidoverlaymalware - mob-s0012",
"#lowfi:lua:autoitv3craftedoverlay",
"Backdoor.xtreme",
"Win.virus.pioneer-9111434-0",
"Trojan:win32/glupteba.km!mtb",
", win.worm.pykspa-6057105-0",
"All",
"Virus:win32/floxif.h",
"Pup/hacktool",
"Babar",
"Alf:heraklezeval:trojan:win32/ymacco.aa47",
"W32.aidetectmalware.cs",
"Worm:win32/pykspa.c"
],
"industries": [
"Media",
"Financial",
"Civil society",
"Targets",
"Technology",
"Government",
"Telecommunications"
],
"unique_indicators": 77804
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/youtube.fr",
"whois": "http://whois.domaintools.com/youtube.fr",
"domain": "youtube.fr",
"hostname": "www.youtube.fr"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 17,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "97 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68c6026160a826c170a8ce93",
"name": "Mira - Targeted attacks that demolished victim/s Media Platforms",
"description": "Targeted attacks that demolished victim/s Media Platforms. \nDangerous crowd, bullied till the end, murder attempted hit by a vehicle many times on a one way. 22 year old who walked after attempting to drive her off I-25 Denver. Suffered more life threatening injuries. \nMonitored target. Crime: unwilling female trapped under nasty physical therapists crotch. No charges, no questions. No treatments except one SCI surgery that was 5 years too late. \nDenver is nuts. Denver law enforcement , quasi government , CBI & attorneys are corrupted. There\u2019s something to the wicked DIA theories. I wonder how many others have been silenced to death behind corporate greed. The PT who caused all\nof this is thoroughly treated as a victim. Family moved to safety? She was never the threat. TLB will always rest assured sheltered in the arms of God like she believed.\n#theft #rip #paypal #drive-by_compromise #mira #spotify #youtube #trulymissed",
"modified": "2025-10-13T22:27:44.477000",
"created": "2025-09-13T23:46:41.355000",
"tags": [
"http traffic",
"iframe src",
"https http",
"re att",
"access ta0001",
"t1189 severity",
"info found",
"command",
"control ta0011",
"protocol t1071",
"info",
"resolved ips",
"ip traffic",
"pattern domains",
"pattern urls",
"tls sni",
"get http",
"dns resolutions",
"windows nt",
"win64",
"khtml",
"gecko",
"response",
"user",
"rules not",
"registry keys",
"detections not",
"found mitre",
"info ids",
"sandbox",
"number",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"ip address",
"port",
"http",
"url data",
"accept",
"gmt ifnonematch",
"network dropped",
"duration cuckoo",
"version file",
"machine label",
"manager",
"shutdown",
"udp connections",
"http requests",
"cname",
"nxdomain",
"involved direct",
"country name",
"parent pid",
"full path",
"command line",
"t1055 process",
"layer protocol",
"access t1189",
"defense evasion",
"discovery t1082",
"control t1573",
"youtube",
"spotify",
"spotify",
"colorado blows"
],
"references": [
"https://forward.ro/",
"https://vtbehaviour.commondatastorage.googleapis.com/db4e2e018a3e7f1227d7ee73590290cbd2c5f85083d7d2cd2bfbfce2d86bc85b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1757802136&Signature=ZMB94nTTqlBqbckg%2Bto3APyffn72wQ8c%2BtAJCCTNE3HE7lF3WYAXyjdMPB0xKY6TVdQIXYiGj6C8cK925JJttjjW91Be%2BG5oJQ2Tkmou66cPgSgOdOAQEKXq2RNXSvvZUTKgJSbxJritEPsUDcE%2FOZrDG1fY%2FtVq7cxQdLdhKacpB%2FiFLNzlcCWDCLJtwGhyRwoESchlxvvy%2Bazy40CNs35Eiw1rci3tBqQS97F7mBV1GnSrz%2FFZKh",
"http://clients2.google.com/time/1/current?cup2key=8:ZnsjfqkCHZe8ziQKNl-PZVHX2EXyFv9m6Q0Dnd_a_t8&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"Colorado corruption will be exposed one day.",
"Discovery of targets pirated music led to her website down the next day! After 9 years?",
"These greedy people & government grifters steal money from victims, including life insurance policies",
"Stop following targets relatives everywhere , associates. Stop circling former residence..",
"Targets mother passed in 2014. So much malicious activity obituary had to be taken down when hackers put target in obituary",
"Targets mother died in her bed in Castke Rock, Douglasc County, Colorado",
"Moms body moved by Douglas County to Jefferson County after cause of death ruled natural causes.",
"Jefferson County, Coroner falsely states Mom died in car accident in Lakewood on death certificate .",
"This information was brought to target by concerned entities who handled body.",
"Off subject: Don\u2019t try to kill Tucker Carlson for asking valid questions about an apparent murder Sam.",
"First they discredit you, wear you down mentally , hunt you down , then\u2026.They have to deal with God.",
"Sorry! I can\u2019t help being upset about the unfairness of this constant cruel harassment.",
"Jeffrey Scott Reiner was considered a skilled predator by Bryan Counts MD. He later attacked target."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "All",
"display_name": "All",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [
"Government",
"Financial",
"Media",
"Targets"
],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 781,
"hostname": 339,
"FileHash-SHA256": 697,
"FileHash-MD5": 112,
"domain": 152,
"FileHash-SHA1": 2
},
"indicator_count": 2083,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "188 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6694bb9be1b61bf820500004",
"name": "YouTube Creator Cyber Attacks | Jays Youtube Bot.exe | YT Botnet",
"description": "YouTube Creator account attacks. Critical alerts, botnets, YT bots. I cannot adequately describe attack right now. Retaliation for targets YT channel Song Culture stems from retaliation shortly after a crime against target. Id be interested to learn more. An ITC Intercepter records traffic passed through Song Culture YouTube channel m redirects to other channels. Not reflected in the 1.5 million followers or the 3.2 million views. They just stopped. Then managing director was notified as all of Song Cultures social media Twitter, Instagram, Pinterest succumbed to Emotet attack. Social engineering did occur. Several parties. Alleged eBay , health insurance representatives, an attorney, alleged PI's music managers contacted by phone. A man from Great Britain also began an SE campaign, The strange part is following, confrontations, dangerous attacks, MIB, and other curious in person encounter, critical injuries, financial devastation has caused target to remain isolated.",
"modified": "2024-08-14T05:03:59.815000",
"created": "2024-07-15T06:03:07.423000",
"tags": [
"historical ssl",
"referrer",
"december",
"sneaky server",
"replacement",
"unauthorized",
"high level",
"hackers",
"highly targeted",
"cyber attack",
"emotet",
"critical",
"copy",
"united",
"command decode",
"suricata ipv4",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"sha1",
"name server",
"date",
"hybrid",
"general",
"click",
"strings",
"contact",
"song culture",
"tsara lynn",
"culture",
"chime sa",
"mediawarning",
"youtube twitter",
"secchuabitness",
"secchuamodel",
"secchuawow64",
"secchuaplatform",
"pragma",
"form",
"hope",
"karma",
"learn",
"suspicious",
"flag",
"pe resource",
"synaptics",
"apeaksoft ios",
"hiddentear",
"urls",
"domains",
"contacted",
"markmonitor",
"win32 exe",
"parents",
"type name",
"msrsaapp",
"youtube bot",
"rar jays",
"mozilla firefox",
"twitch",
"samplename",
"rar youtube",
"zip youtube",
"social bots",
"files",
"file type",
"kb file",
"b file",
"graph",
"get https",
"msie",
"windows nt",
"win64",
"slcc2",
"media center",
"request",
"gmt server",
"referer https",
"amd64 accept",
"accept",
"code",
"rwx memory",
"managed code",
"calls unmanaged",
"native",
"often seen",
"base64 encrypt",
"trojan",
"tsara brashears",
"red team hacking",
"process32nextw",
"regsetvalueexa",
"regdword",
"high",
"medium",
"objects",
"regbinary",
"module load",
"t1129",
"t1060",
"crash",
"dock",
"persistence",
"execution",
"okhfjrtblzo",
"ip check",
"windows",
"http host",
"controlservice",
"domain",
"registry",
"tools",
"service",
"worm",
"malware",
"win32",
"bits",
"read c",
"intel",
"ms windows",
"pe32",
"search",
"type read",
"show",
"wow64",
"stop",
"write",
"unknown",
"waiting",
"push",
"next",
"asnone united",
"aaaa",
"united kingdom",
"as20738 host",
"moved",
"passive dns",
"default",
"delete c",
"pe32 executable",
"document file",
"v2 document",
"floodfix",
"floxif",
"name servers",
"susp",
"showing",
"as55286",
"scan endpoints",
"all scoreblue",
"ransom",
"amadey",
"songculture",
"spreader",
"tracey richter",
"roberts",
"michael roberts",
"jays",
"sabey",
"rexxfield",
"darklivity"
],
"references": [
"https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe",
"https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details",
"Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042",
"Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze",
"https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection",
"m.pornsexer.xxx.3.1.adiosfil.roksit.net",
"http://freedns.afraid.org/subdomain/edit.php?data_id=21091713",
"Ransom: message.htm.com",
"Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden",
"Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho",
"Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction",
"Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception",
"Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata",
"Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create",
"Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan",
"https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd",
"Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf",
"https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1",
"FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1",
"Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H",
"IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |",
"Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates",
"Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction",
"Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser",
"Alerts: stealth_windowcreates_exe suspicious_process exe_appdata",
"http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]",
"https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg",
"https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]",
"Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297",
"http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)",
"https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Backdoor.Xtreme",
"display_name": "Backdoor.Xtreme",
"target": null
},
{
"id": "W32.AIDetectMalware.CS",
"display_name": "W32.AIDetectMalware.CS",
"target": null
},
{
"id": "Win.Virus.Pioneer-9111434-0",
"display_name": "Win.Virus.Pioneer-9111434-0",
"target": null
},
{
"id": "Virus:Win32/Floxif.H",
"display_name": "Virus:Win32/Floxif.H",
"target": "/malware/Virus:Win32/Floxif.H"
},
{
"id": "Win32:Renos-KY\\ [Trj]",
"display_name": "Win32:Renos-KY\\ [Trj]",
"target": null
},
{
"id": ", Win.Worm.Pykspa-6057105-0",
"display_name": ", Win.Worm.Pykspa-6057105-0",
"target": null
},
{
"id": "Worm:Win32/Pykspa.C",
"display_name": "Worm:Win32/Pykspa.C",
"target": "/malware/Worm:Win32/Pykspa.C"
},
{
"id": "PUP/Hacktool",
"display_name": "PUP/Hacktool",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 439,
"FileHash-SHA1": 386,
"FileHash-SHA256": 2320,
"URL": 1873,
"domain": 478,
"hostname": 839,
"SSLCertFingerprint": 9,
"email": 7
},
"indicator_count": 6351,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "613 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6692cf0e2273bb06aa43e43c",
"name": "Banker: Through The Nights - YouTube | Errors |",
"description": "YouTube creator issue. Hijacked channel. Won't open in VT, 303 error, ransomware files. Ransomware confirmed, limited access/research for today's pulse.",
"modified": "2024-08-12T18:02:56.458000",
"created": "2024-07-13T19:01:34.484000",
"tags": [
"united",
"command decode",
"suricata ipv4",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"sha1",
"name server",
"date",
"hybrid",
"general",
"click",
"strings",
"contact",
"low risk",
"domain",
"no malware",
"found",
"site",
"ip address",
"google network",
"unknown",
"low security",
"risk",
"hacked",
"protect",
"path",
"secure",
"httponly",
"secchuabitness",
"secchuamodel",
"secchuawow64",
"secchuaplatform",
"samesitenone",
"http response",
"final url",
"status code",
"body length",
"kb body",
"pragma",
"song culture",
"tsara lynn",
"culture",
"chime sa",
"mediawarning",
"youtube twitter",
"jess",
"tsara brashears",
"zafira songs",
"youtube og",
"hope",
"html info",
"meta tags",
"data",
"v3 serial",
"number",
"cus ogoogle",
"trust",
"llc cngts",
"validity",
"subject public",
"key info",
"key algorithm",
"name",
"whois lookup",
"create date",
"expiry date",
"query time",
"update date",
"update",
"passive dns",
"gmt content",
"scan endpoints",
"all scoreblue",
"hostname",
"pulse pulses",
"urls",
"files",
"related pulses",
"error",
"code",
"algorithm",
"first"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3,
"FileHash-SHA1": 3,
"FileHash-SHA256": 343,
"SSLCertFingerprint": 8,
"URL": 333,
"domain": 69,
"hostname": 165
},
"indicator_count": 924,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "615 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65eadaae65b9123721198d08",
"name": "Nivdort | Affected OTX accounts | Yotta Network (Cloned OTX user)",
"description": "",
"modified": "2024-04-06T23:03:19.046000",
"created": "2024-03-08T09:30:22.295000",
"tags": [
"methodpost",
"threat",
"iocs",
"urls http",
"samples",
"cnc",
"phishing",
"ransom",
"emotet",
"fraud services",
"command _and_control",
"trojan",
"scanning host",
"active threat",
"malicious",
"date hash",
"avast avg",
"susp",
"win32",
"paste",
"hostnames",
"http response",
"final url",
"ip address",
"status code",
"body length",
"b body",
"headers date",
"connection",
"first",
"utc submissions",
"submitters",
"computer",
"company limited",
"gandi sas",
"ovh sas",
"export",
"summary iocs",
"graph community",
"limited",
"yotta network",
"gvb gelimed",
"kb microsoft",
"indonesia",
"kyriazhs1975",
"vj79",
"bc https",
"rexxfield",
"brian sabey",
"as21342",
"united",
"passive dns",
"unknown",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse submit",
"url analysis",
"urls",
"msie",
"chrome",
"creation date",
"search",
"dnssec",
"entries",
"body",
"date",
"as63949 linode",
"mtb feb",
"checkin m1",
"gmt content",
"type",
"encrypt",
"trojan",
"artro",
"moved",
"pulse pulses",
"yotta data",
"yotta",
"private limited",
"india",
"limited yotta",
"number",
"as140641",
"network",
"facebook",
"info",
"cisco umbrella",
"site",
"alexa top",
"site top",
"million",
"safe site",
"million alexa",
"site safe",
"cobalt strike",
"malicious url",
"blacknet rat",
"union",
"vidar",
"malware",
"stealer",
"bank",
"alexa",
"deepscan",
"phishing",
"team",
"super",
"blacknet",
"babar",
"detection list",
"blacklist http",
"sample",
"submission",
"history first",
"analysis",
"utc http",
"response final",
"url http",
"kb body",
"path",
"as396982 google",
"bq mar",
"win32cve mar",
"exploit",
"virtool",
"status",
"name servers",
"emails",
"servers",
"next",
"files",
"as44273 host",
"germany unknown",
"expiration date",
"showing",
"win32upatre mar",
"milehighmedia",
"ids detections",
"possible fake",
"av checkin",
"initial checkin",
"checkin",
"utah data",
"center",
"june",
"data center",
"responsible",
"nsa utah",
"march",
"closeup view",
"july",
"view",
"february",
"prism",
"cascade",
"darpa",
"twitter",
"as20940",
"aaaa",
"as16625 akamai",
"nxdomain",
"whitelisted",
"domain",
"as54113",
"msil",
"cryp",
"files show",
"entries related",
"domains",
"as15169 google",
"gmt cache",
"sameorigin",
"trojandropper",
"asnone united",
"title error",
"porkbun",
"mtb mar",
"trojanspy",
"installer",
"loader",
"hijacker",
"targeting",
"as30456",
"sec ch",
"for privacy",
"ch ua",
"hash avast",
"avg clamav",
"msdefender mar",
"lowfi",
"dns replication",
"ip detections",
"country",
"contacted",
"graph",
"ssdeep",
"file type",
"html internet",
"magic html",
"ascii text",
"trid file",
"file size",
"open threat",
"learn",
"html info",
"exchange meta",
"tags twitter",
"alienvault",
"script tags",
"iframe tags",
"google tag",
"manager anchor",
"iana",
"whois lookup",
"ipv4 address",
"ripe ncc",
"afrinic",
"africa",
"apnic",
"asia pacific",
"arin",
"lacnic",
"google",
"amazon ec2",
"email",
"city",
"server",
"amazon data",
"amazon",
"code",
"form",
"po box",
"tech",
"show",
"description ype",
"collections",
"partru",
"execution",
"fake host"
],
"references": [
"Part II -Some users OTX accounts connected to the following | Unexpected revelation |",
"Title Salzburg Airport | Public Operations Display Portal | http://quantum.emsbk.com/",
"go.sabey.com | sabey.com | smear.cloud | w1.voyeurweb.com | Never stops...",
"https://www.milehighmedia.com/legal/2257",
"http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len",
"http://schoolcare.dyndns.org/soap/ISCKeyUpdater",
"http://callenjoy.net/index.php | watchhers.net | emails.redvue.com | nexus.devnautiluscloud.net | http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len",
"http://45.159.189.105/bot/regex | http://46.109.184.5/search.htm | http://acycseiiqsau.org/ | emsbk.innocraft.cloud | jenkins.devnautiluscloud.net |",
"hostmaster.hostmaster.hostmaster.cartography.midst.co.uk | message.htm.com | quantum.emsbk.com http://cms.static.hw.famedownload.com/famedigital/m/",
"http://cms.static.hw.famedownload.com/famedigital/m/1b6j9enlerq8k4g8/header-big8.jpg",
"CnC IP's: 104.200.21.37 | 106.14.226.91 | 192.187.111.221 | 198.58.118.167 | 208.100.26.245 | 34.174.78.212",
"Cookies AWSALB h0mLG52+gDNUdBHb468xx6EZCua7FVRvlZWH7URKSKV27WSs637El46CBcw8RmPBxIAT2jqmmByDbnMIsYobUWhWbNadYFsxVQk/gVDcDfdixV/5aQn0VRon9gXO",
"https://nsa.gov1.info/utah-data-center",
"https://softwaremill.com/grpc-vs-rest/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Arab Emirates"
],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort.CW",
"display_name": "TrojanSpy:Win32/Nivdort.CW",
"target": "/malware/TrojanSpy:Win32/Nivdort.CW"
},
{
"id": "AndroidOverlayMalware - MOB-S0012",
"display_name": "AndroidOverlayMalware - MOB-S0012",
"target": null
},
{
"id": "#Lowfi:LUA:AutoItV3CraftedOverlay",
"display_name": "#Lowfi:LUA:AutoItV3CraftedOverlay",
"target": null
},
{
"id": "Crypt3.BWVY",
"display_name": "Crypt3.BWVY",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Trojan:Win32/Floxif.E",
"display_name": "Trojan:Win32/Floxif.E",
"target": "/malware/Trojan:Win32/Floxif.E"
},
{
"id": "BlackNET",
"display_name": "BlackNET",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
},
{
"id": "VirTool:Win32/Injector.gen!BQ",
"display_name": "VirTool:Win32/Injector.gen!BQ",
"target": "/malware/VirTool:Win32/Injector.gen!BQ"
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
},
{
"id": "Dropper.Generic_r.EC",
"display_name": "Dropper.Generic_r.EC",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"target": null
},
{
"id": "ALF:Trojan:Win32/Zbot",
"display_name": "ALF:Trojan:Win32/Zbot",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
}
],
"attack_ids": [
{
"id": "T1605",
"name": "Command-Line Interface",
"display_name": "T1605 - Command-Line Interface"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1156",
"name": "Malicious Shell Modification",
"display_name": "T1156 - Malicious Shell Modification"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1583.004",
"name": "Server",
"display_name": "T1583.004 - Server"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [
"Civil Society",
"Telecommunications",
"Technology",
"Financial"
],
"TLP": "white",
"cloned_from": "65ea56ae1992b02a25aa5c51",
"export_count": 63,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6765,
"FileHash-MD5": 688,
"FileHash-SHA1": 422,
"FileHash-SHA256": 3169,
"domain": 2171,
"hostname": 1714,
"email": 11,
"CVE": 2,
"CIDR": 2
},
"indicator_count": 14944,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "743 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65ea56ae1992b02a25aa5c51",
"name": "TrojanSpy:Win32/Nivdort | Affected OTX accounts | Yotta Network",
"description": "Part II -Some users OTX accounts connected to the following | Unexpected revelation | A group of hackers masquerading as attorneys, government officials, advocates, fake nsa, security professional, help desk, etc. I don't know the association with otx.alienvault. Unauthorized logins OTX users. accounts. Deleted and modified pulses, etc. Needs further research for me to fully understand.",
"modified": "2024-04-06T23:03:19.046000",
"created": "2024-03-08T00:07:10.521000",
"tags": [
"methodpost",
"threat",
"iocs",
"urls http",
"samples",
"cnc",
"phishing",
"ransom",
"emotet",
"fraud services",
"command _and_control",
"trojan",
"scanning host",
"active threat",
"malicious",
"date hash",
"avast avg",
"susp",
"win32",
"paste",
"hostnames",
"http response",
"final url",
"ip address",
"status code",
"body length",
"b body",
"headers date",
"connection",
"first",
"utc submissions",
"submitters",
"computer",
"company limited",
"gandi sas",
"ovh sas",
"export",
"summary iocs",
"graph community",
"limited",
"yotta network",
"gvb gelimed",
"kb microsoft",
"indonesia",
"kyriazhs1975",
"vj79",
"bc https",
"rexxfield",
"brian sabey",
"as21342",
"united",
"passive dns",
"unknown",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse submit",
"url analysis",
"urls",
"msie",
"chrome",
"creation date",
"search",
"dnssec",
"entries",
"body",
"date",
"as63949 linode",
"mtb feb",
"checkin m1",
"gmt content",
"type",
"encrypt",
"trojan",
"artro",
"moved",
"pulse pulses",
"yotta data",
"yotta",
"private limited",
"india",
"limited yotta",
"number",
"as140641",
"network",
"facebook",
"info",
"cisco umbrella",
"site",
"alexa top",
"site top",
"million",
"safe site",
"million alexa",
"site safe",
"cobalt strike",
"malicious url",
"blacknet rat",
"union",
"vidar",
"malware",
"stealer",
"bank",
"alexa",
"deepscan",
"phishing",
"team",
"super",
"blacknet",
"babar",
"detection list",
"blacklist http",
"sample",
"submission",
"history first",
"analysis",
"utc http",
"response final",
"url http",
"kb body",
"path",
"as396982 google",
"bq mar",
"win32cve mar",
"exploit",
"virtool",
"status",
"name servers",
"emails",
"servers",
"next",
"files",
"as44273 host",
"germany unknown",
"expiration date",
"showing",
"win32upatre mar",
"milehighmedia",
"ids detections",
"possible fake",
"av checkin",
"initial checkin",
"checkin",
"utah data",
"center",
"june",
"data center",
"responsible",
"nsa utah",
"march",
"closeup view",
"july",
"view",
"february",
"prism",
"cascade",
"darpa",
"twitter",
"as20940",
"aaaa",
"as16625 akamai",
"nxdomain",
"whitelisted",
"domain",
"as54113",
"msil",
"cryp",
"files show",
"entries related",
"domains",
"as15169 google",
"gmt cache",
"sameorigin",
"trojandropper",
"asnone united",
"title error",
"porkbun",
"mtb mar",
"trojanspy",
"installer",
"loader",
"hijacker",
"targeting",
"as30456",
"sec ch",
"for privacy",
"ch ua",
"hash avast",
"avg clamav",
"msdefender mar",
"lowfi",
"dns replication",
"ip detections",
"country",
"contacted",
"graph",
"ssdeep",
"file type",
"html internet",
"magic html",
"ascii text",
"trid file",
"file size",
"open threat",
"learn",
"html info",
"exchange meta",
"tags twitter",
"alienvault",
"script tags",
"iframe tags",
"google tag",
"manager anchor",
"iana",
"whois lookup",
"ipv4 address",
"ripe ncc",
"afrinic",
"africa",
"apnic",
"asia pacific",
"arin",
"lacnic",
"google",
"amazon ec2",
"email",
"city",
"server",
"amazon data",
"amazon",
"code",
"form",
"po box",
"tech",
"show",
"description ype",
"collections",
"partru",
"execution",
"fake host"
],
"references": [
"Part II -Some users OTX accounts connected to the following | Unexpected revelation |",
"Title Salzburg Airport | Public Operations Display Portal | http://quantum.emsbk.com/",
"go.sabey.com | sabey.com | smear.cloud | w1.voyeurweb.com | Never stops...",
"https://www.milehighmedia.com/legal/2257",
"http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len",
"http://schoolcare.dyndns.org/soap/ISCKeyUpdater",
"http://callenjoy.net/index.php | watchhers.net | emails.redvue.com | nexus.devnautiluscloud.net | http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len",
"http://45.159.189.105/bot/regex | http://46.109.184.5/search.htm | http://acycseiiqsau.org/ | emsbk.innocraft.cloud | jenkins.devnautiluscloud.net |",
"hostmaster.hostmaster.hostmaster.cartography.midst.co.uk | message.htm.com | quantum.emsbk.com http://cms.static.hw.famedownload.com/famedigital/m/",
"http://cms.static.hw.famedownload.com/famedigital/m/1b6j9enlerq8k4g8/header-big8.jpg",
"CnC IP's: 104.200.21.37 | 106.14.226.91 | 192.187.111.221 | 198.58.118.167 | 208.100.26.245 | 34.174.78.212",
"Cookies AWSALB h0mLG52+gDNUdBHb468xx6EZCua7FVRvlZWH7URKSKV27WSs637El46CBcw8RmPBxIAT2jqmmByDbnMIsYobUWhWbNadYFsxVQk/gVDcDfdixV/5aQn0VRon9gXO",
"https://nsa.gov1.info/utah-data-center",
"https://softwaremill.com/grpc-vs-rest/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Arab Emirates"
],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort.CW",
"display_name": "TrojanSpy:Win32/Nivdort.CW",
"target": "/malware/TrojanSpy:Win32/Nivdort.CW"
},
{
"id": "AndroidOverlayMalware - MOB-S0012",
"display_name": "AndroidOverlayMalware - MOB-S0012",
"target": null
},
{
"id": "#Lowfi:LUA:AutoItV3CraftedOverlay",
"display_name": "#Lowfi:LUA:AutoItV3CraftedOverlay",
"target": null
},
{
"id": "Crypt3.BWVY",
"display_name": "Crypt3.BWVY",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Trojan:Win32/Floxif.E",
"display_name": "Trojan:Win32/Floxif.E",
"target": "/malware/Trojan:Win32/Floxif.E"
},
{
"id": "BlackNET",
"display_name": "BlackNET",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
},
{
"id": "VirTool:Win32/Injector.gen!BQ",
"display_name": "VirTool:Win32/Injector.gen!BQ",
"target": "/malware/VirTool:Win32/Injector.gen!BQ"
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
},
{
"id": "Dropper.Generic_r.EC",
"display_name": "Dropper.Generic_r.EC",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"target": null
},
{
"id": "ALF:Trojan:Win32/Zbot",
"display_name": "ALF:Trojan:Win32/Zbot",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
}
],
"attack_ids": [
{
"id": "T1605",
"name": "Command-Line Interface",
"display_name": "T1605 - Command-Line Interface"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1156",
"name": "Malicious Shell Modification",
"display_name": "T1156 - Malicious Shell Modification"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1583.004",
"name": "Server",
"display_name": "T1583.004 - Server"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
}
],
"industries": [
"Civil Society",
"Telecommunications",
"Technology",
"Financial"
],
"TLP": "white",
"cloned_from": null,
"export_count": 59,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6765,
"FileHash-MD5": 688,
"FileHash-SHA1": 422,
"FileHash-SHA256": 3169,
"domain": 2171,
"hostname": 1714,
"email": 11,
"CVE": 2,
"CIDR": 2
},
"indicator_count": 14944,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 231,
"modified_text": "743 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e863bebbf95e0dc5a4169a",
"name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack expected",
"description": "Network compromised updated Apple device was directed (303) to a server. This is one of several botnets found. onthewifi \u2206 {Win32:BotX-gen\\ [Trj]} \u2022 Injection process | Password bypass. Studies targets behavior | Checks for other devices | Glupteba: \n Glupteba is a trojan-type program, malicious software that installs other programs of this type. Cyber criminals can perform a number of actions of a malicious hacker's choice on your device.",
"modified": "2024-04-05T12:00:46.637000",
"created": "2024-03-06T12:38:22.052000",
"tags": [
"referrer",
"tsara brashears",
"password bypass",
"apple phone",
"unlocker",
"shell code",
"script",
"pe resource",
"execution",
"sneaky server",
"emotet",
"android",
"download",
"malware",
"relic",
"monitoring",
"installer",
"formbook",
"urls",
"contacted",
"win32 exe",
"parents",
"type name",
"msrsaapp",
"files",
"file type",
"kb file",
"b file",
"graph",
"pe32 executable",
"ms windows",
"intel",
"generic cil",
"executable",
"mono",
"win32 dynamic",
"link library",
"win16 ne",
"samplename",
"samplepath",
"jays youtube",
"rticon neutral",
"details",
"header intel",
"name md5",
"type",
"language",
"contained",
"ico rtgroupicon",
"neutral",
"net technology",
"corporation",
"domains",
"markmonitor inc",
"malicious",
"cnc",
"network",
"bypass password",
"network probe",
"dns query",
"as20940",
"united",
"aaaa",
"search",
"showing",
"date",
"passive dns",
"registrar",
"unknown",
"encrypt",
"next",
"domain",
"emails",
"name servers",
"as199524",
"record value",
"rst seen",
"last seen",
"asn country",
"cname",
"as15169 google",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files ip",
"as4788",
"address",
"pulses",
"win32",
"entries",
"dadjoke",
"ms defender",
"united kingdom",
"germany unknown",
"as46606",
"as14061",
"servers",
"as12576 ee",
"russia unknown",
"as3320 deutsche",
"gamaredon",
"armageddon",
"as8068",
"script urls",
"for privacy",
"script domains",
"certificate",
"meta",
"creation date",
"as14627",
"ipv4",
"onthewifi",
"as54113",
"trojan",
"flywheel",
"sea x",
"accept",
"ransom",
"post http",
"langserbian",
"sublangdefault",
"rticon",
"process32nextw",
"medium",
"t1055",
"high",
"ip address",
"generic",
"body",
"markus",
"june",
"copy",
"bitcoin"
],
"references": [
"FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb",
"FormBook: 45.159.189.105",
"FormBook: http://45.159.189.105/bot/regex",
"Emotet: www.youtube.com/watch?v=GyuMozsVyYs",
"Relic: bam.nr-data.net [Apple Private Data Collection]",
"capitana.onthewifi.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Win32:Cryptor",
"display_name": "Win32:Cryptor",
"target": null
},
{
"id": "Win.Virus.PolyRansom-5704625-0",
"display_name": "Win.Virus.PolyRansom-5704625-0",
"target": null
},
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.KM!MTB",
"display_name": "Trojan:Win32/Glupteba.KM!MTB",
"target": "/malware/Trojan:Win32/Glupteba.KM!MTB"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1188",
"name": "Multi-hop Proxy",
"display_name": "T1188 - Multi-hop Proxy"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 53,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 309,
"FileHash-SHA1": 307,
"FileHash-SHA256": 3084,
"URL": 3066,
"domain": 1085,
"hostname": 1709,
"CVE": 1,
"email": 7
},
"indicator_count": 9568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "744 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65ea6410c1e1b1185951ef98",
"name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack executed (Copy)",
"description": "",
"modified": "2024-04-05T12:00:46.637000",
"created": "2024-03-08T01:04:16.906000",
"tags": [
"referrer",
"tsara brashears",
"password bypass",
"apple phone",
"unlocker",
"shell code",
"script",
"pe resource",
"execution",
"sneaky server",
"emotet",
"android",
"download",
"malware",
"relic",
"monitoring",
"installer",
"formbook",
"urls",
"contacted",
"win32 exe",
"parents",
"type name",
"msrsaapp",
"files",
"file type",
"kb file",
"b file",
"graph",
"pe32 executable",
"ms windows",
"intel",
"generic cil",
"executable",
"mono",
"win32 dynamic",
"link library",
"win16 ne",
"samplename",
"samplepath",
"jays youtube",
"rticon neutral",
"details",
"header intel",
"name md5",
"type",
"language",
"contained",
"ico rtgroupicon",
"neutral",
"net technology",
"corporation",
"domains",
"markmonitor inc",
"malicious",
"cnc",
"network",
"bypass password",
"network probe",
"dns query",
"as20940",
"united",
"aaaa",
"search",
"showing",
"date",
"passive dns",
"registrar",
"unknown",
"encrypt",
"next",
"domain",
"emails",
"name servers",
"as199524",
"record value",
"rst seen",
"last seen",
"asn country",
"cname",
"as15169 google",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files ip",
"as4788",
"address",
"pulses",
"win32",
"entries",
"dadjoke",
"ms defender",
"united kingdom",
"germany unknown",
"as46606",
"as14061",
"servers",
"as12576 ee",
"russia unknown",
"as3320 deutsche",
"gamaredon",
"armageddon",
"as8068",
"script urls",
"for privacy",
"script domains",
"certificate",
"meta",
"creation date",
"as14627",
"ipv4",
"onthewifi",
"as54113",
"trojan",
"flywheel",
"sea x",
"accept",
"ransom",
"post http",
"langserbian",
"sublangdefault",
"rticon",
"process32nextw",
"medium",
"t1055",
"high",
"ip address",
"generic",
"body",
"markus",
"june",
"copy",
"bitcoin"
],
"references": [
"FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb",
"FormBook: 45.159.189.105",
"FormBook: http://45.159.189.105/bot/regex",
"Emotet: www.youtube.com/watch?v=GyuMozsVyYs",
"Relic: bam.nr-data.net [Apple Private Data Collection]",
"capitana.onthewifi.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Win32:Cryptor",
"display_name": "Win32:Cryptor",
"target": null
},
{
"id": "Win.Virus.PolyRansom-5704625-0",
"display_name": "Win.Virus.PolyRansom-5704625-0",
"target": null
},
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.KM!MTB",
"display_name": "Trojan:Win32/Glupteba.KM!MTB",
"target": "/malware/Trojan:Win32/Glupteba.KM!MTB"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1188",
"name": "Multi-hop Proxy",
"display_name": "T1188 - Multi-hop Proxy"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65e863bebbf95e0dc5a4169a",
"export_count": 47,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 309,
"FileHash-SHA1": 307,
"FileHash-SHA256": 3084,
"URL": 3066,
"domain": 1085,
"hostname": 1709,
"CVE": 1,
"email": 7
},
"indicator_count": 9568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "744 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65709a0e8c20860fea88779a",
"name": "https://surveyheart.com/form/619fb5dc68ff1721fc915f81",
"description": "",
"modified": "2023-12-06T15:58:06.293000",
"created": "2023-12-06T15:58:06.293000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3624,
"FileHash-SHA256": 1584,
"domain": 871,
"hostname": 1290,
"FileHash-MD5": 20,
"FileHash-SHA1": 20
},
"indicator_count": 7409,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://www.youtube.fr",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://www.youtube.fr",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776643575.426304
}