{
"type": "URL",
"indicator": "https://www.youtube.sa",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://www.youtube.sa",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3756229800,
"indicator": "https://www.youtube.sa",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 12,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "97 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68eff833ed84ceaf611521d2",
"name": "Tucker Carlson | AutInject \u2022 Zbot \u2022 CoinMiner \u2022 Zombie \u2022 Qbot affects his YouTube Channel (9.14.2025) ",
"description": "",
"modified": "2025-10-15T19:38:27.739000",
"created": "2025-10-15T19:38:27.739000",
"tags": [
"resolved ips",
"parent pid",
"full path",
"command line",
"cname",
"ip address",
"port",
"involved direct",
"country name",
"nxdomain",
"tcp connections",
"udp connections",
"data",
"datacrashpad",
"edge",
"passive dns",
"origin trial",
"gmt cache",
"sameorigin",
"443 ma2592000",
"ipv4 add",
"files",
"title",
"date",
"found",
"gmt content",
"hostname",
"verdict",
"error",
"code",
"present aug",
"present sep",
"aaaa",
"search",
"domain",
"present apr",
"present jun",
"address google",
"safe browsing",
"present oct",
"match info",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"match medium",
"icmp traffic",
"port t1571",
"info",
"c0002 wininet",
"flag",
"markmonitor",
"domain address",
"contacted hosts",
"process details",
"size",
"iend ihdridatx",
"qrmf",
"qkdi",
"qiyay",
"kjtn8",
"r0x3",
"ihdridatx",
"yg6qp",
"kkrz",
"t6 ex",
"click",
"windir",
"openurl c",
"prefetch2",
"data upload",
"extraction",
"failed",
"please",
"your browser",
"learn",
"opera mozilla",
"firefox google",
"chrome remind",
"privacy policy",
"safety",
"google llc",
"youtube",
"mozilla firefox",
"safari google",
"edge opera",
"browse youtube",
"file",
"indicator",
"pattern match",
"ascii text",
"ck id",
"ck matrix",
"href",
"general",
"local",
"path",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"t1590 gather",
"victim network",
"files domain",
"files related",
"related tags",
"registrar",
"files ip",
"asn as15169",
"address domain",
"ip whois",
"service address",
"po box",
"city hayes",
"country gb",
"dnssec",
"domain name",
"emails",
"script urls",
"a domains",
"texas flyover",
"script domains",
"script script",
"trojan",
"meta",
"window",
"msie",
"chrome",
"twitter",
"unknown aaaa",
"record value",
"content type",
"united states",
"dynamicloader",
"medium",
"write c",
"high",
"show",
"digicert",
"olet",
"encrypt",
"win64",
"responder",
"write",
"next",
"unknown",
"install",
"dummy",
"entries",
"displayname",
"windows",
"united",
"tofsee",
"copy",
"stream",
"malware",
"hostile",
"body",
"hostile client",
"apollo",
"jaik",
"code overlap",
"sri lanka",
"pintuck sri",
"lanka",
"unknown ns",
"moved",
"buy apparal",
"win32",
"trojandropper",
"virtool",
"susp",
"ipv4",
"pulse pulses",
"urls",
"reverse dns",
"location united",
"installer"
],
"references": [
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Malware + Code Overlap",
"display_name": "Malware + Code Overlap",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Trojandownloader:Win32/Upatre",
"display_name": "Trojandownloader:Win32/Upatre",
"target": "/malware/Trojandownloader:Win32/Upatre"
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "Bancos",
"display_name": "Bancos",
"target": null
},
{
"id": "Hematite",
"display_name": "Hematite",
"target": null
},
{
"id": "Trojanspy:Win32/Banker.LY",
"display_name": "Trojanspy:Win32/Banker.LY",
"target": "/malware/Trojanspy:Win32/Banker.LY"
},
{
"id": "Trojan:Win32/Vflooder!rfn",
"display_name": "Trojan:Win32/Vflooder!rfn",
"target": "/malware/Trojan:Win32/Vflooder!rfn"
},
{
"id": "Win32:MalwareX",
"display_name": "Win32:MalwareX",
"target": null
},
{
"id": "Malwarex",
"display_name": "Malwarex",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.AKZ!bit",
"display_name": "Virtool:Win32/CeeInject.AKZ!bit",
"target": "/malware/Virtool:Win32/CeeInject.AKZ!bit"
},
{
"id": "Win32:Dropper",
"display_name": "Win32:Dropper",
"target": null
},
{
"id": "Ymacco",
"display_name": "Ymacco",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Trojandownloader:Win32/Upatre.A",
"display_name": "Trojandownloader:Win32/Upatre.A",
"target": "/malware/Trojandownloader:Win32/Upatre.A"
},
{
"id": "Win32:Evo",
"display_name": "Win32:Evo",
"target": null
},
{
"id": "Trojandropper:Win32/BcryptInject.B!MSR",
"display_name": "Trojandropper:Win32/BcryptInject.B!MSR",
"target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": "Win32:Cleaman-K\\ [Trj]",
"display_name": "Win32:Cleaman-K\\ [Trj]",
"target": null
},
{
"id": "Asacky",
"display_name": "Asacky",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!dha",
"display_name": "Backdoor:Win32/Plugx.N!dha",
"target": "/malware/Backdoor:Win32/Plugx.N!dha"
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Media"
],
"TLP": "white",
"cloned_from": "68c73fbd85dfbb4d41006ad1",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4746,
"hostname": 1829,
"domain": 913,
"FileHash-MD5": 249,
"FileHash-SHA1": 213,
"FileHash-SHA256": 1765,
"email": 3,
"SSLCertFingerprint": 17
},
"indicator_count": 9735,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "186 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68c73fbd85dfbb4d41006ad1",
"name": "Tucker Carlson Sam Altman YouTube Interview \u2022 Qbot | Malware with. Code Overlap",
"description": "Maybe it\u2019s a network issue. The TV I viewed interview from is in Arabic the every time. It\u2019s not\nmy\ntelevision or network, didn\u2019t get link from a logged in YouTube. Not a subscriber.. I viewed using (cc) close captioning. It\u2019s the only program n YouTube using another language for this interview. The only reason I\u2019ve visited this interview several time\u2019s since it\u2019s aired is to check for the same results. Every time only this interview uses another language for (cc).\n\nThere are related pulses by a few different users, experiencing similar personal issues. I\u2019d assume I\u2019d always get these results. Unclear\n\n* At the end of interview Tucker Carlson states YouTube is trying to suppress or delete this one interview.",
"modified": "2025-10-14T22:26:18.109000",
"created": "2025-09-14T22:20:45.617000",
"tags": [
"resolved ips",
"parent pid",
"full path",
"command line",
"cname",
"ip address",
"port",
"involved direct",
"country name",
"nxdomain",
"tcp connections",
"udp connections",
"data",
"datacrashpad",
"edge",
"passive dns",
"origin trial",
"gmt cache",
"sameorigin",
"443 ma2592000",
"ipv4 add",
"files",
"title",
"date",
"found",
"gmt content",
"hostname",
"verdict",
"error",
"code",
"present aug",
"present sep",
"aaaa",
"search",
"domain",
"present apr",
"present jun",
"address google",
"safe browsing",
"present oct",
"match info",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"match medium",
"icmp traffic",
"port t1571",
"info",
"c0002 wininet",
"flag",
"markmonitor",
"domain address",
"contacted hosts",
"process details",
"size",
"iend ihdridatx",
"qrmf",
"qkdi",
"qiyay",
"kjtn8",
"r0x3",
"ihdridatx",
"yg6qp",
"kkrz",
"t6 ex",
"click",
"windir",
"openurl c",
"prefetch2",
"data upload",
"extraction",
"failed",
"please",
"your browser",
"learn",
"opera mozilla",
"firefox google",
"chrome remind",
"privacy policy",
"safety",
"google llc",
"youtube",
"mozilla firefox",
"safari google",
"edge opera",
"browse youtube",
"file",
"indicator",
"pattern match",
"ascii text",
"ck id",
"ck matrix",
"href",
"general",
"local",
"path",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"t1590 gather",
"victim network",
"files domain",
"files related",
"related tags",
"registrar",
"files ip",
"asn as15169",
"address domain",
"ip whois",
"service address",
"po box",
"city hayes",
"country gb",
"dnssec",
"domain name",
"emails",
"script urls",
"a domains",
"texas flyover",
"script domains",
"script script",
"trojan",
"meta",
"window",
"msie",
"chrome",
"twitter",
"unknown aaaa",
"record value",
"content type",
"united states",
"dynamicloader",
"medium",
"write c",
"high",
"show",
"digicert",
"olet",
"encrypt",
"win64",
"responder",
"write",
"next",
"unknown",
"install",
"dummy",
"entries",
"displayname",
"windows",
"united",
"tofsee",
"copy",
"stream",
"malware",
"hostile",
"body",
"hostile client",
"apollo",
"jaik",
"code overlap",
"sri lanka",
"pintuck sri",
"lanka",
"unknown ns",
"moved",
"buy apparal",
"win32",
"trojandropper",
"virtool",
"susp",
"ipv4",
"pulse pulses",
"urls",
"reverse dns",
"location united",
"installer"
],
"references": [
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Malware + Code Overlap",
"display_name": "Malware + Code Overlap",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Trojandownloader:Win32/Upatre",
"display_name": "Trojandownloader:Win32/Upatre",
"target": "/malware/Trojandownloader:Win32/Upatre"
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "Bancos",
"display_name": "Bancos",
"target": null
},
{
"id": "Hematite",
"display_name": "Hematite",
"target": null
},
{
"id": "Trojanspy:Win32/Banker.LY",
"display_name": "Trojanspy:Win32/Banker.LY",
"target": "/malware/Trojanspy:Win32/Banker.LY"
},
{
"id": "Trojan:Win32/Vflooder!rfn",
"display_name": "Trojan:Win32/Vflooder!rfn",
"target": "/malware/Trojan:Win32/Vflooder!rfn"
},
{
"id": "Win32:MalwareX",
"display_name": "Win32:MalwareX",
"target": null
},
{
"id": "Malwarex",
"display_name": "Malwarex",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.AKZ!bit",
"display_name": "Virtool:Win32/CeeInject.AKZ!bit",
"target": "/malware/Virtool:Win32/CeeInject.AKZ!bit"
},
{
"id": "Win32:Dropper",
"display_name": "Win32:Dropper",
"target": null
},
{
"id": "Ymacco",
"display_name": "Ymacco",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Trojandownloader:Win32/Upatre.A",
"display_name": "Trojandownloader:Win32/Upatre.A",
"target": "/malware/Trojandownloader:Win32/Upatre.A"
},
{
"id": "Win32:Evo",
"display_name": "Win32:Evo",
"target": null
},
{
"id": "Trojandropper:Win32/BcryptInject.B!MSR",
"display_name": "Trojandropper:Win32/BcryptInject.B!MSR",
"target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": "Win32:Cleaman-K\\ [Trj]",
"display_name": "Win32:Cleaman-K\\ [Trj]",
"target": null
},
{
"id": "Asacky",
"display_name": "Asacky",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!dha",
"display_name": "Backdoor:Win32/Plugx.N!dha",
"target": "/malware/Backdoor:Win32/Plugx.N!dha"
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4746,
"hostname": 1829,
"domain": 913,
"FileHash-MD5": 249,
"FileHash-SHA1": 213,
"FileHash-SHA256": 1765,
"email": 3,
"SSLCertFingerprint": 17
},
"indicator_count": 9735,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "187 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6695e27f356a22d97fba5ca8",
"name": "Critical attack/s continues to affect YouTube Creator/s account/s",
"description": "Related to YouTube creator/s attack/s. Found as part of Jays Youtube Bot.exe and YouTube bots.\nFull CnC, access and id devices. Redirects views, resells. spoofs, binds and/or accounts. FRAUD! \nReference: YARA Signature Match - THOR APT Scanner\nRULE: SUSP_Wextract_Anomaly_Unsigned_May23\nRULE_SET: Livehunt - Suspicious290 Indicators \ud83c\udff9\nRULE_TYPE: THOR APT Scanner's rule set only \ud83d\udd28\nRULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_Wextract_Anomaly_Unsigned_May23\nDESCRIPTION: Detects an anomalous unsigned wextract that contains additional code and has been seen abused to deliver malware\nREFERENCE: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/deconstructing-amadeys-latest-multi-stage-attack-and-malware-distribution/\nRULE_AUTHOR: X__Junior\nThor for details #susp_wextract_anomaly_unsigned_may23",
"modified": "2024-08-15T02:00:24.886000",
"created": "2024-07-16T03:01:17.316000",
"tags": [
"win32 exe",
"wextract",
"kb file",
"files",
"file type",
"javascript",
"graph",
"ip detections",
"country",
"userprofile",
"runtime modules",
"samplepath",
"delnoderundll32",
"mpgph131 hr",
"hourly rl",
"highest c",
"mpgph131 lg",
"onlogon rl",
"highest",
"process",
"registrya",
"registry keys",
"registry",
"windows policy",
"shell folders",
"file execution",
"binary data",
"security center",
"text c",
"peexe c",
"xml c",
"zip c",
"file system",
"written c",
"dropped",
"hashes",
"windows nt",
"wow64",
"referer https",
"date thu",
"get https",
"request",
"gecko response",
"gmt connection",
"gmt vary",
"etag",
"accept",
"win64",
"query",
"windows get",
"internal",
"set file",
"create",
"create process",
"windows read",
"shutdown system",
"modify access",
"delete registry",
"enumerate",
"behavior tags",
"k0pmbc",
"spsfsb",
"ctsu",
"efq78c",
"egw7od",
"en3i8d",
"i6ydgd",
"iz1fbc",
"izt63",
"kum7z",
"vs2003",
"sp1 build",
"contained",
"info compiler",
"products",
"header intel",
"name md5",
"type",
"language",
"simplified",
"army",
"variant sides",
"with russia",
"ramnit",
"netsupport rat",
"sneaky server",
"replacement",
"unauthorized",
"sim unlock",
"emotet",
"chaos",
"malicious",
"critical",
"copy",
"life",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 compiler",
"cc linker",
"urls",
"gandi sas",
"domains",
"cloudflare",
"ii llc",
"psiusa",
"domain robot",
"ltd dba",
"com laude",
"ascio",
"contacted",
"ms word",
"document",
"b file",
"html",
"javascript jac",
"html iu3",
"executed by usa",
"#wextract",
"#unsigned",
"thor",
"stealer",
"evader",
"systemroot",
"grum",
"high",
"delete c",
"cape",
"write",
"103 read",
"clsid read",
"date read",
"trojan",
"united",
"unknown",
"status",
"cname",
"creation date",
"search",
"as1921",
"austria unknown",
"emails",
"expiration date",
"date",
"pragma",
"next",
"passive dns",
"backdoor",
"win32",
"scan endpoints",
"all scoreblue",
"ipv4",
"usa",
"co",
"teams",
"cybercrime",
"spoof",
"benjamin",
"dynamicloader",
"write c",
"pe32 executable",
"show",
"yara rule",
"windows",
"recon",
"worm",
"powershell",
"june",
"delphi",
"malware",
"malice",
"retaliation",
"through the nights",
"apple",
"lenovo",
"ios",
"hackers",
"move",
"moved"
],
"references": [
"WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4",
"MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com",
"CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
"Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)",
"^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^",
"CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan",
"CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)",
"CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)",
"CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)",
"CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)",
"CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data",
"CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)",
"CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)",
"CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)",
"CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent",
"CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet",
"CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected",
"TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d",
"Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly",
"Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com",
"Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)",
"Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected",
"Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered",
"Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645",
"Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,",
"IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI",
"https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection",
"Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042",
"https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2",
"https://www.youtube.com/watch?v=GyuMozsVyYs",
"Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"",
"https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004",
"http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&",
"https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr",
"nr-data.net [Apple Private Data Collection]",
"https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic",
"https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "WAT:Blacked-E",
"display_name": "WAT:Blacked-E",
"target": null
},
{
"id": "Win32:RmnDrp [Inf]",
"display_name": "Win32:RmnDrp [Inf]",
"target": null
},
{
"id": "AI:FileInfector.EAEEA7850C",
"display_name": "AI:FileInfector.EAEEA7850C",
"target": null
},
{
"id": "Virus.Ramnit/Nimnul",
"display_name": "Virus.Ramnit/Nimnul",
"target": null
},
{
"id": "Trojan.Crifi.1",
"display_name": "Trojan.Crifi.1",
"target": null
},
{
"id": "Trojan.MSIL.Injurer.cbd",
"display_name": "Trojan.MSIL.Injurer.cbd",
"target": null
},
{
"id": "Win.Downloader.Small-1645",
"display_name": "Win.Downloader.Small-1645",
"target": null
},
{
"id": "Trojan:Win32/Scrarev.C",
"display_name": "Trojan:Win32/Scrarev.C",
"target": "/malware/Trojan:Win32/Scrarev.C"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/Speesipro.A",
"display_name": "Trojan:Win32/Speesipro.A",
"target": "/malware/Trojan:Win32/Speesipro.A"
},
{
"id": "Virus:Win32/Sality.AT",
"display_name": "Virus:Win32/Sality.AT",
"target": "/malware/Virus:Win32/Sality.AT"
},
{
"id": "TrojanDownloader:Win32/Upatre",
"display_name": "TrojanDownloader:Win32/Upatre",
"target": "/malware/TrojanDownloader:Win32/Upatre"
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "TrojanDownloader:Win32/Nemucod",
"display_name": "TrojanDownloader:Win32/Nemucod",
"target": "/malware/TrojanDownloader:Win32/Nemucod"
},
{
"id": "PWS:Win32/QQpass.B!MTB",
"display_name": "PWS:Win32/QQpass.B!MTB",
"target": "/malware/PWS:Win32/QQpass.B!MTB"
},
{
"id": "Backdoor:Win32/Likseput.B",
"display_name": "Backdoor:Win32/Likseput.B",
"target": "/malware/Backdoor:Win32/Likseput.B"
},
{
"id": "Worm:Win32/Benjamin",
"display_name": "Worm:Win32/Benjamin",
"target": "/malware/Worm:Win32/Benjamin"
},
{
"id": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer",
"display_name": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1588",
"name": "Obtain Capabilities",
"display_name": "T1588 - Obtain Capabilities"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1134.004",
"name": "Parent PID Spoofing",
"display_name": "T1134.004 - Parent PID Spoofing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1003.007",
"name": "Proc Filesystem",
"display_name": "T1003.007 - Proc Filesystem"
},
{
"id": "T1042",
"name": "Change Default File Association",
"display_name": "T1042 - Change Default File Association"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Media",
"Technology",
"Civil Society",
"Crime Victims"
],
"TLP": "green",
"cloned_from": null,
"export_count": 30,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4312,
"domain": 1056,
"hostname": 1818,
"URL": 5125,
"FileHash-MD5": 310,
"FileHash-SHA1": 221,
"email": 3
},
"indicator_count": 12845,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "613 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6694bb9be1b61bf820500004",
"name": "YouTube Creator Cyber Attacks | Jays Youtube Bot.exe | YT Botnet",
"description": "YouTube Creator account attacks. Critical alerts, botnets, YT bots. I cannot adequately describe attack right now. Retaliation for targets YT channel Song Culture stems from retaliation shortly after a crime against target. Id be interested to learn more. An ITC Intercepter records traffic passed through Song Culture YouTube channel m redirects to other channels. Not reflected in the 1.5 million followers or the 3.2 million views. They just stopped. Then managing director was notified as all of Song Cultures social media Twitter, Instagram, Pinterest succumbed to Emotet attack. Social engineering did occur. Several parties. Alleged eBay , health insurance representatives, an attorney, alleged PI's music managers contacted by phone. A man from Great Britain also began an SE campaign, The strange part is following, confrontations, dangerous attacks, MIB, and other curious in person encounter, critical injuries, financial devastation has caused target to remain isolated.",
"modified": "2024-08-14T05:03:59.815000",
"created": "2024-07-15T06:03:07.423000",
"tags": [
"historical ssl",
"referrer",
"december",
"sneaky server",
"replacement",
"unauthorized",
"high level",
"hackers",
"highly targeted",
"cyber attack",
"emotet",
"critical",
"copy",
"united",
"command decode",
"suricata ipv4",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"sha1",
"name server",
"date",
"hybrid",
"general",
"click",
"strings",
"contact",
"song culture",
"tsara lynn",
"culture",
"chime sa",
"mediawarning",
"youtube twitter",
"secchuabitness",
"secchuamodel",
"secchuawow64",
"secchuaplatform",
"pragma",
"form",
"hope",
"karma",
"learn",
"suspicious",
"flag",
"pe resource",
"synaptics",
"apeaksoft ios",
"hiddentear",
"urls",
"domains",
"contacted",
"markmonitor",
"win32 exe",
"parents",
"type name",
"msrsaapp",
"youtube bot",
"rar jays",
"mozilla firefox",
"twitch",
"samplename",
"rar youtube",
"zip youtube",
"social bots",
"files",
"file type",
"kb file",
"b file",
"graph",
"get https",
"msie",
"windows nt",
"win64",
"slcc2",
"media center",
"request",
"gmt server",
"referer https",
"amd64 accept",
"accept",
"code",
"rwx memory",
"managed code",
"calls unmanaged",
"native",
"often seen",
"base64 encrypt",
"trojan",
"tsara brashears",
"red team hacking",
"process32nextw",
"regsetvalueexa",
"regdword",
"high",
"medium",
"objects",
"regbinary",
"module load",
"t1129",
"t1060",
"crash",
"dock",
"persistence",
"execution",
"okhfjrtblzo",
"ip check",
"windows",
"http host",
"controlservice",
"domain",
"registry",
"tools",
"service",
"worm",
"malware",
"win32",
"bits",
"read c",
"intel",
"ms windows",
"pe32",
"search",
"type read",
"show",
"wow64",
"stop",
"write",
"unknown",
"waiting",
"push",
"next",
"asnone united",
"aaaa",
"united kingdom",
"as20738 host",
"moved",
"passive dns",
"default",
"delete c",
"pe32 executable",
"document file",
"v2 document",
"floodfix",
"floxif",
"name servers",
"susp",
"showing",
"as55286",
"scan endpoints",
"all scoreblue",
"ransom",
"amadey",
"songculture",
"spreader",
"tracey richter",
"roberts",
"michael roberts",
"jays",
"sabey",
"rexxfield",
"darklivity"
],
"references": [
"https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe",
"https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details",
"Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042",
"Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze",
"https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection",
"m.pornsexer.xxx.3.1.adiosfil.roksit.net",
"http://freedns.afraid.org/subdomain/edit.php?data_id=21091713",
"Ransom: message.htm.com",
"Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden",
"Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho",
"Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction",
"Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception",
"Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata",
"Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create",
"Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan",
"https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd",
"Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf",
"https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1",
"FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1",
"Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H",
"IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |",
"Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates",
"Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction",
"Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser",
"Alerts: stealth_windowcreates_exe suspicious_process exe_appdata",
"http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]",
"https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg",
"https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]",
"Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297",
"http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)",
"https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Backdoor.Xtreme",
"display_name": "Backdoor.Xtreme",
"target": null
},
{
"id": "W32.AIDetectMalware.CS",
"display_name": "W32.AIDetectMalware.CS",
"target": null
},
{
"id": "Win.Virus.Pioneer-9111434-0",
"display_name": "Win.Virus.Pioneer-9111434-0",
"target": null
},
{
"id": "Virus:Win32/Floxif.H",
"display_name": "Virus:Win32/Floxif.H",
"target": "/malware/Virus:Win32/Floxif.H"
},
{
"id": "Win32:Renos-KY\\ [Trj]",
"display_name": "Win32:Renos-KY\\ [Trj]",
"target": null
},
{
"id": ", Win.Worm.Pykspa-6057105-0",
"display_name": ", Win.Worm.Pykspa-6057105-0",
"target": null
},
{
"id": "Worm:Win32/Pykspa.C",
"display_name": "Worm:Win32/Pykspa.C",
"target": "/malware/Worm:Win32/Pykspa.C"
},
{
"id": "PUP/Hacktool",
"display_name": "PUP/Hacktool",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 439,
"FileHash-SHA1": 386,
"FileHash-SHA256": 2320,
"URL": 1873,
"domain": 478,
"hostname": 839,
"SSLCertFingerprint": 9,
"email": 7
},
"indicator_count": 6351,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "614 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6692cf0e2273bb06aa43e43c",
"name": "Banker: Through The Nights - YouTube | Errors |",
"description": "YouTube creator issue. Hijacked channel. Won't open in VT, 303 error, ransomware files. Ransomware confirmed, limited access/research for today's pulse.",
"modified": "2024-08-12T18:02:56.458000",
"created": "2024-07-13T19:01:34.484000",
"tags": [
"united",
"command decode",
"suricata ipv4",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"sha1",
"name server",
"date",
"hybrid",
"general",
"click",
"strings",
"contact",
"low risk",
"domain",
"no malware",
"found",
"site",
"ip address",
"google network",
"unknown",
"low security",
"risk",
"hacked",
"protect",
"path",
"secure",
"httponly",
"secchuabitness",
"secchuamodel",
"secchuawow64",
"secchuaplatform",
"samesitenone",
"http response",
"final url",
"status code",
"body length",
"kb body",
"pragma",
"song culture",
"tsara lynn",
"culture",
"chime sa",
"mediawarning",
"youtube twitter",
"jess",
"tsara brashears",
"zafira songs",
"youtube og",
"hope",
"html info",
"meta tags",
"data",
"v3 serial",
"number",
"cus ogoogle",
"trust",
"llc cngts",
"validity",
"subject public",
"key info",
"key algorithm",
"name",
"whois lookup",
"create date",
"expiry date",
"query time",
"update date",
"update",
"passive dns",
"gmt content",
"scan endpoints",
"all scoreblue",
"hostname",
"pulse pulses",
"urls",
"files",
"related pulses",
"error",
"code",
"algorithm",
"first"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3,
"FileHash-SHA1": 3,
"FileHash-SHA256": 343,
"SSLCertFingerprint": 8,
"URL": 333,
"domain": 69,
"hostname": 165
},
"indicator_count": 924,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "615 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e863bebbf95e0dc5a4169a",
"name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack expected",
"description": "Network compromised updated Apple device was directed (303) to a server. This is one of several botnets found. onthewifi \u2206 {Win32:BotX-gen\\ [Trj]} \u2022 Injection process | Password bypass. Studies targets behavior | Checks for other devices | Glupteba: \n Glupteba is a trojan-type program, malicious software that installs other programs of this type. Cyber criminals can perform a number of actions of a malicious hacker's choice on your device.",
"modified": "2024-04-05T12:00:46.637000",
"created": "2024-03-06T12:38:22.052000",
"tags": [
"referrer",
"tsara brashears",
"password bypass",
"apple phone",
"unlocker",
"shell code",
"script",
"pe resource",
"execution",
"sneaky server",
"emotet",
"android",
"download",
"malware",
"relic",
"monitoring",
"installer",
"formbook",
"urls",
"contacted",
"win32 exe",
"parents",
"type name",
"msrsaapp",
"files",
"file type",
"kb file",
"b file",
"graph",
"pe32 executable",
"ms windows",
"intel",
"generic cil",
"executable",
"mono",
"win32 dynamic",
"link library",
"win16 ne",
"samplename",
"samplepath",
"jays youtube",
"rticon neutral",
"details",
"header intel",
"name md5",
"type",
"language",
"contained",
"ico rtgroupicon",
"neutral",
"net technology",
"corporation",
"domains",
"markmonitor inc",
"malicious",
"cnc",
"network",
"bypass password",
"network probe",
"dns query",
"as20940",
"united",
"aaaa",
"search",
"showing",
"date",
"passive dns",
"registrar",
"unknown",
"encrypt",
"next",
"domain",
"emails",
"name servers",
"as199524",
"record value",
"rst seen",
"last seen",
"asn country",
"cname",
"as15169 google",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files ip",
"as4788",
"address",
"pulses",
"win32",
"entries",
"dadjoke",
"ms defender",
"united kingdom",
"germany unknown",
"as46606",
"as14061",
"servers",
"as12576 ee",
"russia unknown",
"as3320 deutsche",
"gamaredon",
"armageddon",
"as8068",
"script urls",
"for privacy",
"script domains",
"certificate",
"meta",
"creation date",
"as14627",
"ipv4",
"onthewifi",
"as54113",
"trojan",
"flywheel",
"sea x",
"accept",
"ransom",
"post http",
"langserbian",
"sublangdefault",
"rticon",
"process32nextw",
"medium",
"t1055",
"high",
"ip address",
"generic",
"body",
"markus",
"june",
"copy",
"bitcoin"
],
"references": [
"FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb",
"FormBook: 45.159.189.105",
"FormBook: http://45.159.189.105/bot/regex",
"Emotet: www.youtube.com/watch?v=GyuMozsVyYs",
"Relic: bam.nr-data.net [Apple Private Data Collection]",
"capitana.onthewifi.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Win32:Cryptor",
"display_name": "Win32:Cryptor",
"target": null
},
{
"id": "Win.Virus.PolyRansom-5704625-0",
"display_name": "Win.Virus.PolyRansom-5704625-0",
"target": null
},
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.KM!MTB",
"display_name": "Trojan:Win32/Glupteba.KM!MTB",
"target": "/malware/Trojan:Win32/Glupteba.KM!MTB"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1188",
"name": "Multi-hop Proxy",
"display_name": "T1188 - Multi-hop Proxy"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 53,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 309,
"FileHash-SHA1": 307,
"FileHash-SHA256": 3084,
"URL": 3066,
"domain": 1085,
"hostname": 1709,
"CVE": 1,
"email": 7
},
"indicator_count": 9568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "744 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65ea6410c1e1b1185951ef98",
"name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack executed (Copy)",
"description": "",
"modified": "2024-04-05T12:00:46.637000",
"created": "2024-03-08T01:04:16.906000",
"tags": [
"referrer",
"tsara brashears",
"password bypass",
"apple phone",
"unlocker",
"shell code",
"script",
"pe resource",
"execution",
"sneaky server",
"emotet",
"android",
"download",
"malware",
"relic",
"monitoring",
"installer",
"formbook",
"urls",
"contacted",
"win32 exe",
"parents",
"type name",
"msrsaapp",
"files",
"file type",
"kb file",
"b file",
"graph",
"pe32 executable",
"ms windows",
"intel",
"generic cil",
"executable",
"mono",
"win32 dynamic",
"link library",
"win16 ne",
"samplename",
"samplepath",
"jays youtube",
"rticon neutral",
"details",
"header intel",
"name md5",
"type",
"language",
"contained",
"ico rtgroupicon",
"neutral",
"net technology",
"corporation",
"domains",
"markmonitor inc",
"malicious",
"cnc",
"network",
"bypass password",
"network probe",
"dns query",
"as20940",
"united",
"aaaa",
"search",
"showing",
"date",
"passive dns",
"registrar",
"unknown",
"encrypt",
"next",
"domain",
"emails",
"name servers",
"as199524",
"record value",
"rst seen",
"last seen",
"asn country",
"cname",
"as15169 google",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files ip",
"as4788",
"address",
"pulses",
"win32",
"entries",
"dadjoke",
"ms defender",
"united kingdom",
"germany unknown",
"as46606",
"as14061",
"servers",
"as12576 ee",
"russia unknown",
"as3320 deutsche",
"gamaredon",
"armageddon",
"as8068",
"script urls",
"for privacy",
"script domains",
"certificate",
"meta",
"creation date",
"as14627",
"ipv4",
"onthewifi",
"as54113",
"trojan",
"flywheel",
"sea x",
"accept",
"ransom",
"post http",
"langserbian",
"sublangdefault",
"rticon",
"process32nextw",
"medium",
"t1055",
"high",
"ip address",
"generic",
"body",
"markus",
"june",
"copy",
"bitcoin"
],
"references": [
"FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb",
"FormBook: 45.159.189.105",
"FormBook: http://45.159.189.105/bot/regex",
"Emotet: www.youtube.com/watch?v=GyuMozsVyYs",
"Relic: bam.nr-data.net [Apple Private Data Collection]",
"capitana.onthewifi.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Win32:Cryptor",
"display_name": "Win32:Cryptor",
"target": null
},
{
"id": "Win.Virus.PolyRansom-5704625-0",
"display_name": "Win.Virus.PolyRansom-5704625-0",
"target": null
},
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.KM!MTB",
"display_name": "Trojan:Win32/Glupteba.KM!MTB",
"target": "/malware/Trojan:Win32/Glupteba.KM!MTB"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1188",
"name": "Multi-hop Proxy",
"display_name": "T1188 - Multi-hop Proxy"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65e863bebbf95e0dc5a4169a",
"export_count": 47,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 309,
"FileHash-SHA1": 307,
"FileHash-SHA256": 3084,
"URL": 3066,
"domain": 1085,
"hostname": 1709,
"CVE": 1,
"email": 7
},
"indicator_count": 9568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "744 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65caca061fbb7674de86ec7b",
"name": "Invicta Stealer",
"description": "Invicta Stealer is equipped to steal data from most locations of a system which makes it a dangerous threat.\nLink found in https://house.mo.com",
"modified": "2024-03-14T01:01:47.115000",
"created": "2024-02-13T01:46:46.969000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"resolutions",
"communicating",
"whois whois",
"subdomains",
"referrer",
"problems",
"core",
"startpage",
"june",
"passive dns",
"urls",
"domain",
"otx telemetry",
"body",
"gmt content",
"x adblock",
"scan endpoints",
"all octoseek",
"hostname",
"date",
"encrypt",
"threat roundup",
"october",
"november",
"march",
"february",
"apple ios",
"april",
"tsara brashears",
"copy",
"hacktool",
"phishing",
"metro",
"crypto",
"installer",
"awful",
"united",
"unknown",
"germany unknown",
"search",
"servers",
"registrar",
"name servers",
"status",
"next",
"moved",
"address",
"creation date",
"showing",
"ipv4",
"pulse submit",
"url analysis",
"accept",
"aaaa",
"record type",
"ttl value",
"html document",
"ascii text",
"anchor hrefs",
"hrefs",
"anchor",
"anchor href",
"threat",
"paste",
"iocs",
"analyze",
"hostnames",
"url https",
"sample",
"server",
"code",
"registry domain",
"dnssec",
"registrar url",
"registrar whois",
"iana id",
"registrar abuse",
"tech email",
"fake update",
"utilizes new",
"idat loader",
"stealc",
"urls http",
"isadultno",
"adposbottom",
"adformatplain",
"adnetworks",
"quasar rat",
"ip detections",
"country",
"cellbrite",
"execution",
"pegasus",
"malware",
"agent tesla",
"attack",
"ukraine",
"silent",
"invicta stealer",
"redline stealer",
"orcus rat",
"files",
"germany asn",
"as196763",
"a domains",
"redacted for",
"record value",
"for privacy",
"emails",
"name",
"contacted urls",
"bundled",
"de indicators",
"domains",
"hashes",
"gmbh version",
"status page",
"service privacy",
"legal",
"impressum",
"pulse pulses",
"location united",
"open",
"cookie",
"customer",
"0 report",
"sea alt",
"certificate",
"#targeting",
"#discordwallets",
"house.mo.gov"
],
"references": [
"https://www.facebooksunglassshop.com/",
"CVE-2017-0147 \u2022 CVE-2023-4966 \u2022 CVE-2023-22518",
"https://ispy-official.com/ X Cache: Redirect from cloudfront Via: 1.1 030fe0607711293dda988e571617a9f2.cloudfront.net CloudFront X Amz Cf",
"Pop: HIO50 C1 X Amz Cf Id: Jt aBPO2nI3Nt D0E4nzqpun66btDLhJ41kQwhDASrIukoWyUOWE1w==",
"apple.com-auth.eu [Find apple] | https://applemusic-spotlight.myunidays.com/US/en-US? [compromise via apple media]",
"http://init-p01st.push.apple.com/bag [= Google.com.uy modified browser - malicious] apple.com-auth.eu \u2022 appleid.apple.com-auth.eu\u2022",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [apple media compromise. Pega behavior?]",
"all-live.secure2storeapple.xxianzi.com \u2022 https://www.symbios.pk/apple-ipod-5-32gb",
"http://m.xiang5.com/keyword/17655.html&ht=%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%8D%E8%B4%B9%E9%98%85%E8%AF%BB_%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%A8%E6%9C%AC%E6%97%A0%E5%BC%B9%E7%AA%97-%E9%A6%99%E7%BD%91%E5%B0%8F%E8%AF%B4%E6%89%8B%E6%9C%BA%E7%89%88&uaddr=https:/www.sogou.com/link?url=58p16RfDRLtDzo-0AEmfJoGs8rDRUEq4ejjohgXqBYnQGuHk6xSRXg..&h=1080&w=1920&cd=24&lg=zh-CN&ua=mozilla/5.0%20(windows%20nt%2010.0;%20win64;%20x64)%20",
"Tracking: mailtrack.io \u2022 nr-data.net \u2022 tracking.bullseyeedu.com \u2022 https://smtp.mail.pentrack.com \u2022 tracking.vetsindexes.com",
"Remote threats: http://watchhers.net/index.php \u2022 http://eye.infunvip.com/appinterface/other/login.remote",
"https://plussizedesi.com/wp-content/uploads/2022/07/SniperGhostWarrior2BlackBox_Version_Download_INSTALL.pdf",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password decryption]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 apple collection]",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"wallpapers-nature.com",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev",
"edgedl.me.gvt1.com",
"Link found in https://house.mo.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Invicta Stealer",
"display_name": "Invicta Stealer",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "Orcus RAT",
"display_name": "Orcus RAT",
"target": null
},
{
"id": "Silent",
"display_name": "Silent",
"target": null
}
],
"attack_ids": [],
"industries": [
"Government",
"Civil Society",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 65,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 153,
"FileHash-SHA1": 145,
"FileHash-SHA256": 3848,
"CVE": 3,
"URL": 8291,
"domain": 2541,
"hostname": 3034,
"email": 13
},
"indicator_count": 18028,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "767 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a581b1024ea61979da96",
"name": "Quasar - Dark Web Instagram Account | Link found | Remote Access Trojan (RAT)",
"description": "",
"modified": "2023-12-06T16:46:57.782000",
"created": "2023-12-06T16:46:57.782000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 3,
"FileHash-SHA256": 5791,
"hostname": 3255,
"domain": 2317,
"FileHash-MD5": 44,
"FileHash-SHA1": 34,
"URL": 11513
},
"indicator_count": 22957,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "650a0b7c9a6b3c5d0a2a3960",
"name": "Quasar - Dark Web Instagram Account | Link found | Remote Access Trojan (RAT)",
"description": "Link: apple.instagram.com \nQuasar is a lightweight, publicly available open-source Remote Access Trojan (RAT). Used by a variety of attackers. Typically packed to make analysis of the source demanding.\nAccount appears to have been breached, operational in dark web. Dead host.",
"modified": "2023-10-19T14:04:37.381000",
"created": "2023-09-19T20:58:36.137000",
"tags": [
"contacted",
"threat roundup",
"execution",
"ssl certificate",
"dark web",
"crypto threat",
"resolutions",
"referrer",
"stealer",
"quasar",
"asyncrat",
"error",
"social engineering",
"iPhone phishing",
"Apple phishing",
"email phishing",
"emotet",
"remote",
"attacks"
],
"references": [
"Alienvault OTX",
"Data Analysis",
"Online Research",
"WebTools"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"India"
],
"malware_families": [
{
"id": "Backdoor:MSIL/AsyncRAT",
"display_name": "Backdoor:MSIL/AsyncRAT",
"target": "/malware/Backdoor:MSIL/AsyncRAT"
},
{
"id": "Backdoor:MSIL/QuasarRat",
"display_name": "Backdoor:MSIL/QuasarRat",
"target": "/malware/Backdoor:MSIL/QuasarRat"
}
],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1548",
"name": "Abuse Elevation Control Mechanism",
"display_name": "T1548 - Abuse Elevation Control Mechanism"
}
],
"industries": [
"Media",
"Social Media",
"Technology",
"Hacking"
],
"TLP": "white",
"cloned_from": null,
"export_count": 31,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 44,
"FileHash-SHA1": 34,
"FileHash-SHA256": 5791,
"URL": 11513,
"domain": 2317,
"hostname": 3255,
"CVE": 3
},
"indicator_count": 22957,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "913 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"There is fear in silence or speaking out",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly",
"Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD",
"CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297",
"Can the DoD no questions asked target a SA victim",
"Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)",
"FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1",
"https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042",
"CVE-2017-0147 \u2022 CVE-2023-4966 \u2022 CVE-2023-22518",
"Link found in https://house.mo.com",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042",
"Tracking: mailtrack.io \u2022 nr-data.net \u2022 tracking.bullseyeedu.com \u2022 https://smtp.mail.pentrack.com \u2022 tracking.vetsindexes.com",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"Data Analysis",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"Emotet: www.youtube.com/watch?v=GyuMozsVyYs",
"https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)",
"https://www.youtube.com/watch?v=GyuMozsVyYs",
"Ransom: message.htm.com",
"CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)",
"WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [apple media compromise. Pega behavior?]",
"Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"I am very upset. Whoever is doing this is sick.",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)",
"CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize",
"FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 apple collection]",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe",
"WebTools",
"CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho",
"http://init-p01st.push.apple.com/bag [= Google.com.uy modified browser - malicious] apple.com-auth.eu \u2022 appleid.apple.com-auth.eu\u2022",
"Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)",
"Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden",
"Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"iamrobert.com Y.A.S.",
"Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)",
"http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"Online Research",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create",
"CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)",
"Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered",
"Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected",
"hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev",
"IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"apple.com-auth.eu [Find apple] | https://applemusic-spotlight.myunidays.com/US/en-US? [compromise via apple media]",
"https://plussizedesi.com/wp-content/uploads/2022/07/SniperGhostWarrior2BlackBox_Version_Download_INSTALL.pdf",
"Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,",
"Target agreed and complied with all lie detector measures.",
"CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent",
"https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27",
"http://freedns.afraid.org/subdomain/edit.php?data_id=21091713",
"Alienvault OTX",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1",
"wallpapers-nature.com",
"https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd",
"capitana.onthewifi.com",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"Relic: bam.nr-data.net [Apple Private Data Collection]",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser",
"Alerts: stealth_windowcreates_exe suspicious_process exe_appdata",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata",
"TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d",
"Pop: HIO50 C1 X Amz Cf Id: Jt aBPO2nI3Nt D0E4nzqpun66btDLhJ41kQwhDASrIukoWyUOWE1w==",
"https://meumundogay-com.sexogratis.page/locker",
"CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected",
"CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
"m.pornsexer.xxx.3.1.adiosfil.roksit.net",
"MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com",
"FormBook: http://45.159.189.105/bot/regex",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"edgedl.me.gvt1.com",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password decryption]",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction",
"nr-data.net [Apple Private Data Collection]",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)",
"Remote threats: http://watchhers.net/index.php \u2022 http://eye.infunvip.com/appinterface/other/login.remote",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"https://es.pornhat.com/models/the-sex-creator/",
"all-live.secure2storeapple.xxianzi.com \u2022 https://www.symbios.pk/apple-ipod-5-32gb",
"https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"FormBook: 45.159.189.105",
"https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004",
"https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic",
"https://ispy-official.com/ X Cache: Redirect from cloudfront Via: 1.1 030fe0607711293dda988e571617a9f2.cloudfront.net CloudFront X Amz Cf",
"Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"",
"https://www.facebooksunglassshop.com/",
"^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^",
"http://m.xiang5.com/keyword/17655.html&ht=%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%8D%E8%B4%B9%E9%98%85%E8%AF%BB_%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%A8%E6%9C%AC%E6%97%A0%E5%BC%B9%E7%AA%97-%E9%A6%99%E7%BD%91%E5%B0%8F%E8%AF%B4%E6%89%8B%E6%9C%BA%E7%89%88&uaddr=https:/www.sogou.com/link?url=58p16RfDRLtDzo-0AEmfJoGs8rDRUEq4ejjohgXqBYnQGuHk6xSRXg..&h=1080&w=1920&cd=24&lg=zh-CN&ua=mozilla/5.0%20(windows%20nt%2010.0;%20win64;%20x64)%20",
"CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)",
"https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr",
"If someone is believed to be a threat they have right to due process.",
"CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)",
"IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645",
"Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H",
"http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception",
"Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Trojandownloader:win32/cutwail.bs",
"Win32:trojan",
"Win32:rmndrp [inf]",
"Trojan:win32/speesipro.a",
"Backdoor:msil/quasarrat",
"Win.virus.pioneer-9111434-0",
"Win32:cleaman-k\\ [trj]",
"Trojan:bat/musecador",
"Quasar rat",
"Trojandownloader:win32/upatre.a",
"Trojan:win32/zombie.a",
"Win32:evo",
"Bancos",
"Trojan.crifi.1",
"Apnic",
"Hematite",
"Malware + code overlap",
"Virus.ramnit/nimnul",
"Win32:cryptor",
"Backdoor:msil/asyncrat",
"Slf:trojan:win32/grandoreiro.a",
"Win32:botx-gen\\ [trj]",
"Backdoor:win32/likseput.b",
"Hacktool",
"Worm:win32/pykspa.c",
"Win.downloader.small-1645",
"Trojandownloader:win32/upatre",
"Win.malware.jaik-9968280-0",
"Virus:win32/floxif.h",
"Win32:trojan-gen",
"Backdoor.xtreme",
"Pegasus",
"Win32:dropper",
"Upatre",
"Trojanspy:win32/banker.ly",
"Ymacco",
"W32.aidetectmalware.cs",
"Invicta stealer",
"Redline stealer",
"Silent",
"Wat:blacked-e",
"Virus:win32/sality.at",
"Malwarex",
"Orcus rat",
"Alf:heraklezeval:trojanspy:win32/socstealer",
"Trojan:win32/qbot.r!mtb",
"Pws:win32/qqpass.b!mtb",
"Trojan:win32/scrarev.c",
"Backdoor:win32/plugx.n!dha",
"Pup/hacktool",
"Malware",
"Ai:fileinfector.eaeea7850c",
"Trojandropper:win32/bcryptinject.b!msr",
"Worm:win32/benjamin",
", win.worm.pykspa-6057105-0",
"Win32:malwarex",
"Win32:renos-ky\\ [trj]",
"Trojan:win32/vflooder!rfn",
"Trojan.msil.injurer.cbd",
"Asacky",
"Trojandownloader:win32/nemucod",
"Emotet",
"Trojan:win32/glupteba.km!mtb",
"Virtool:win32/ceeinject.akz!bit",
"Win.virus.polyransom-5704625-0",
"Win32:trojanx-gen\\ [trj]"
],
"industries": [
"Hacking",
"Media",
"Crime victims",
"Government",
"Civil society",
"Technology",
"Social media"
],
"unique_indicators": 92537
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/youtube.sa",
"whois": "http://whois.domaintools.com/youtube.sa",
"domain": "youtube.sa",
"hostname": "www.youtube.sa"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 12,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "97 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68eff833ed84ceaf611521d2",
"name": "Tucker Carlson | AutInject \u2022 Zbot \u2022 CoinMiner \u2022 Zombie \u2022 Qbot affects his YouTube Channel (9.14.2025) ",
"description": "",
"modified": "2025-10-15T19:38:27.739000",
"created": "2025-10-15T19:38:27.739000",
"tags": [
"resolved ips",
"parent pid",
"full path",
"command line",
"cname",
"ip address",
"port",
"involved direct",
"country name",
"nxdomain",
"tcp connections",
"udp connections",
"data",
"datacrashpad",
"edge",
"passive dns",
"origin trial",
"gmt cache",
"sameorigin",
"443 ma2592000",
"ipv4 add",
"files",
"title",
"date",
"found",
"gmt content",
"hostname",
"verdict",
"error",
"code",
"present aug",
"present sep",
"aaaa",
"search",
"domain",
"present apr",
"present jun",
"address google",
"safe browsing",
"present oct",
"match info",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"match medium",
"icmp traffic",
"port t1571",
"info",
"c0002 wininet",
"flag",
"markmonitor",
"domain address",
"contacted hosts",
"process details",
"size",
"iend ihdridatx",
"qrmf",
"qkdi",
"qiyay",
"kjtn8",
"r0x3",
"ihdridatx",
"yg6qp",
"kkrz",
"t6 ex",
"click",
"windir",
"openurl c",
"prefetch2",
"data upload",
"extraction",
"failed",
"please",
"your browser",
"learn",
"opera mozilla",
"firefox google",
"chrome remind",
"privacy policy",
"safety",
"google llc",
"youtube",
"mozilla firefox",
"safari google",
"edge opera",
"browse youtube",
"file",
"indicator",
"pattern match",
"ascii text",
"ck id",
"ck matrix",
"href",
"general",
"local",
"path",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"t1590 gather",
"victim network",
"files domain",
"files related",
"related tags",
"registrar",
"files ip",
"asn as15169",
"address domain",
"ip whois",
"service address",
"po box",
"city hayes",
"country gb",
"dnssec",
"domain name",
"emails",
"script urls",
"a domains",
"texas flyover",
"script domains",
"script script",
"trojan",
"meta",
"window",
"msie",
"chrome",
"twitter",
"unknown aaaa",
"record value",
"content type",
"united states",
"dynamicloader",
"medium",
"write c",
"high",
"show",
"digicert",
"olet",
"encrypt",
"win64",
"responder",
"write",
"next",
"unknown",
"install",
"dummy",
"entries",
"displayname",
"windows",
"united",
"tofsee",
"copy",
"stream",
"malware",
"hostile",
"body",
"hostile client",
"apollo",
"jaik",
"code overlap",
"sri lanka",
"pintuck sri",
"lanka",
"unknown ns",
"moved",
"buy apparal",
"win32",
"trojandropper",
"virtool",
"susp",
"ipv4",
"pulse pulses",
"urls",
"reverse dns",
"location united",
"installer"
],
"references": [
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Malware + Code Overlap",
"display_name": "Malware + Code Overlap",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Trojandownloader:Win32/Upatre",
"display_name": "Trojandownloader:Win32/Upatre",
"target": "/malware/Trojandownloader:Win32/Upatre"
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "Bancos",
"display_name": "Bancos",
"target": null
},
{
"id": "Hematite",
"display_name": "Hematite",
"target": null
},
{
"id": "Trojanspy:Win32/Banker.LY",
"display_name": "Trojanspy:Win32/Banker.LY",
"target": "/malware/Trojanspy:Win32/Banker.LY"
},
{
"id": "Trojan:Win32/Vflooder!rfn",
"display_name": "Trojan:Win32/Vflooder!rfn",
"target": "/malware/Trojan:Win32/Vflooder!rfn"
},
{
"id": "Win32:MalwareX",
"display_name": "Win32:MalwareX",
"target": null
},
{
"id": "Malwarex",
"display_name": "Malwarex",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.AKZ!bit",
"display_name": "Virtool:Win32/CeeInject.AKZ!bit",
"target": "/malware/Virtool:Win32/CeeInject.AKZ!bit"
},
{
"id": "Win32:Dropper",
"display_name": "Win32:Dropper",
"target": null
},
{
"id": "Ymacco",
"display_name": "Ymacco",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Trojandownloader:Win32/Upatre.A",
"display_name": "Trojandownloader:Win32/Upatre.A",
"target": "/malware/Trojandownloader:Win32/Upatre.A"
},
{
"id": "Win32:Evo",
"display_name": "Win32:Evo",
"target": null
},
{
"id": "Trojandropper:Win32/BcryptInject.B!MSR",
"display_name": "Trojandropper:Win32/BcryptInject.B!MSR",
"target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": "Win32:Cleaman-K\\ [Trj]",
"display_name": "Win32:Cleaman-K\\ [Trj]",
"target": null
},
{
"id": "Asacky",
"display_name": "Asacky",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!dha",
"display_name": "Backdoor:Win32/Plugx.N!dha",
"target": "/malware/Backdoor:Win32/Plugx.N!dha"
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Media"
],
"TLP": "white",
"cloned_from": "68c73fbd85dfbb4d41006ad1",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4746,
"hostname": 1829,
"domain": 913,
"FileHash-MD5": 249,
"FileHash-SHA1": 213,
"FileHash-SHA256": 1765,
"email": 3,
"SSLCertFingerprint": 17
},
"indicator_count": 9735,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "186 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68c73fbd85dfbb4d41006ad1",
"name": "Tucker Carlson Sam Altman YouTube Interview \u2022 Qbot | Malware with. Code Overlap",
"description": "Maybe it\u2019s a network issue. The TV I viewed interview from is in Arabic the every time. It\u2019s not\nmy\ntelevision or network, didn\u2019t get link from a logged in YouTube. Not a subscriber.. I viewed using (cc) close captioning. It\u2019s the only program n YouTube using another language for this interview. The only reason I\u2019ve visited this interview several time\u2019s since it\u2019s aired is to check for the same results. Every time only this interview uses another language for (cc).\n\nThere are related pulses by a few different users, experiencing similar personal issues. I\u2019d assume I\u2019d always get these results. Unclear\n\n* At the end of interview Tucker Carlson states YouTube is trying to suppress or delete this one interview.",
"modified": "2025-10-14T22:26:18.109000",
"created": "2025-09-14T22:20:45.617000",
"tags": [
"resolved ips",
"parent pid",
"full path",
"command line",
"cname",
"ip address",
"port",
"involved direct",
"country name",
"nxdomain",
"tcp connections",
"udp connections",
"data",
"datacrashpad",
"edge",
"passive dns",
"origin trial",
"gmt cache",
"sameorigin",
"443 ma2592000",
"ipv4 add",
"files",
"title",
"date",
"found",
"gmt content",
"hostname",
"verdict",
"error",
"code",
"present aug",
"present sep",
"aaaa",
"search",
"domain",
"present apr",
"present jun",
"address google",
"safe browsing",
"present oct",
"match info",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"match medium",
"icmp traffic",
"port t1571",
"info",
"c0002 wininet",
"flag",
"markmonitor",
"domain address",
"contacted hosts",
"process details",
"size",
"iend ihdridatx",
"qrmf",
"qkdi",
"qiyay",
"kjtn8",
"r0x3",
"ihdridatx",
"yg6qp",
"kkrz",
"t6 ex",
"click",
"windir",
"openurl c",
"prefetch2",
"data upload",
"extraction",
"failed",
"please",
"your browser",
"learn",
"opera mozilla",
"firefox google",
"chrome remind",
"privacy policy",
"safety",
"google llc",
"youtube",
"mozilla firefox",
"safari google",
"edge opera",
"browse youtube",
"file",
"indicator",
"pattern match",
"ascii text",
"ck id",
"ck matrix",
"href",
"general",
"local",
"path",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"t1590 gather",
"victim network",
"files domain",
"files related",
"related tags",
"registrar",
"files ip",
"asn as15169",
"address domain",
"ip whois",
"service address",
"po box",
"city hayes",
"country gb",
"dnssec",
"domain name",
"emails",
"script urls",
"a domains",
"texas flyover",
"script domains",
"script script",
"trojan",
"meta",
"window",
"msie",
"chrome",
"twitter",
"unknown aaaa",
"record value",
"content type",
"united states",
"dynamicloader",
"medium",
"write c",
"high",
"show",
"digicert",
"olet",
"encrypt",
"win64",
"responder",
"write",
"next",
"unknown",
"install",
"dummy",
"entries",
"displayname",
"windows",
"united",
"tofsee",
"copy",
"stream",
"malware",
"hostile",
"body",
"hostile client",
"apollo",
"jaik",
"code overlap",
"sri lanka",
"pintuck sri",
"lanka",
"unknown ns",
"moved",
"buy apparal",
"win32",
"trojandropper",
"virtool",
"susp",
"ipv4",
"pulse pulses",
"urls",
"reverse dns",
"location united",
"installer"
],
"references": [
"https://www.youtube.com/watch?v=5KmpT-BoVf4",
"https://www.youtube.com/supported_browsers?next_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D5KmpT-BoVf4",
"critical-failure-alert8768.70jf59844149.com-1kafl-hs0pt4m8f.trade",
"http://www.whatbrowser.com/intl/en/ \u2022 ghb.console.adtarget.com.tr.88.1.8b13f8ac.roksit.net",
"canary5.nycl.do.ubersmith.com \u2022 debian-test.nyc3.do.ubersmith.com",
"docs-old.ubersmith.com \u2022 edgevana.trial.ubersmith.com",
"ghb.unoadsrv.com.88.1.8b13f8ac.roksit.net",
"malware.sale \u2022 http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
"IDS: Win32/Tofsee.AX google.com connectivity check Query to a *.top domain -",
"Likely Hostile Http Client Body contains pwd= in cleartext Cleartext WordPress Login",
"Yara Detections: RansomWin32Apollo \u2022 216.239.32.27"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Malware + Code Overlap",
"display_name": "Malware + Code Overlap",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Trojandownloader:Win32/Upatre",
"display_name": "Trojandownloader:Win32/Upatre",
"target": "/malware/Trojandownloader:Win32/Upatre"
},
{
"id": "Trojan:BAT/Musecador",
"display_name": "Trojan:BAT/Musecador",
"target": "/malware/Trojan:BAT/Musecador"
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "Bancos",
"display_name": "Bancos",
"target": null
},
{
"id": "Hematite",
"display_name": "Hematite",
"target": null
},
{
"id": "Trojanspy:Win32/Banker.LY",
"display_name": "Trojanspy:Win32/Banker.LY",
"target": "/malware/Trojanspy:Win32/Banker.LY"
},
{
"id": "Trojan:Win32/Vflooder!rfn",
"display_name": "Trojan:Win32/Vflooder!rfn",
"target": "/malware/Trojan:Win32/Vflooder!rfn"
},
{
"id": "Win32:MalwareX",
"display_name": "Win32:MalwareX",
"target": null
},
{
"id": "Malwarex",
"display_name": "Malwarex",
"target": null
},
{
"id": "Virtool:Win32/CeeInject.AKZ!bit",
"display_name": "Virtool:Win32/CeeInject.AKZ!bit",
"target": "/malware/Virtool:Win32/CeeInject.AKZ!bit"
},
{
"id": "Win32:Dropper",
"display_name": "Win32:Dropper",
"target": null
},
{
"id": "Ymacco",
"display_name": "Ymacco",
"target": null
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Trojandownloader:Win32/Upatre.A",
"display_name": "Trojandownloader:Win32/Upatre.A",
"target": "/malware/Trojandownloader:Win32/Upatre.A"
},
{
"id": "Win32:Evo",
"display_name": "Win32:Evo",
"target": null
},
{
"id": "Trojandropper:Win32/BcryptInject.B!MSR",
"display_name": "Trojandropper:Win32/BcryptInject.B!MSR",
"target": "/malware/Trojandropper:Win32/BcryptInject.B!MSR"
},
{
"id": "Win32:TrojanX-gen\\ [Trj]",
"display_name": "Win32:TrojanX-gen\\ [Trj]",
"target": null
},
{
"id": "Win32:Cleaman-K\\ [Trj]",
"display_name": "Win32:Cleaman-K\\ [Trj]",
"target": null
},
{
"id": "Asacky",
"display_name": "Asacky",
"target": null
},
{
"id": "Backdoor:Win32/Plugx.N!dha",
"display_name": "Backdoor:Win32/Plugx.N!dha",
"target": "/malware/Backdoor:Win32/Plugx.N!dha"
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4746,
"hostname": 1829,
"domain": 913,
"FileHash-MD5": 249,
"FileHash-SHA1": 213,
"FileHash-SHA256": 1765,
"email": 3,
"SSLCertFingerprint": 17
},
"indicator_count": 9735,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "187 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6695e27f356a22d97fba5ca8",
"name": "Critical attack/s continues to affect YouTube Creator/s account/s",
"description": "Related to YouTube creator/s attack/s. Found as part of Jays Youtube Bot.exe and YouTube bots.\nFull CnC, access and id devices. Redirects views, resells. spoofs, binds and/or accounts. FRAUD! \nReference: YARA Signature Match - THOR APT Scanner\nRULE: SUSP_Wextract_Anomaly_Unsigned_May23\nRULE_SET: Livehunt - Suspicious290 Indicators \ud83c\udff9\nRULE_TYPE: THOR APT Scanner's rule set only \ud83d\udd28\nRULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_Wextract_Anomaly_Unsigned_May23\nDESCRIPTION: Detects an anomalous unsigned wextract that contains additional code and has been seen abused to deliver malware\nREFERENCE: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/deconstructing-amadeys-latest-multi-stage-attack-and-malware-distribution/\nRULE_AUTHOR: X__Junior\nThor for details #susp_wextract_anomaly_unsigned_may23",
"modified": "2024-08-15T02:00:24.886000",
"created": "2024-07-16T03:01:17.316000",
"tags": [
"win32 exe",
"wextract",
"kb file",
"files",
"file type",
"javascript",
"graph",
"ip detections",
"country",
"userprofile",
"runtime modules",
"samplepath",
"delnoderundll32",
"mpgph131 hr",
"hourly rl",
"highest c",
"mpgph131 lg",
"onlogon rl",
"highest",
"process",
"registrya",
"registry keys",
"registry",
"windows policy",
"shell folders",
"file execution",
"binary data",
"security center",
"text c",
"peexe c",
"xml c",
"zip c",
"file system",
"written c",
"dropped",
"hashes",
"windows nt",
"wow64",
"referer https",
"date thu",
"get https",
"request",
"gecko response",
"gmt connection",
"gmt vary",
"etag",
"accept",
"win64",
"query",
"windows get",
"internal",
"set file",
"create",
"create process",
"windows read",
"shutdown system",
"modify access",
"delete registry",
"enumerate",
"behavior tags",
"k0pmbc",
"spsfsb",
"ctsu",
"efq78c",
"egw7od",
"en3i8d",
"i6ydgd",
"iz1fbc",
"izt63",
"kum7z",
"vs2003",
"sp1 build",
"contained",
"info compiler",
"products",
"header intel",
"name md5",
"type",
"language",
"simplified",
"army",
"variant sides",
"with russia",
"ramnit",
"netsupport rat",
"sneaky server",
"replacement",
"unauthorized",
"sim unlock",
"emotet",
"chaos",
"malicious",
"critical",
"copy",
"life",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 compiler",
"cc linker",
"urls",
"gandi sas",
"domains",
"cloudflare",
"ii llc",
"psiusa",
"domain robot",
"ltd dba",
"com laude",
"ascio",
"contacted",
"ms word",
"document",
"b file",
"html",
"javascript jac",
"html iu3",
"executed by usa",
"#wextract",
"#unsigned",
"thor",
"stealer",
"evader",
"systemroot",
"grum",
"high",
"delete c",
"cape",
"write",
"103 read",
"clsid read",
"date read",
"trojan",
"united",
"unknown",
"status",
"cname",
"creation date",
"search",
"as1921",
"austria unknown",
"emails",
"expiration date",
"date",
"pragma",
"next",
"passive dns",
"backdoor",
"win32",
"scan endpoints",
"all scoreblue",
"ipv4",
"usa",
"co",
"teams",
"cybercrime",
"spoof",
"benjamin",
"dynamicloader",
"write c",
"pe32 executable",
"show",
"yara rule",
"windows",
"recon",
"worm",
"powershell",
"june",
"delphi",
"malware",
"malice",
"retaliation",
"through the nights",
"apple",
"lenovo",
"ios",
"hackers",
"move",
"moved"
],
"references": [
"WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4",
"MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com",
"CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
"Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)",
"^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^",
"CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan",
"CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)",
"CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)",
"CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)",
"CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)",
"CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data",
"CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)",
"CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)",
"CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)",
"CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent",
"CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet",
"CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected",
"TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d",
"Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly",
"Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com",
"Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)",
"Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected",
"Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered",
"Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645",
"Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,",
"IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI",
"https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection",
"Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042",
"https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2",
"https://www.youtube.com/watch?v=GyuMozsVyYs",
"Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"",
"https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004",
"http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&",
"https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr",
"nr-data.net [Apple Private Data Collection]",
"https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic",
"https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "WAT:Blacked-E",
"display_name": "WAT:Blacked-E",
"target": null
},
{
"id": "Win32:RmnDrp [Inf]",
"display_name": "Win32:RmnDrp [Inf]",
"target": null
},
{
"id": "AI:FileInfector.EAEEA7850C",
"display_name": "AI:FileInfector.EAEEA7850C",
"target": null
},
{
"id": "Virus.Ramnit/Nimnul",
"display_name": "Virus.Ramnit/Nimnul",
"target": null
},
{
"id": "Trojan.Crifi.1",
"display_name": "Trojan.Crifi.1",
"target": null
},
{
"id": "Trojan.MSIL.Injurer.cbd",
"display_name": "Trojan.MSIL.Injurer.cbd",
"target": null
},
{
"id": "Win.Downloader.Small-1645",
"display_name": "Win.Downloader.Small-1645",
"target": null
},
{
"id": "Trojan:Win32/Scrarev.C",
"display_name": "Trojan:Win32/Scrarev.C",
"target": "/malware/Trojan:Win32/Scrarev.C"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/Speesipro.A",
"display_name": "Trojan:Win32/Speesipro.A",
"target": "/malware/Trojan:Win32/Speesipro.A"
},
{
"id": "Virus:Win32/Sality.AT",
"display_name": "Virus:Win32/Sality.AT",
"target": "/malware/Virus:Win32/Sality.AT"
},
{
"id": "TrojanDownloader:Win32/Upatre",
"display_name": "TrojanDownloader:Win32/Upatre",
"target": "/malware/TrojanDownloader:Win32/Upatre"
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "TrojanDownloader:Win32/Nemucod",
"display_name": "TrojanDownloader:Win32/Nemucod",
"target": "/malware/TrojanDownloader:Win32/Nemucod"
},
{
"id": "PWS:Win32/QQpass.B!MTB",
"display_name": "PWS:Win32/QQpass.B!MTB",
"target": "/malware/PWS:Win32/QQpass.B!MTB"
},
{
"id": "Backdoor:Win32/Likseput.B",
"display_name": "Backdoor:Win32/Likseput.B",
"target": "/malware/Backdoor:Win32/Likseput.B"
},
{
"id": "Worm:Win32/Benjamin",
"display_name": "Worm:Win32/Benjamin",
"target": "/malware/Worm:Win32/Benjamin"
},
{
"id": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer",
"display_name": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1588",
"name": "Obtain Capabilities",
"display_name": "T1588 - Obtain Capabilities"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1134.004",
"name": "Parent PID Spoofing",
"display_name": "T1134.004 - Parent PID Spoofing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1003.007",
"name": "Proc Filesystem",
"display_name": "T1003.007 - Proc Filesystem"
},
{
"id": "T1042",
"name": "Change Default File Association",
"display_name": "T1042 - Change Default File Association"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Media",
"Technology",
"Civil Society",
"Crime Victims"
],
"TLP": "green",
"cloned_from": null,
"export_count": 30,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4312,
"domain": 1056,
"hostname": 1818,
"URL": 5125,
"FileHash-MD5": 310,
"FileHash-SHA1": 221,
"email": 3
},
"indicator_count": 12845,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "613 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6694bb9be1b61bf820500004",
"name": "YouTube Creator Cyber Attacks | Jays Youtube Bot.exe | YT Botnet",
"description": "YouTube Creator account attacks. Critical alerts, botnets, YT bots. I cannot adequately describe attack right now. Retaliation for targets YT channel Song Culture stems from retaliation shortly after a crime against target. Id be interested to learn more. An ITC Intercepter records traffic passed through Song Culture YouTube channel m redirects to other channels. Not reflected in the 1.5 million followers or the 3.2 million views. They just stopped. Then managing director was notified as all of Song Cultures social media Twitter, Instagram, Pinterest succumbed to Emotet attack. Social engineering did occur. Several parties. Alleged eBay , health insurance representatives, an attorney, alleged PI's music managers contacted by phone. A man from Great Britain also began an SE campaign, The strange part is following, confrontations, dangerous attacks, MIB, and other curious in person encounter, critical injuries, financial devastation has caused target to remain isolated.",
"modified": "2024-08-14T05:03:59.815000",
"created": "2024-07-15T06:03:07.423000",
"tags": [
"historical ssl",
"referrer",
"december",
"sneaky server",
"replacement",
"unauthorized",
"high level",
"hackers",
"highly targeted",
"cyber attack",
"emotet",
"critical",
"copy",
"united",
"command decode",
"suricata ipv4",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"sha1",
"name server",
"date",
"hybrid",
"general",
"click",
"strings",
"contact",
"song culture",
"tsara lynn",
"culture",
"chime sa",
"mediawarning",
"youtube twitter",
"secchuabitness",
"secchuamodel",
"secchuawow64",
"secchuaplatform",
"pragma",
"form",
"hope",
"karma",
"learn",
"suspicious",
"flag",
"pe resource",
"synaptics",
"apeaksoft ios",
"hiddentear",
"urls",
"domains",
"contacted",
"markmonitor",
"win32 exe",
"parents",
"type name",
"msrsaapp",
"youtube bot",
"rar jays",
"mozilla firefox",
"twitch",
"samplename",
"rar youtube",
"zip youtube",
"social bots",
"files",
"file type",
"kb file",
"b file",
"graph",
"get https",
"msie",
"windows nt",
"win64",
"slcc2",
"media center",
"request",
"gmt server",
"referer https",
"amd64 accept",
"accept",
"code",
"rwx memory",
"managed code",
"calls unmanaged",
"native",
"often seen",
"base64 encrypt",
"trojan",
"tsara brashears",
"red team hacking",
"process32nextw",
"regsetvalueexa",
"regdword",
"high",
"medium",
"objects",
"regbinary",
"module load",
"t1129",
"t1060",
"crash",
"dock",
"persistence",
"execution",
"okhfjrtblzo",
"ip check",
"windows",
"http host",
"controlservice",
"domain",
"registry",
"tools",
"service",
"worm",
"malware",
"win32",
"bits",
"read c",
"intel",
"ms windows",
"pe32",
"search",
"type read",
"show",
"wow64",
"stop",
"write",
"unknown",
"waiting",
"push",
"next",
"asnone united",
"aaaa",
"united kingdom",
"as20738 host",
"moved",
"passive dns",
"default",
"delete c",
"pe32 executable",
"document file",
"v2 document",
"floodfix",
"floxif",
"name servers",
"susp",
"showing",
"as55286",
"scan endpoints",
"all scoreblue",
"ransom",
"amadey",
"songculture",
"spreader",
"tracey richter",
"roberts",
"michael roberts",
"jays",
"sabey",
"rexxfield",
"darklivity"
],
"references": [
"https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe",
"https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details",
"Jays Youtube Bot.exe > FileHash-SHA256\t00514527e00ee001d042",
"Matches rule DotNet_Reactor from ruleset DotNet_Reactor by @bartblaze",
"https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection",
"m.pornsexer.xxx.3.1.adiosfil.roksit.net",
"http://freedns.afraid.org/subdomain/edit.php?data_id=21091713",
"Ransom: message.htm.com",
"Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H | IDS Detections: Win32.Floxif.A Checkin 403 Forbidden",
"Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho",
"Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction",
"Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception",
"Alerts: infostealer_browser creates_exe suspicious_process modifies_certificates stealth_window exe_appdata",
"Antivirus Detections: Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa-6057105-0 , Worm:Win32/Pykspa.C IDS Detections Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host) IP Check Domain (showmyipaddress .com in HTTP Host) IP Check Domain (whatismyipaddress .com in HTTP Host) 403 Forbidden Yara Detections None Alerts network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create",
"Win32:Renos-KY\\ [Trj] , Win.Worm.Pykspa , Worm:Win32/Pykspa.C: FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd trojan",
"https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd",
"Jays Youtube Bot.exe | **http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf",
"https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1",
"FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1",
"Antivirus Detections: Win.Virus.Pioneer-9111434-0 , Virus:Win32/Floxif.H",
"IDS Detections: Win32.Floxif.A Checkin 403 Forbidden | |",
"Yara Detections: stack_string , KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates",
"Alerts: modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction",
"Alerts: dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception infostealer_browser",
"Alerts: stealth_windowcreates_exe suspicious_process exe_appdata",
"http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego> dorkingbeaty]",
"https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg",
"https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target:SongCulture/Tsara Brashears YT]",
"Related somehow, pulse modified by?https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297",
"http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City\tGranite Bay Country US ?)",
"https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Backdoor.Xtreme",
"display_name": "Backdoor.Xtreme",
"target": null
},
{
"id": "W32.AIDetectMalware.CS",
"display_name": "W32.AIDetectMalware.CS",
"target": null
},
{
"id": "Win.Virus.Pioneer-9111434-0",
"display_name": "Win.Virus.Pioneer-9111434-0",
"target": null
},
{
"id": "Virus:Win32/Floxif.H",
"display_name": "Virus:Win32/Floxif.H",
"target": "/malware/Virus:Win32/Floxif.H"
},
{
"id": "Win32:Renos-KY\\ [Trj]",
"display_name": "Win32:Renos-KY\\ [Trj]",
"target": null
},
{
"id": ", Win.Worm.Pykspa-6057105-0",
"display_name": ", Win.Worm.Pykspa-6057105-0",
"target": null
},
{
"id": "Worm:Win32/Pykspa.C",
"display_name": "Worm:Win32/Pykspa.C",
"target": "/malware/Worm:Win32/Pykspa.C"
},
{
"id": "PUP/Hacktool",
"display_name": "PUP/Hacktool",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1584.005",
"name": "Botnet",
"display_name": "T1584.005 - Botnet"
},
{
"id": "T1133",
"name": "External Remote Services",
"display_name": "T1133 - External Remote Services"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 439,
"FileHash-SHA1": 386,
"FileHash-SHA256": 2320,
"URL": 1873,
"domain": 478,
"hostname": 839,
"SSLCertFingerprint": 9,
"email": 7
},
"indicator_count": 6351,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "614 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6692cf0e2273bb06aa43e43c",
"name": "Banker: Through The Nights - YouTube | Errors |",
"description": "YouTube creator issue. Hijacked channel. Won't open in VT, 303 error, ransomware files. Ransomware confirmed, limited access/research for today's pulse.",
"modified": "2024-08-12T18:02:56.458000",
"created": "2024-07-13T19:01:34.484000",
"tags": [
"united",
"command decode",
"suricata ipv4",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"sha1",
"name server",
"date",
"hybrid",
"general",
"click",
"strings",
"contact",
"low risk",
"domain",
"no malware",
"found",
"site",
"ip address",
"google network",
"unknown",
"low security",
"risk",
"hacked",
"protect",
"path",
"secure",
"httponly",
"secchuabitness",
"secchuamodel",
"secchuawow64",
"secchuaplatform",
"samesitenone",
"http response",
"final url",
"status code",
"body length",
"kb body",
"pragma",
"song culture",
"tsara lynn",
"culture",
"chime sa",
"mediawarning",
"youtube twitter",
"jess",
"tsara brashears",
"zafira songs",
"youtube og",
"hope",
"html info",
"meta tags",
"data",
"v3 serial",
"number",
"cus ogoogle",
"trust",
"llc cngts",
"validity",
"subject public",
"key info",
"key algorithm",
"name",
"whois lookup",
"create date",
"expiry date",
"query time",
"update date",
"update",
"passive dns",
"gmt content",
"scan endpoints",
"all scoreblue",
"hostname",
"pulse pulses",
"urls",
"files",
"related pulses",
"error",
"code",
"algorithm",
"first"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3,
"FileHash-SHA1": 3,
"FileHash-SHA256": 343,
"SSLCertFingerprint": 8,
"URL": 333,
"domain": 69,
"hostname": 165
},
"indicator_count": 924,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "615 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e863bebbf95e0dc5a4169a",
"name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack expected",
"description": "Network compromised updated Apple device was directed (303) to a server. This is one of several botnets found. onthewifi \u2206 {Win32:BotX-gen\\ [Trj]} \u2022 Injection process | Password bypass. Studies targets behavior | Checks for other devices | Glupteba: \n Glupteba is a trojan-type program, malicious software that installs other programs of this type. Cyber criminals can perform a number of actions of a malicious hacker's choice on your device.",
"modified": "2024-04-05T12:00:46.637000",
"created": "2024-03-06T12:38:22.052000",
"tags": [
"referrer",
"tsara brashears",
"password bypass",
"apple phone",
"unlocker",
"shell code",
"script",
"pe resource",
"execution",
"sneaky server",
"emotet",
"android",
"download",
"malware",
"relic",
"monitoring",
"installer",
"formbook",
"urls",
"contacted",
"win32 exe",
"parents",
"type name",
"msrsaapp",
"files",
"file type",
"kb file",
"b file",
"graph",
"pe32 executable",
"ms windows",
"intel",
"generic cil",
"executable",
"mono",
"win32 dynamic",
"link library",
"win16 ne",
"samplename",
"samplepath",
"jays youtube",
"rticon neutral",
"details",
"header intel",
"name md5",
"type",
"language",
"contained",
"ico rtgroupicon",
"neutral",
"net technology",
"corporation",
"domains",
"markmonitor inc",
"malicious",
"cnc",
"network",
"bypass password",
"network probe",
"dns query",
"as20940",
"united",
"aaaa",
"search",
"showing",
"date",
"passive dns",
"registrar",
"unknown",
"encrypt",
"next",
"domain",
"emails",
"name servers",
"as199524",
"record value",
"rst seen",
"last seen",
"asn country",
"cname",
"as15169 google",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files ip",
"as4788",
"address",
"pulses",
"win32",
"entries",
"dadjoke",
"ms defender",
"united kingdom",
"germany unknown",
"as46606",
"as14061",
"servers",
"as12576 ee",
"russia unknown",
"as3320 deutsche",
"gamaredon",
"armageddon",
"as8068",
"script urls",
"for privacy",
"script domains",
"certificate",
"meta",
"creation date",
"as14627",
"ipv4",
"onthewifi",
"as54113",
"trojan",
"flywheel",
"sea x",
"accept",
"ransom",
"post http",
"langserbian",
"sublangdefault",
"rticon",
"process32nextw",
"medium",
"t1055",
"high",
"ip address",
"generic",
"body",
"markus",
"june",
"copy",
"bitcoin"
],
"references": [
"FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb",
"FormBook: 45.159.189.105",
"FormBook: http://45.159.189.105/bot/regex",
"Emotet: www.youtube.com/watch?v=GyuMozsVyYs",
"Relic: bam.nr-data.net [Apple Private Data Collection]",
"capitana.onthewifi.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Win32:Cryptor",
"display_name": "Win32:Cryptor",
"target": null
},
{
"id": "Win.Virus.PolyRansom-5704625-0",
"display_name": "Win.Virus.PolyRansom-5704625-0",
"target": null
},
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.KM!MTB",
"display_name": "Trojan:Win32/Glupteba.KM!MTB",
"target": "/malware/Trojan:Win32/Glupteba.KM!MTB"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1188",
"name": "Multi-hop Proxy",
"display_name": "T1188 - Multi-hop Proxy"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 53,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 309,
"FileHash-SHA1": 307,
"FileHash-SHA256": 3084,
"URL": 3066,
"domain": 1085,
"hostname": 1709,
"CVE": 1,
"email": 7
},
"indicator_count": 9568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "744 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65ea6410c1e1b1185951ef98",
"name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack executed (Copy)",
"description": "",
"modified": "2024-04-05T12:00:46.637000",
"created": "2024-03-08T01:04:16.906000",
"tags": [
"referrer",
"tsara brashears",
"password bypass",
"apple phone",
"unlocker",
"shell code",
"script",
"pe resource",
"execution",
"sneaky server",
"emotet",
"android",
"download",
"malware",
"relic",
"monitoring",
"installer",
"formbook",
"urls",
"contacted",
"win32 exe",
"parents",
"type name",
"msrsaapp",
"files",
"file type",
"kb file",
"b file",
"graph",
"pe32 executable",
"ms windows",
"intel",
"generic cil",
"executable",
"mono",
"win32 dynamic",
"link library",
"win16 ne",
"samplename",
"samplepath",
"jays youtube",
"rticon neutral",
"details",
"header intel",
"name md5",
"type",
"language",
"contained",
"ico rtgroupicon",
"neutral",
"net technology",
"corporation",
"domains",
"markmonitor inc",
"malicious",
"cnc",
"network",
"bypass password",
"network probe",
"dns query",
"as20940",
"united",
"aaaa",
"search",
"showing",
"date",
"passive dns",
"registrar",
"unknown",
"encrypt",
"next",
"domain",
"emails",
"name servers",
"as199524",
"record value",
"rst seen",
"last seen",
"asn country",
"cname",
"as15169 google",
"scan endpoints",
"all octoseek",
"pulse pulses",
"files ip",
"as4788",
"address",
"pulses",
"win32",
"entries",
"dadjoke",
"ms defender",
"united kingdom",
"germany unknown",
"as46606",
"as14061",
"servers",
"as12576 ee",
"russia unknown",
"as3320 deutsche",
"gamaredon",
"armageddon",
"as8068",
"script urls",
"for privacy",
"script domains",
"certificate",
"meta",
"creation date",
"as14627",
"ipv4",
"onthewifi",
"as54113",
"trojan",
"flywheel",
"sea x",
"accept",
"ransom",
"post http",
"langserbian",
"sublangdefault",
"rticon",
"process32nextw",
"medium",
"t1055",
"high",
"ip address",
"generic",
"body",
"markus",
"june",
"copy",
"bitcoin"
],
"references": [
"FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb",
"FormBook: 45.159.189.105",
"FormBook: http://45.159.189.105/bot/regex",
"Emotet: www.youtube.com/watch?v=GyuMozsVyYs",
"Relic: bam.nr-data.net [Apple Private Data Collection]",
"capitana.onthewifi.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Germany"
],
"malware_families": [
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Win32:Cryptor",
"display_name": "Win32:Cryptor",
"target": null
},
{
"id": "Win.Virus.PolyRansom-5704625-0",
"display_name": "Win.Virus.PolyRansom-5704625-0",
"target": null
},
{
"id": "SLF:Trojan:Win32/Grandoreiro.A",
"display_name": "SLF:Trojan:Win32/Grandoreiro.A",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.KM!MTB",
"display_name": "Trojan:Win32/Glupteba.KM!MTB",
"target": "/malware/Trojan:Win32/Glupteba.KM!MTB"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1188",
"name": "Multi-hop Proxy",
"display_name": "T1188 - Multi-hop Proxy"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65e863bebbf95e0dc5a4169a",
"export_count": 47,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 309,
"FileHash-SHA1": 307,
"FileHash-SHA256": 3084,
"URL": 3066,
"domain": 1085,
"hostname": 1709,
"CVE": 1,
"email": 7
},
"indicator_count": 9568,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "744 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65caca061fbb7674de86ec7b",
"name": "Invicta Stealer",
"description": "Invicta Stealer is equipped to steal data from most locations of a system which makes it a dangerous threat.\nLink found in https://house.mo.com",
"modified": "2024-03-14T01:01:47.115000",
"created": "2024-02-13T01:46:46.969000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"resolutions",
"communicating",
"whois whois",
"subdomains",
"referrer",
"problems",
"core",
"startpage",
"june",
"passive dns",
"urls",
"domain",
"otx telemetry",
"body",
"gmt content",
"x adblock",
"scan endpoints",
"all octoseek",
"hostname",
"date",
"encrypt",
"threat roundup",
"october",
"november",
"march",
"february",
"apple ios",
"april",
"tsara brashears",
"copy",
"hacktool",
"phishing",
"metro",
"crypto",
"installer",
"awful",
"united",
"unknown",
"germany unknown",
"search",
"servers",
"registrar",
"name servers",
"status",
"next",
"moved",
"address",
"creation date",
"showing",
"ipv4",
"pulse submit",
"url analysis",
"accept",
"aaaa",
"record type",
"ttl value",
"html document",
"ascii text",
"anchor hrefs",
"hrefs",
"anchor",
"anchor href",
"threat",
"paste",
"iocs",
"analyze",
"hostnames",
"url https",
"sample",
"server",
"code",
"registry domain",
"dnssec",
"registrar url",
"registrar whois",
"iana id",
"registrar abuse",
"tech email",
"fake update",
"utilizes new",
"idat loader",
"stealc",
"urls http",
"isadultno",
"adposbottom",
"adformatplain",
"adnetworks",
"quasar rat",
"ip detections",
"country",
"cellbrite",
"execution",
"pegasus",
"malware",
"agent tesla",
"attack",
"ukraine",
"silent",
"invicta stealer",
"redline stealer",
"orcus rat",
"files",
"germany asn",
"as196763",
"a domains",
"redacted for",
"record value",
"for privacy",
"emails",
"name",
"contacted urls",
"bundled",
"de indicators",
"domains",
"hashes",
"gmbh version",
"status page",
"service privacy",
"legal",
"impressum",
"pulse pulses",
"location united",
"open",
"cookie",
"customer",
"0 report",
"sea alt",
"certificate",
"#targeting",
"#discordwallets",
"house.mo.gov"
],
"references": [
"https://www.facebooksunglassshop.com/",
"CVE-2017-0147 \u2022 CVE-2023-4966 \u2022 CVE-2023-22518",
"https://ispy-official.com/ X Cache: Redirect from cloudfront Via: 1.1 030fe0607711293dda988e571617a9f2.cloudfront.net CloudFront X Amz Cf",
"Pop: HIO50 C1 X Amz Cf Id: Jt aBPO2nI3Nt D0E4nzqpun66btDLhJ41kQwhDASrIukoWyUOWE1w==",
"apple.com-auth.eu [Find apple] | https://applemusic-spotlight.myunidays.com/US/en-US? [compromise via apple media]",
"http://init-p01st.push.apple.com/bag [= Google.com.uy modified browser - malicious] apple.com-auth.eu \u2022 appleid.apple.com-auth.eu\u2022",
"https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [apple media compromise. Pega behavior?]",
"all-live.secure2storeapple.xxianzi.com \u2022 https://www.symbios.pk/apple-ipod-5-32gb",
"http://m.xiang5.com/keyword/17655.html&ht=%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%8D%E8%B4%B9%E9%98%85%E8%AF%BB_%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%A8%E6%9C%AC%E6%97%A0%E5%BC%B9%E7%AA%97-%E9%A6%99%E7%BD%91%E5%B0%8F%E8%AF%B4%E6%89%8B%E6%9C%BA%E7%89%88&uaddr=https:/www.sogou.com/link?url=58p16RfDRLtDzo-0AEmfJoGs8rDRUEq4ejjohgXqBYnQGuHk6xSRXg..&h=1080&w=1920&cd=24&lg=zh-CN&ua=mozilla/5.0%20(windows%20nt%2010.0;%20win64;%20x64)%20",
"Tracking: mailtrack.io \u2022 nr-data.net \u2022 tracking.bullseyeedu.com \u2022 https://smtp.mail.pentrack.com \u2022 tracking.vetsindexes.com",
"Remote threats: http://watchhers.net/index.php \u2022 http://eye.infunvip.com/appinterface/other/login.remote",
"https://plussizedesi.com/wp-content/uploads/2022/07/SniperGhostWarrior2BlackBox_Version_Download_INSTALL.pdf",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password decryption]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 apple collection]",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"wallpapers-nature.com",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev",
"edgedl.me.gvt1.com",
"Link found in https://house.mo.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Invicta Stealer",
"display_name": "Invicta Stealer",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "Orcus RAT",
"display_name": "Orcus RAT",
"target": null
},
{
"id": "Silent",
"display_name": "Silent",
"target": null
}
],
"attack_ids": [],
"industries": [
"Government",
"Civil Society",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 65,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 153,
"FileHash-SHA1": 145,
"FileHash-SHA256": 3848,
"CVE": 3,
"URL": 8291,
"domain": 2541,
"hostname": 3034,
"email": 13
},
"indicator_count": 18028,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "767 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://www.youtube.sa",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://www.youtube.sa",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776670342.2735367
}