{ "type": "URL", "indicator": "https://www1.timeout.nbahoopstroops.org.nbahoopstroops.org", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www1.timeout.nbahoopstroops.org.nbahoopstroops.org", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3810439119, "indicator": "https://www1.timeout.nbahoopstroops.org.nbahoopstroops.org", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "659560d63178b32f07838efb", "name": "Covert | Big O Tires active cyber threat | Dark Power | Emotet|", "description": "Active, ongoing cyber threat, multiple malicious activities including, network rat, ransomware encryption, social engineering, spammers, infostealer, botnet activity.\nConsumers may also be contacted by mail or phone or find account seized. I haven't benn able to properly access the magnitude of the issue, there has been at least a handful of customers in good standing , with higher limits on paid of cards that ended up being stolen or according to Big O Representatives 'closed' for unfounded reasons; failure to confirm citizenship, identity, unknown patriot act offences, failure to comply Big O Tires via mail.", "modified": "2024-02-02T12:04:41.638000", "created": "2024-01-03T13:27:50.685000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "unsafeeval", "path", "expiressat", "auto", "wheels online", "o tires", "shop tires", "html info", "title shop", "tires", "meta tags", "big o", "tires language", "name verdict", "falcon sandbox", "samples", "localappdata", "json data", "temp", "getprocaddress", "ascii text", "windir", "file", "indicator", "mitre att", "ck id", "factory", "hybrid", "model", "comspec", "ssl certificate", "whois record", "execution", "contacted", "historical ssl", "whois whois", "simda http", "collections", "historical", "dropped", "backdoor", "unknown", "united", "asnone", "show", "entries", "search", "intel", "ms windows", "pe32", "windows nt", "copy", "write", "logic", "download", "malware", "suspicious", "next", "destination", "port", "components", "globalnpf", "china as23724", "music", "data c", "mexico", "as15169 google", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "united kingdom", "explorer", "xserver", "mtb aug", "location united", "america asn", "open", "trojan", "worm", "dataadobereader", "as397240", "msie", "etpro trojan", "virgin islands", "script urls", "creation date", "record value", "date", "a domains", "all search", "otx octoseek", "url http", "http", "related nids", "pulse http", "url https", "files location", "as20940", "aaaa", "as2914 ntt", "canada unknown", "japan unknown", "as16625 akamai", "domain", "hostname", "gmt content", "gmt report", "0 report", "sea alt", "body", "encrypt", "social engineering", "revenge rat", "rat", "identity theft", "credit card", "referrer", "communicating", "bundled", "family", "roots", "lolkek", "tzw variants", "quasar rat", "dark power", "swisyn", "wiper", "ransomware", "cobalt strike", "attack", "core", "emotet", "exploit", "hacktool", "mail spammer", "as63949 linode", "mtb dec", "checkin m1", "trojanspy", "artro", "remote", "infostealer" ], "references": [ "https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ukraine", "Georgia", "India", "Hong Kong", "Canada", "China", "Indonesia", "South Africa", "Germany", "Slovenia", "Mexico", "Netherlands", "Japan", "Spain", "Argentina", "France", "Chile", "Italy", "Aruba", "Switzerland", "United Kingdom of Great Britain and Northern Ireland", "Denmark", "Poland", "Colombia", "Taiwan", "Bulgaria", "Austria", "Russian Federation", "Australia", "Philippines", "Norway", "Sweden" ], "malware_families": [ { "id": "Trojan:Win32/Comspec", "display_name": "Trojan:Win32/Comspec", "target": "/malware/Trojan:Win32/Comspec" }, { "id": "#Lowfi:SCPT:KiraAsciiObfuscator", "display_name": "#Lowfi:SCPT:KiraAsciiObfuscator", "target": null }, { "id": "Backdoor:Win32/Simda", "display_name": "Backdoor:Win32/Simda", "target": "/malware/Backdoor:Win32/Simda" }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "PWS:Win32/VB.CU", "display_name": "PWS:Win32/VB.CU", "target": "/malware/PWS:Win32/VB.CU" }, { "id": "Trojan:MSIL/ClipBanker.GB!MTB", "display_name": "Trojan:MSIL/ClipBanker.GB!MTB", "target": "/malware/Trojan:MSIL/ClipBanker.GB!MTB" }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Win.Packed.Zusy-7170176-0", "display_name": "Win.Packed.Zusy-7170176-0", "target": null }, { "id": "Win.Trojan.Zbot-9880005-0", "display_name": "Win.Trojan.Zbot-9880005-0", "target": null }, { "id": "'Win32:Trojan-gen", "display_name": "'Win32:Trojan-gen", "target": null }, { "id": "TEL:TrojanDownloader:O97M/MsiexecAbuse", "display_name": "TEL:TrojanDownloader:O97M/MsiexecAbuse", "target": null }, { "id": "Worm:Win32/Mofksys.B", "display_name": "Worm:Win32/Mofksys.B", "target": "/malware/Worm:Win32/Mofksys.B" }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Worm:LOGO/Logic", "display_name": "Worm:LOGO/Logic", "target": "/malware/Worm:LOGO/Logic" }, { "id": "ETPro Trojan", "display_name": "ETPro Trojan", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "TrojanSpy:Win32/Swisyn", "display_name": "TrojanSpy:Win32/Swisyn", "target": "/malware/TrojanSpy:Win32/Swisyn" }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 560, "FileHash-SHA1": 350, "FileHash-SHA256": 4371, "URL": 8165, "domain": 2548, "hostname": 2813, "CVE": 4, "email": 3 }, "indicator_count": 18814, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "807 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658dd276d03bca9b7a93b724", "name": "Makop | Lazarus | Spyware", "description": "Privilege abuse. Spyware and miscellaneous cyber attacks leveraged against various individuals using escalated privileges. Pegasus was found, not thoroughly explored.", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-28T19:54:30.287000", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658ef84e3324dfdb9d16bd73", "name": "Makop | Lazarus | Spyware (if it looks like a Pegasus...)", "description": "", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-29T16:48:15", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": "658dd276d03bca9b7a93b724", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658481716d9034bb0d52212d", "name": "Apple Attack | Floxif Spyware | Threat Network | Virus Network", "description": "Threat Network affecting and/or originating from Apple server. Malware attacks apple airpods, tv, apple store\napple trade, apple tv\napple watch, apple card, apple og?, apple server.\nSystemUpdate.dll issue. Device may partially attempt, device will show latest update, com[promised devices may have throttled update on attempt.\n\nFloxif:\nShort bio\nTrojan.Floxif is Malwarebytes\u2019 detection name for a file-changing Trojanthat targets Windows systems.\n\nSymptoms\nTrojan.Floxif can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine.\n\nStaged data. Floxif primarily target Windows, Apple is less vulnerable to buy can be experience a Floxif attack.", "modified": "2024-01-20T14:03:29.247000", "created": "2023-12-21T18:18:25.746000", "tags": [ "bitrep", "learn", "apple card", "apple", "apple store", "apple tv", "watch vision", "airpods tv", "apple watch", "buy apple", "apple trade", "footer", "media", "find", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious site", "hostname", "hostnames", "detection list", "blacklist", "malware", "alexa", "ip address", "whois record", "ssl certificate", "iocs", "whois whois", "historical ssl", "communicating", "threat network", "ioc search", "new ioc", "teams api", "contact", "attack", "probe", "search", "threat", "paste", "contacted", "april", "threat roundup", "pe resource", "lcid1033", "smlen", "spn647", "bv6fet56ww", "february", "core", "name verdict", "falcon sandbox", "threat analyzer", "samples", "generic malware", "tag count", "malware generic", "tue dec", "threat report", "summary", "first", "http response", "final url", "status code", "body length", "kb body", "sha256", "self", "server apple", "connection", "html info", "title apple", "meta tags", "indextab og", "apple og", "spyware", "plugins", "cab", "fraud urls", "data collection", "staged data", "privilege escalation", "defense evasion", "evasive", "stealthy", "serial number", "symantec time", "stamping", "algorithm", "thumbprint", "from", "symantec sha256", "sha256 code", "signing ca", "class", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "vs2008", "rticon english", "vs2005", "chi2", "contained", "info compiler", "products", "header target", "machine intel", "utc entry", "floxif", "serving ip", "address", "headers nel", "dynamic expires", "gmt server", "file sharing", "personal data" ], "references": [ "https://www.apple.com/qtactivex/qtplugin.cab", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "http://www.screensaver.com/ruxitbeacon", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "http://dns1.whitelist.camect.com [interesting]", "https://www.jbits.courts.state.co [interesting]", "http://www.sos.state.co/ [interesting]", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "Crowdsourced YARA Rulesets", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "20.190.160.2 Microsoft [exploit_source]", "20.190.160.67 Microsoft [exploit_source]", "20.190.160.73 Microsoft [exploit_source]", "watson.events.data.microsoft.com [traffic manager]", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "watson.telemetry.microsoft.us [Data traffic manager]", "www.anyxxxtube.net [tracking]", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Apple", "display_name": "Apple", "target": null } ], "attack_ids": [ { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 609, "FileHash-SHA1": 361, "FileHash-SHA256": 1977, "domain": 460, "hostname": 992, "URL": 3115 }, "indicator_count": 7514, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "https://www.apple.com/qtactivex/qtplugin.cab", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "gameskinny.com", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]", "Crowdsourced YARA Rulesets", "http://www.screensaver.com/ruxitbeacon", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "20.190.160.67 Microsoft [exploit_source]", "https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc", "http://www.sos.state.co/ [interesting]", "uat.identityssl.newscdn.com.au", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "watson.telemetry.microsoft.us [Data traffic manager]", "https://www.jbits.courts.state.co [interesting]", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "watson.events.data.microsoft.com [traffic manager]", "20.190.160.2 Microsoft [exploit_source]", "20.190.160.73 Microsoft [exploit_source]", "http://dns1.whitelist.camect.com [interesting]", "www.anyxxxtube.net [tracking]", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "https://www.malwarebytes.com/blog/detections/trojan-floxif" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Tulach", "Lolkek", "Trojanspy:win32/swisyn", "Tel:trojandownloader:o97m/msiexecabuse", "Ransomware", "Etpro trojan", "Backdoor:win32/simda", "Win.trojan.zbot-9880005-0", "Quasar rat", "Hacktool", "Worm:win32/mofksys.b", "#lowfi:scpt:kiraasciiobfuscator", "Lazarus", "Hallrender", "Brashears", "Malware", "Apple", "Emotet", "Worm:win32/mofksys.rnd!mtb", "'win32:trojan-gen", "Makop ransomware", "Little", "Crypt3.blxp", "Trojan:msil/clipbanker.gb!mtb", "Trojan:win32/comspec", "Sabey", "Artro", "Trojanspy", "Pws:win32/vb.cu", "Worm:logo/logic", "Cobalt strike", "Dark power", "Win.packed.zusy-7170176-0", "Virus:win32/floxif.h" ], "industries": [ "Telecommunications" ], "unique_indicators": 36571 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/nbahoopstroops.org", "whois": "http://whois.domaintools.com/nbahoopstroops.org", "domain": "nbahoopstroops.org", "hostname": "www1.timeout.nbahoopstroops.org.nbahoopstroops.org" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "659560d63178b32f07838efb", "name": "Covert | Big O Tires active cyber threat | Dark Power | Emotet|", "description": "Active, ongoing cyber threat, multiple malicious activities including, network rat, ransomware encryption, social engineering, spammers, infostealer, botnet activity.\nConsumers may also be contacted by mail or phone or find account seized. I haven't benn able to properly access the magnitude of the issue, there has been at least a handful of customers in good standing , with higher limits on paid of cards that ended up being stolen or according to Big O Representatives 'closed' for unfounded reasons; failure to confirm citizenship, identity, unknown patriot act offences, failure to comply Big O Tires via mail.", "modified": "2024-02-02T12:04:41.638000", "created": "2024-01-03T13:27:50.685000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "unsafeeval", "path", "expiressat", "auto", "wheels online", "o tires", "shop tires", "html info", "title shop", "tires", "meta tags", "big o", "tires language", "name verdict", "falcon sandbox", "samples", "localappdata", "json data", "temp", "getprocaddress", "ascii text", "windir", "file", "indicator", "mitre att", "ck id", "factory", "hybrid", "model", "comspec", "ssl certificate", "whois record", "execution", "contacted", "historical ssl", "whois whois", "simda http", "collections", "historical", "dropped", "backdoor", "unknown", "united", "asnone", "show", "entries", "search", "intel", "ms windows", "pe32", "windows nt", "copy", "write", "logic", "download", "malware", "suspicious", "next", "destination", "port", "components", "globalnpf", "china as23724", "music", "data c", "mexico", "as15169 google", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "united kingdom", "explorer", "xserver", "mtb aug", "location united", "america asn", "open", "trojan", "worm", "dataadobereader", "as397240", "msie", "etpro trojan", "virgin islands", "script urls", "creation date", "record value", "date", "a domains", "all search", "otx octoseek", "url http", "http", "related nids", "pulse http", "url https", "files location", "as20940", "aaaa", "as2914 ntt", "canada unknown", "japan unknown", "as16625 akamai", "domain", "hostname", "gmt content", "gmt report", "0 report", "sea alt", "body", "encrypt", "social engineering", "revenge rat", "rat", "identity theft", "credit card", "referrer", "communicating", "bundled", "family", "roots", "lolkek", "tzw variants", "quasar rat", "dark power", "swisyn", "wiper", "ransomware", "cobalt strike", "attack", "core", "emotet", "exploit", "hacktool", "mail spammer", "as63949 linode", "mtb dec", "checkin m1", "trojanspy", "artro", "remote", "infostealer" ], "references": [ "https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ukraine", "Georgia", "India", "Hong Kong", "Canada", "China", "Indonesia", "South Africa", "Germany", "Slovenia", "Mexico", "Netherlands", "Japan", "Spain", "Argentina", "France", "Chile", "Italy", "Aruba", "Switzerland", "United Kingdom of Great Britain and Northern Ireland", "Denmark", "Poland", "Colombia", "Taiwan", "Bulgaria", "Austria", "Russian Federation", "Australia", "Philippines", "Norway", "Sweden" ], "malware_families": [ { "id": "Trojan:Win32/Comspec", "display_name": "Trojan:Win32/Comspec", "target": "/malware/Trojan:Win32/Comspec" }, { "id": "#Lowfi:SCPT:KiraAsciiObfuscator", "display_name": "#Lowfi:SCPT:KiraAsciiObfuscator", "target": null }, { "id": "Backdoor:Win32/Simda", "display_name": "Backdoor:Win32/Simda", "target": "/malware/Backdoor:Win32/Simda" }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "PWS:Win32/VB.CU", "display_name": "PWS:Win32/VB.CU", "target": "/malware/PWS:Win32/VB.CU" }, { "id": "Trojan:MSIL/ClipBanker.GB!MTB", "display_name": "Trojan:MSIL/ClipBanker.GB!MTB", "target": "/malware/Trojan:MSIL/ClipBanker.GB!MTB" }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Win.Packed.Zusy-7170176-0", "display_name": "Win.Packed.Zusy-7170176-0", "target": null }, { "id": "Win.Trojan.Zbot-9880005-0", "display_name": "Win.Trojan.Zbot-9880005-0", "target": null }, { "id": "'Win32:Trojan-gen", "display_name": "'Win32:Trojan-gen", "target": null }, { "id": "TEL:TrojanDownloader:O97M/MsiexecAbuse", "display_name": "TEL:TrojanDownloader:O97M/MsiexecAbuse", "target": null }, { "id": "Worm:Win32/Mofksys.B", "display_name": "Worm:Win32/Mofksys.B", "target": "/malware/Worm:Win32/Mofksys.B" }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Worm:LOGO/Logic", "display_name": "Worm:LOGO/Logic", "target": "/malware/Worm:LOGO/Logic" }, { "id": "ETPro Trojan", "display_name": "ETPro Trojan", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "TrojanSpy:Win32/Swisyn", "display_name": "TrojanSpy:Win32/Swisyn", "target": "/malware/TrojanSpy:Win32/Swisyn" }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 560, "FileHash-SHA1": 350, "FileHash-SHA256": 4371, "URL": 8165, "domain": 2548, "hostname": 2813, "CVE": 4, "email": 3 }, "indicator_count": 18814, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "807 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658dd276d03bca9b7a93b724", "name": "Makop | Lazarus | Spyware", "description": "Privilege abuse. Spyware and miscellaneous cyber attacks leveraged against various individuals using escalated privileges. Pegasus was found, not thoroughly explored.", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-28T19:54:30.287000", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658ef84e3324dfdb9d16bd73", "name": "Makop | Lazarus | Spyware (if it looks like a Pegasus...)", "description": "", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-29T16:48:15", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": "658dd276d03bca9b7a93b724", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658481716d9034bb0d52212d", "name": "Apple Attack | Floxif Spyware | Threat Network | Virus Network", "description": "Threat Network affecting and/or originating from Apple server. Malware attacks apple airpods, tv, apple store\napple trade, apple tv\napple watch, apple card, apple og?, apple server.\nSystemUpdate.dll issue. Device may partially attempt, device will show latest update, com[promised devices may have throttled update on attempt.\n\nFloxif:\nShort bio\nTrojan.Floxif is Malwarebytes\u2019 detection name for a file-changing Trojanthat targets Windows systems.\n\nSymptoms\nTrojan.Floxif can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine.\n\nStaged data. Floxif primarily target Windows, Apple is less vulnerable to buy can be experience a Floxif attack.", "modified": "2024-01-20T14:03:29.247000", "created": "2023-12-21T18:18:25.746000", "tags": [ "bitrep", "learn", "apple card", "apple", "apple store", "apple tv", "watch vision", "airpods tv", "apple watch", "buy apple", "apple trade", "footer", "media", "find", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious site", "hostname", "hostnames", "detection list", "blacklist", "malware", "alexa", "ip address", "whois record", "ssl certificate", "iocs", "whois whois", "historical ssl", "communicating", "threat network", "ioc search", "new ioc", "teams api", "contact", "attack", "probe", "search", "threat", "paste", "contacted", "april", "threat roundup", "pe resource", "lcid1033", "smlen", "spn647", "bv6fet56ww", "february", "core", "name verdict", "falcon sandbox", "threat analyzer", "samples", "generic malware", "tag count", "malware generic", "tue dec", "threat report", "summary", "first", "http response", "final url", "status code", "body length", "kb body", "sha256", "self", "server apple", "connection", "html info", "title apple", "meta tags", "indextab og", "apple og", "spyware", "plugins", "cab", "fraud urls", "data collection", "staged data", "privilege escalation", "defense evasion", "evasive", "stealthy", "serial number", "symantec time", "stamping", "algorithm", "thumbprint", "from", "symantec sha256", "sha256 code", "signing ca", "class", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "vs2008", "rticon english", "vs2005", "chi2", "contained", "info compiler", "products", "header target", "machine intel", "utc entry", "floxif", "serving ip", "address", "headers nel", "dynamic expires", "gmt server", "file sharing", "personal data" ], "references": [ "https://www.apple.com/qtactivex/qtplugin.cab", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "http://www.screensaver.com/ruxitbeacon", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "http://dns1.whitelist.camect.com [interesting]", "https://www.jbits.courts.state.co [interesting]", "http://www.sos.state.co/ [interesting]", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "Crowdsourced YARA Rulesets", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "20.190.160.2 Microsoft [exploit_source]", "20.190.160.67 Microsoft [exploit_source]", "20.190.160.73 Microsoft [exploit_source]", "watson.events.data.microsoft.com [traffic manager]", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "watson.telemetry.microsoft.us [Data traffic manager]", "www.anyxxxtube.net [tracking]", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Apple", "display_name": "Apple", "target": null } ], "attack_ids": [ { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 609, "FileHash-SHA1": 361, "FileHash-SHA256": 1977, "domain": 460, "hostname": 992, "URL": 3115 }, "indicator_count": 7514, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www1.timeout.nbahoopstroops.org.nbahoopstroops.org", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www1.timeout.nbahoopstroops.org.nbahoopstroops.org", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776642627.1840591 }