{ "type": "URL", "indicator": "https://www.youtube.pr", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.youtube.pr", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3841488791, "indicator": "https://www.youtube.pr", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "66994bda3e150656cd5ac9dd", "name": "Browser Session Hijacking Various MyChart Phishing Scams", "description": "Ongoing issues with medical information hijacking. Various medical corporations affected. Tracking, medical, injection process, records retrieval, botnets.", "modified": "2024-08-17T16:01:11.866000", "created": "2024-07-18T17:07:38.719000", "tags": [ "historical ssl", "referrer", "domains", "august", "phishingscams", "domains part", "domain tracker", "roundup", "new problems", "privacy badger", "startpage", "self", "httponly", "samesitenone", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "pragma", "mychartlocale", "urls", "ip detections", "country", "contacted", "files", "file type", "name file", "gmbh", "cloudflare", "tucows", "ii llc", "alibaba cloud", "computing", "sample", "media t1091", "t1497 may", "mitre att", "access ta0001", "replication", "ta0004 process", "injection t1055", "defense evasion", "http requests", "get http", "request", "host", "dns resolutions", "ip traffic", "hashes", "tsara brashears", "red team", "hackers", "highly targeted", "critical risk", "cyberstalking", "apple", "apple ios", "logistics", "cyber defense", "guloader", "hacktool", "emotet", "phishing", "facebook", "malware", "hiddentear", "maze", "server", "domain status", "date", "algorithm", "google llc", "registrar abuse", "registrar", "record type", "ttl value", "aaaa", "whois lookup", "admin country", "ca creation", "dnssec", "markmonitor", "siblings", "whois lookups", "expiration date", "registrar iana", "creation date", "first", "united", "as15169 google", "cname", "status", "virtool", "cryp", "as396982 google", "search", "name servers", "win32", "remote" ], "references": [ "MyChart Phishing Scams", "exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82", "VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64-Trojan/Pakes.Exp", "display_name": "Win64-Trojan/Pakes.Exp", "target": null }, { "id": "Win64:RansomX-gen", "display_name": "Win64:RansomX-gen", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 37, "FileHash-SHA1": 33, "FileHash-SHA256": 3473, "domain": 693, "URL": 4384, "hostname": 1610, "CVE": 2, "email": 3 }, "indicator_count": 10235, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "610 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e576d419524d75af35a36e", "name": "FormBook", "description": "FormBook is an infostealer malware (malicious spyware). malicious code uses various hooks to gain access to keystrokes, screenshots, and other functions. The malware can also receive commands from its operator to steal information from browsers or download and execute other malware. As a MaaS offering, FormBook malware may be deployed by various threat actors. It's currently being use by a ,legal teams masquerading as government (might be \nlegitimate attorneys) law firm modifying and deleting front facing threats on various platforms. One firm has very poor reviews Corrupt. Others initiate malicious prosecution law suits. Social; engineering , intertwining malicious behavior.in every aspect of targets life from business banking, ancestry to aggressive match making attempts.", "modified": "2024-04-03T05:03:03.527000", "created": "2024-03-04T07:23:00.177000", "tags": [ "resolutions", "referrer", "siblings", "asn owner", "historical ssl", "contacted", "high level", "hackers", "formbook", "name verdict", "falcon sandbox", "report", "united", "registrar", "creation date", "search", "emails", "name", "name servers", "showing", "unknown", "scan endpoints", "date", "next", "root ca", "pattern match", "authority", "beginstring", "class", "mitre att", "global root", "ck id", "show technique", "ck matrix", "null", "accept", "refresh", "span", "error", "tools", "body", "look", "verify", "restart", "hybrid", "local", "click", "strings", "files files", "ssl certificate", "tsara brashears", "highly targeted", "ransomware", "dark power", "play ransomware", "malware", "core", "installer", "awful", "snatch", "metro", "service", "critical", "copy", "execution", "location united", "asn as15169", "less whois", "as15169 google", "status", "entries", "record value", "servers", "trojan", "win32", "aaaa", "worm", "passive dns", "gmt cache", "sameorigin", "all scoreblue", "ipv4", "lowfi", "domain related", "urls", "domain", "nxdomain", "hostname", "users", "yara detections", "alerts", "high", "filehash", "pulse pulses", "av detections", "ids detections", "musicmaid", "reader", "office standard", "high process", "injection t1055", "t1055", "x00x00", "icmp traffic", "injection", "hijacker", "password", "stealer", "corruption", "targeting", "172.31.13.249" ], "references": [ "gstatic.com", "Unsupported/Fake Windows NT Version 5.0", "Login privileges", "172.31.13.249" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Dorv.B!rfn", "display_name": "Trojan:Win32/Dorv.B!rfn", "target": "/malware/Trojan:Win32/Dorv.B!rfn" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "PWS:MSIL/Dcstl.GD!MTB", "display_name": "PWS:MSIL/Dcstl.GD!MTB", "target": "/malware/PWS:MSIL/Dcstl.GD!MTB" }, { "id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "target": null }, { "id": "Win32:MalwareX-gen\\ [Trj]", "display_name": "Win32:MalwareX-gen\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1002", "name": "Data Compressed", "display_name": "T1002 - Data Compressed" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3117, "FileHash-MD5": 280, "FileHash-SHA1": 286, "FileHash-SHA256": 3773, "domain": 1264, "hostname": 1595, "email": 6, "CVE": 5 }, "indicator_count": 10326, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "747 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e57f32581a900dfb272d05", "name": "FormBook | 172.31.13.249", "description": "", "modified": "2024-04-03T05:03:03.527000", "created": "2024-03-04T07:58:42.074000", "tags": [ "resolutions", "referrer", "siblings", "asn owner", "historical ssl", "contacted", "high level", "hackers", "formbook", "name verdict", "falcon sandbox", "report", "united", "registrar", "creation date", "search", "emails", "name", "name servers", "showing", "unknown", "scan endpoints", "date", "next", "root ca", "pattern match", "authority", "beginstring", "class", "mitre att", "global root", "ck id", "show technique", "ck matrix", "null", "accept", "refresh", "span", "error", "tools", "body", "look", "verify", "restart", "hybrid", "local", "click", "strings", "files files", "ssl certificate", "tsara brashears", "highly targeted", "ransomware", "dark power", "play ransomware", "malware", "core", "installer", "awful", "snatch", "metro", "service", "critical", "copy", "execution", "location united", "asn as15169", "less whois", "as15169 google", "status", "entries", "record value", "servers", "trojan", "win32", "aaaa", "worm", "passive dns", "gmt cache", "sameorigin", "all scoreblue", "ipv4", "lowfi", "domain related", "urls", "domain", "nxdomain", "hostname", "users", "yara detections", "alerts", "high", "filehash", "pulse pulses", "av detections", "ids detections", "musicmaid", "reader", "office standard", "high process", "injection t1055", "t1055", "x00x00", "icmp traffic", "injection", "hijacker", "password", "stealer", "corruption", "targeting", "172.31.13.249" ], "references": [ "gstatic.com", "Unsupported/Fake Windows NT Version 5.0", "Login privileges", "172.31.13.249" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Dorv.B!rfn", "display_name": "Trojan:Win32/Dorv.B!rfn", "target": "/malware/Trojan:Win32/Dorv.B!rfn" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "PWS:MSIL/Dcstl.GD!MTB", "display_name": "PWS:MSIL/Dcstl.GD!MTB", "target": "/malware/PWS:MSIL/Dcstl.GD!MTB" }, { "id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "target": null }, { "id": "Win32:MalwareX-gen\\ [Trj]", "display_name": "Win32:MalwareX-gen\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1002", "name": "Data Compressed", "display_name": "T1002 - Data Compressed" } ], "industries": [], "TLP": "white", "cloned_from": "65e576d419524d75af35a36e", "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3117, "FileHash-MD5": 280, "FileHash-SHA1": 286, "FileHash-SHA256": 3773, "domain": 1264, "hostname": 1595, "email": 6, "CVE": 5 }, "indicator_count": 10326, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "747 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82", "VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]", "Login privileges", "172.31.13.249", "Unsupported/Fake Windows NT Version 5.0", "gstatic.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "MyChart Phishing Scams" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Pws:msil/dcstl.gd!mtb", "Win64-trojan/pakes.exp", "Trojan:win32/antavmu.d", "Worm:win32/mofksys.rnd!mtb", "Win64:ransomx-gen", "Win32:malwarex-gen\\ [trj]", "Trojan:win32/dorv.b!rfn", "Formbook", "Trojan:win32/qqpass", "#lowfi:hstr:msil/possibledownloader.s01", "Trojan:win32/zombie.a" ], "industries": [ "Healthcare", "Technology" ], "unique_indicators": 19826 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/youtube.pr", "whois": "http://whois.domaintools.com/youtube.pr", "domain": "youtube.pr", "hostname": "www.youtube.pr" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "66994bda3e150656cd5ac9dd", "name": "Browser Session Hijacking Various MyChart Phishing Scams", "description": "Ongoing issues with medical information hijacking. Various medical corporations affected. Tracking, medical, injection process, records retrieval, botnets.", "modified": "2024-08-17T16:01:11.866000", "created": "2024-07-18T17:07:38.719000", "tags": [ "historical ssl", "referrer", "domains", "august", "phishingscams", "domains part", "domain tracker", "roundup", "new problems", "privacy badger", "startpage", "self", "httponly", "samesitenone", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "pragma", "mychartlocale", "urls", "ip detections", "country", "contacted", "files", "file type", "name file", "gmbh", "cloudflare", "tucows", "ii llc", "alibaba cloud", "computing", "sample", "media t1091", "t1497 may", "mitre att", "access ta0001", "replication", "ta0004 process", "injection t1055", "defense evasion", "http requests", "get http", "request", "host", "dns resolutions", "ip traffic", "hashes", "tsara brashears", "red team", "hackers", "highly targeted", "critical risk", "cyberstalking", "apple", "apple ios", "logistics", "cyber defense", "guloader", "hacktool", "emotet", "phishing", "facebook", "malware", "hiddentear", "maze", "server", "domain status", "date", "algorithm", "google llc", "registrar abuse", "registrar", "record type", "ttl value", "aaaa", "whois lookup", "admin country", "ca creation", "dnssec", "markmonitor", "siblings", "whois lookups", "expiration date", "registrar iana", "creation date", "first", "united", "as15169 google", "cname", "status", "virtool", "cryp", "as396982 google", "search", "name servers", "win32", "remote" ], "references": [ "MyChart Phishing Scams", "exploit_source IP's: 20.99.186.246 , 40.126.24.147 , 40.126.24.149 , 40.126.24.81 , 40.126.24.82", "VirTool:Win32/Obfuscator: 0.googleusercontent.com [hacking]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttp://45.159.189.105/bot/regex |\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64-Trojan/Pakes.Exp", "display_name": "Win64-Trojan/Pakes.Exp", "target": null }, { "id": "Win64:RansomX-gen", "display_name": "Win64:RansomX-gen", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 37, "FileHash-SHA1": 33, "FileHash-SHA256": 3473, "domain": 693, "URL": 4384, "hostname": 1610, "CVE": 2, "email": 3 }, "indicator_count": 10235, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "610 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e576d419524d75af35a36e", "name": "FormBook", "description": "FormBook is an infostealer malware (malicious spyware). malicious code uses various hooks to gain access to keystrokes, screenshots, and other functions. The malware can also receive commands from its operator to steal information from browsers or download and execute other malware. As a MaaS offering, FormBook malware may be deployed by various threat actors. It's currently being use by a ,legal teams masquerading as government (might be \nlegitimate attorneys) law firm modifying and deleting front facing threats on various platforms. One firm has very poor reviews Corrupt. Others initiate malicious prosecution law suits. Social; engineering , intertwining malicious behavior.in every aspect of targets life from business banking, ancestry to aggressive match making attempts.", "modified": "2024-04-03T05:03:03.527000", "created": "2024-03-04T07:23:00.177000", "tags": [ "resolutions", "referrer", "siblings", "asn owner", "historical ssl", "contacted", "high level", "hackers", "formbook", "name verdict", "falcon sandbox", "report", "united", "registrar", "creation date", "search", "emails", "name", "name servers", "showing", "unknown", "scan endpoints", "date", "next", "root ca", "pattern match", "authority", "beginstring", "class", "mitre att", "global root", "ck id", "show technique", "ck matrix", "null", "accept", "refresh", "span", "error", "tools", "body", "look", "verify", "restart", "hybrid", "local", "click", "strings", "files files", "ssl certificate", "tsara brashears", "highly targeted", "ransomware", "dark power", "play ransomware", "malware", "core", "installer", "awful", "snatch", "metro", "service", "critical", "copy", "execution", "location united", "asn as15169", "less whois", "as15169 google", "status", "entries", "record value", "servers", "trojan", "win32", "aaaa", "worm", "passive dns", "gmt cache", "sameorigin", "all scoreblue", "ipv4", "lowfi", "domain related", "urls", "domain", "nxdomain", "hostname", "users", "yara detections", "alerts", "high", "filehash", "pulse pulses", "av detections", "ids detections", "musicmaid", "reader", "office standard", "high process", "injection t1055", "t1055", "x00x00", "icmp traffic", "injection", "hijacker", "password", "stealer", "corruption", "targeting", "172.31.13.249" ], "references": [ "gstatic.com", "Unsupported/Fake Windows NT Version 5.0", "Login privileges", "172.31.13.249" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Dorv.B!rfn", "display_name": "Trojan:Win32/Dorv.B!rfn", "target": "/malware/Trojan:Win32/Dorv.B!rfn" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "PWS:MSIL/Dcstl.GD!MTB", "display_name": "PWS:MSIL/Dcstl.GD!MTB", "target": "/malware/PWS:MSIL/Dcstl.GD!MTB" }, { "id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "target": null }, { "id": "Win32:MalwareX-gen\\ [Trj]", "display_name": "Win32:MalwareX-gen\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1002", "name": "Data Compressed", "display_name": "T1002 - Data Compressed" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3117, "FileHash-MD5": 280, "FileHash-SHA1": 286, "FileHash-SHA256": 3773, "domain": 1264, "hostname": 1595, "email": 6, "CVE": 5 }, "indicator_count": 10326, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "747 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e57f32581a900dfb272d05", "name": "FormBook | 172.31.13.249", "description": "", "modified": "2024-04-03T05:03:03.527000", "created": "2024-03-04T07:58:42.074000", "tags": [ "resolutions", "referrer", "siblings", "asn owner", "historical ssl", "contacted", "high level", "hackers", "formbook", "name verdict", "falcon sandbox", "report", "united", "registrar", "creation date", "search", "emails", "name", "name servers", "showing", "unknown", "scan endpoints", "date", "next", "root ca", "pattern match", "authority", "beginstring", "class", "mitre att", "global root", "ck id", "show technique", "ck matrix", "null", "accept", "refresh", "span", "error", "tools", "body", "look", "verify", "restart", "hybrid", "local", "click", "strings", "files files", "ssl certificate", "tsara brashears", "highly targeted", "ransomware", "dark power", "play ransomware", "malware", "core", "installer", "awful", "snatch", "metro", "service", "critical", "copy", "execution", "location united", "asn as15169", "less whois", "as15169 google", "status", "entries", "record value", "servers", "trojan", "win32", "aaaa", "worm", "passive dns", "gmt cache", "sameorigin", "all scoreblue", "ipv4", "lowfi", "domain related", "urls", "domain", "nxdomain", "hostname", "users", "yara detections", "alerts", "high", "filehash", "pulse pulses", "av detections", "ids detections", "musicmaid", "reader", "office standard", "high process", "injection t1055", "t1055", "x00x00", "icmp traffic", "injection", "hijacker", "password", "stealer", "corruption", "targeting", "172.31.13.249" ], "references": [ "gstatic.com", "Unsupported/Fake Windows NT Version 5.0", "Login privileges", "172.31.13.249" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Dorv.B!rfn", "display_name": "Trojan:Win32/Dorv.B!rfn", "target": "/malware/Trojan:Win32/Dorv.B!rfn" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Antavmu.D", "display_name": "Trojan:Win32/Antavmu.D", "target": "/malware/Trojan:Win32/Antavmu.D" }, { "id": "PWS:MSIL/Dcstl.GD!MTB", "display_name": "PWS:MSIL/Dcstl.GD!MTB", "target": "/malware/PWS:MSIL/Dcstl.GD!MTB" }, { "id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01", "target": null }, { "id": "Win32:MalwareX-gen\\ [Trj]", "display_name": "Win32:MalwareX-gen\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1002", "name": "Data Compressed", "display_name": "T1002 - Data Compressed" } ], "industries": [], "TLP": "white", "cloned_from": "65e576d419524d75af35a36e", "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3117, "FileHash-MD5": 280, "FileHash-SHA1": 286, "FileHash-SHA256": 3773, "domain": 1264, "hostname": 1595, "email": 6, "CVE": 5 }, "indicator_count": 10326, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "747 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.youtube.pr", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.youtube.pr", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776661436.010568 }