{ "type": "URL", "indicator": "https://x2.heqet.xyz", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://x2.heqet.xyz", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3810438165, "indicator": "https://x2.heqet.xyz", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6585b183175afafb5e3bfff5", "name": "Potential Poodle Attack against a server | Injection | Threat Network", "description": "", "modified": "2024-01-21T15:01:52.390000", "created": "2023-12-22T15:55:47.977000", "tags": [ "whois record", "ssl certificate", "threat roundup", "december", "whois whois", "historical ssl", "referrer", "problems", "november", "tsara brashears", "startpage", "core", "hacktool", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "sample summary", "as54113", "united", "xamzexpires300", "unknown", "a domains", "passive dns", "entries", "github pages", "request id", "sea x", "virtool", "accept", "cache", "hit x", "date hash", "avast avg", "files show", "execution", "contacted", "threat analyzer", "threat", "paste", "hostnames", "urls http", "noname057", "generic malware", "threat report", "ip summary", "url summary", "summary", "generic", "inject", "!#AddsCopyToStartup", "SLF:Exploit:Win32/UACPathBypass.A", "SSL excessive fatal alerts (possible POODLE attack against serve", "injector", "185.199.108.133", "malware infection", "link", "name servers", "date", "title", "urls", "domain robot", "for privacy", "redacted for", "expiration date", "emotet", "upx", "msil", "trojan", "malware", "apple", "data collection", "privilege escalation", "evasive", "show", "scan endpoints", "all octoseek", "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "copy", "threat network", "service modification", "target", "targeting an individual", "cybercrime", "fraud services", "attack", "africa", "libel", "password cracker", "ios" ], "references": [ "frostwire-5.3.9.windows.exe", "185.199.108.133", "cdn-185-199-108-133.github.com", "AS : AS16509 Amazon.com, Inc", "SRC URL : http://dl.frostwire.com/frostwire/5.3.9/frostwire-5.3.9.windows.exe", "IP : 54.192.29.164", "https://otx.alienvault.com/indicator/ip/185.199.108.133", "Malware Hosting: IPv4 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133", "YARA Rules", "Matches rule Windows_API_Function from ruleset Windows_API_Function by InQuest Labs", "Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "Matches rule UPX from ruleset UPX by kevoreilly", "REFERENCE: https://goo.gl/hXbwiV", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_JS_Command", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Mobile transactional with ads/ malicious]", "https://otx.alienvault.com/indicator/url/https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Walker | Apple Password Cracker]", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [Apple exploit]", "www.pornhub.com [New Relic | nr-data.net | Apple Private Data Collection]", "www.anyxxxtube.net", "https://otx.alienvault.com/indicator/url/https://www.bleepingcomputer.com/forums/t/268006/wormmalware-that-kills-run-system-restore-regedit/ [ phishing attack directed towards Tsara Brashears]", "phishing-campaign-cloudstation-eu-west-98.githubusercontent.com [phishing]", "louisianarooflawyers.com [phishing| songculture.com redirect , compromised by threat actors]", "103.246.145.111 [malware]", "x.ss2.us", "nr-data.net [Apple Private Data Collection]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Magic", "display_name": "Magic", "target": null }, { "id": "Multios.Coinminer.Miner-6781728-2", "display_name": "Multios.Coinminer.Miner-6781728-2", "target": null }, { "id": "Win32/Ispen BADNEWS Fake User-Agent", "display_name": "Win32/Ispen BADNEWS Fake User-Agent", "target": null }, { "id": "Babulya/CollectorStealer User-Agent", "display_name": "Babulya/CollectorStealer User-Agent", "target": null }, { "id": "Win.Malware.Generic-9820446-0", "display_name": "Win.Malware.Generic-9820446-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "VirTool:MSIL/Obfuscator.BV", "display_name": "VirTool:MSIL/Obfuscator.BV", "target": "/malware/VirTool:MSIL/Obfuscator.BV" }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "ALF:HSTR:HackTool:ExtremeInjector.S01", "display_name": "ALF:HSTR:HackTool:ExtremeInjector.S01", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "target": null }, { "id": "!#HSTR:Win32/Spectorsoft", "display_name": "!#HSTR:Win32/Spectorsoft", "target": "/malware/!#HSTR:Win32/Spectorsoft" }, { "id": "ALF:Base64EncodeFunctionMonitorW", "display_name": "ALF:Base64EncodeFunctionMonitorW", "target": null }, { "id": "185.199.108.133.Malware_Host", "display_name": "185.199.108.133.Malware_Host", "target": null }, { "id": "adware.opencandy", "display_name": "adware.opencandy", "target": null }, { "id": "Malvertizing", "display_name": "Malvertizing", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1872, "FileHash-SHA1": 1140, "FileHash-SHA256": 2367, "URL": 1969, "domain": 327, "hostname": 1025, "email": 1 }, "indicator_count": 8701, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "861 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6585b18d61efd8798827c12a", "name": "Potential Poodle Attack against a server | Injection | Threat Network", "description": "", "modified": "2024-01-21T15:01:52.390000", "created": "2023-12-22T15:55:57.639000", "tags": [ "whois record", "ssl certificate", "threat roundup", "december", "whois whois", "historical ssl", "referrer", "problems", "november", "tsara brashears", "startpage", "core", "hacktool", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "sample summary", "as54113", "united", "xamzexpires300", "unknown", "a domains", "passive dns", "entries", "github pages", "request id", "sea x", "virtool", "accept", "cache", "hit x", "date hash", "avast avg", "files show", "execution", "contacted", "threat analyzer", "threat", "paste", "hostnames", "urls http", "noname057", "generic malware", "threat report", "ip summary", "url summary", "summary", "generic", "inject", "!#AddsCopyToStartup", "SLF:Exploit:Win32/UACPathBypass.A", "SSL excessive fatal alerts (possible POODLE attack against serve", "injector", "185.199.108.133", "malware infection", "link", "name servers", "date", "title", "urls", "domain robot", "for privacy", "redacted for", "expiration date", "emotet", "upx", "msil", "trojan", "malware", "apple", "data collection", "privilege escalation", "evasive", "show", "scan endpoints", "all octoseek", "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "copy", "threat network", "service modification", "target", "targeting an individual", "cybercrime", "fraud services", "attack", "africa", "libel", "password cracker", "ios" ], "references": [ "frostwire-5.3.9.windows.exe", "185.199.108.133", "cdn-185-199-108-133.github.com", "AS : AS16509 Amazon.com, Inc", "SRC URL : http://dl.frostwire.com/frostwire/5.3.9/frostwire-5.3.9.windows.exe", "IP : 54.192.29.164", "https://otx.alienvault.com/indicator/ip/185.199.108.133", "Malware Hosting: IPv4 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133", "YARA Rules", "Matches rule Windows_API_Function from ruleset Windows_API_Function by InQuest Labs", "Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "Matches rule UPX from ruleset UPX by kevoreilly", "REFERENCE: https://goo.gl/hXbwiV", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_JS_Command", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Mobile transactional with ads/ malicious]", "https://otx.alienvault.com/indicator/url/https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Walker | Apple Password Cracker]", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [Apple exploit]", "www.pornhub.com [New Relic | nr-data.net | Apple Private Data Collection]", "www.anyxxxtube.net", "https://otx.alienvault.com/indicator/url/https://www.bleepingcomputer.com/forums/t/268006/wormmalware-that-kills-run-system-restore-regedit/ [ phishing attack directed towards Tsara Brashears]", "phishing-campaign-cloudstation-eu-west-98.githubusercontent.com [phishing]", "louisianarooflawyers.com [phishing| songculture.com redirect , compromised by threat actors]", "103.246.145.111 [malware]", "x.ss2.us", "nr-data.net [Apple Private Data Collection]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Magic", "display_name": "Magic", "target": null }, { "id": "Multios.Coinminer.Miner-6781728-2", "display_name": "Multios.Coinminer.Miner-6781728-2", "target": null }, { "id": "Win32/Ispen BADNEWS Fake User-Agent", "display_name": "Win32/Ispen BADNEWS Fake User-Agent", "target": null }, { "id": "Babulya/CollectorStealer User-Agent", "display_name": "Babulya/CollectorStealer User-Agent", "target": null }, { "id": "Win.Malware.Generic-9820446-0", "display_name": "Win.Malware.Generic-9820446-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "VirTool:MSIL/Obfuscator.BV", "display_name": "VirTool:MSIL/Obfuscator.BV", "target": "/malware/VirTool:MSIL/Obfuscator.BV" }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "ALF:HSTR:HackTool:ExtremeInjector.S01", "display_name": "ALF:HSTR:HackTool:ExtremeInjector.S01", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "target": null }, { "id": "!#HSTR:Win32/Spectorsoft", "display_name": "!#HSTR:Win32/Spectorsoft", "target": "/malware/!#HSTR:Win32/Spectorsoft" }, { "id": "ALF:Base64EncodeFunctionMonitorW", "display_name": "ALF:Base64EncodeFunctionMonitorW", "target": null }, { "id": "185.199.108.133.Malware_Host", "display_name": "185.199.108.133.Malware_Host", "target": null }, { "id": "adware.opencandy", "display_name": "adware.opencandy", "target": null }, { "id": "Malvertizing", "display_name": "Malvertizing", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1872, "FileHash-SHA1": 1140, "FileHash-SHA256": 2367, "URL": 1969, "domain": 327, "hostname": 1025, "email": 1 }, "indicator_count": 8701, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "861 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658481716d9034bb0d52212d", "name": "Apple Attack | Floxif Spyware | Threat Network | Virus Network", "description": "Threat Network affecting and/or originating from Apple server. Malware attacks apple airpods, tv, apple store\napple trade, apple tv\napple watch, apple card, apple og?, apple server.\nSystemUpdate.dll issue. Device may partially attempt, device will show latest update, com[promised devices may have throttled update on attempt.\n\nFloxif:\nShort bio\nTrojan.Floxif is Malwarebytes\u2019 detection name for a file-changing Trojanthat targets Windows systems.\n\nSymptoms\nTrojan.Floxif can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine.\n\nStaged data. Floxif primarily target Windows, Apple is less vulnerable to buy can be experience a Floxif attack.", "modified": "2024-01-20T14:03:29.247000", "created": "2023-12-21T18:18:25.746000", "tags": [ "bitrep", "learn", "apple card", "apple", "apple store", "apple tv", "watch vision", "airpods tv", "apple watch", "buy apple", "apple trade", "footer", "media", "find", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious site", "hostname", "hostnames", "detection list", "blacklist", "malware", "alexa", "ip address", "whois record", "ssl certificate", "iocs", "whois whois", "historical ssl", "communicating", "threat network", "ioc search", "new ioc", "teams api", "contact", "attack", "probe", "search", "threat", "paste", "contacted", "april", "threat roundup", "pe resource", "lcid1033", "smlen", "spn647", "bv6fet56ww", "february", "core", "name verdict", "falcon sandbox", "threat analyzer", "samples", "generic malware", "tag count", "malware generic", "tue dec", "threat report", "summary", "first", "http response", "final url", "status code", "body length", "kb body", "sha256", "self", "server apple", "connection", "html info", "title apple", "meta tags", "indextab og", "apple og", "spyware", "plugins", "cab", "fraud urls", "data collection", "staged data", "privilege escalation", "defense evasion", "evasive", "stealthy", "serial number", "symantec time", "stamping", "algorithm", "thumbprint", "from", "symantec sha256", "sha256 code", "signing ca", "class", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "vs2008", "rticon english", "vs2005", "chi2", "contained", "info compiler", "products", "header target", "machine intel", "utc entry", "floxif", "serving ip", "address", "headers nel", "dynamic expires", "gmt server", "file sharing", "personal data" ], "references": [ "https://www.apple.com/qtactivex/qtplugin.cab", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "http://www.screensaver.com/ruxitbeacon", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "http://dns1.whitelist.camect.com [interesting]", "https://www.jbits.courts.state.co [interesting]", "http://www.sos.state.co/ [interesting]", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "Crowdsourced YARA Rulesets", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "20.190.160.2 Microsoft [exploit_source]", "20.190.160.67 Microsoft [exploit_source]", "20.190.160.73 Microsoft [exploit_source]", "watson.events.data.microsoft.com [traffic manager]", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "watson.telemetry.microsoft.us [Data traffic manager]", "www.anyxxxtube.net [tracking]", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Apple", "display_name": "Apple", "target": null } ], "attack_ids": [ { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 609, "FileHash-SHA1": 361, "FileHash-SHA256": 1977, "domain": 460, "hostname": 992, "URL": 3115 }, "indicator_count": 7514, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_JS_Command", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "http://www.screensaver.com/ruxitbeacon", "AS : AS16509 Amazon.com, Inc", "https://otx.alienvault.com/indicator/ip/185.199.108.133", "YARA Rules", "https://www.apple.com/qtactivex/qtplugin.cab", "185.199.108.133", "https://otx.alienvault.com/indicator/url/https://www.bleepingcomputer.com/forums/t/268006/wormmalware-that-kills-run-system-restore-regedit/ [ phishing attack directed towards Tsara Brashears]", "x.ss2.us", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "watson.telemetry.microsoft.us [Data traffic manager]", "nr-data.net [Apple Private Data Collection]", "SRC URL : http://dl.frostwire.com/frostwire/5.3.9/frostwire-5.3.9.windows.exe", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [Apple exploit]", "20.190.160.67 Microsoft [exploit_source]", "cdn-185-199-108-133.github.com", "www.pornhub.com [New Relic | nr-data.net | Apple Private Data Collection]", "Crowdsourced YARA Rulesets", "20.190.160.2 Microsoft [exploit_source]", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "https://www.jbits.courts.state.co [interesting]", "20.190.160.73 Microsoft [exploit_source]", "https://otx.alienvault.com/indicator/url/https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Walker | Apple Password Cracker]", "Matches rule Windows_API_Function from ruleset Windows_API_Function by InQuest Labs", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]", "Malware Hosting: IPv4 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "REFERENCE: https://goo.gl/hXbwiV", "www.anyxxxtube.net [tracking]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Mobile transactional with ads/ malicious]", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "103.246.145.111 [malware]", "IP : 54.192.29.164", "phishing-campaign-cloudstation-eu-west-98.githubusercontent.com [phishing]", "www.anyxxxtube.net", "http://www.sos.state.co/ [interesting]", "louisianarooflawyers.com [phishing| songculture.com redirect , compromised by threat actors]", "frostwire-5.3.9.windows.exe", "watson.events.data.microsoft.com [traffic manager]", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "Matches rule UPX from ruleset UPX by kevoreilly", "Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "http://dns1.whitelist.camect.com [interesting]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "!#hstr:win32/spectorsoft", "Generic", "Virtool", "Apple", "Worm:win32/autorun!atmn", "Hacktool", "Babulya/collectorstealer user-agent", "Win32/ispen badnews fake user-agent", "Alf:base64encodefunctionmonitorw", "Malvertizing", "Magic", "Emotet", "Alf:hstr:hacktool:extremeinjector.s01", "Adware.opencandy", "Multios.coinminer.miner-6781728-2", "Win.malware.generic-9820446-0", "Win.trojan.emotet-9850453-0", "Virtool:msil/obfuscator.bv", "Alf:heraklezeval:trojan:win32/agenttesla!rfn", "Tulach", "185.199.108.133.malware_host", "Malware" ], "industries": [], "unique_indicators": 16210 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/heqet.xyz", "whois": "http://whois.domaintools.com/heqet.xyz", "domain": "heqet.xyz", "hostname": "x2.heqet.xyz" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6585b183175afafb5e3bfff5", "name": "Potential Poodle Attack against a server | Injection | Threat Network", "description": "", "modified": "2024-01-21T15:01:52.390000", "created": "2023-12-22T15:55:47.977000", "tags": [ "whois record", "ssl certificate", "threat roundup", "december", "whois whois", "historical ssl", "referrer", "problems", "november", "tsara brashears", "startpage", "core", "hacktool", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "sample summary", "as54113", "united", "xamzexpires300", "unknown", "a domains", "passive dns", "entries", "github pages", "request id", "sea x", "virtool", "accept", "cache", "hit x", "date hash", "avast avg", "files show", "execution", "contacted", "threat analyzer", "threat", "paste", "hostnames", "urls http", "noname057", "generic malware", "threat report", "ip summary", "url summary", "summary", "generic", "inject", "!#AddsCopyToStartup", "SLF:Exploit:Win32/UACPathBypass.A", "SSL excessive fatal alerts (possible POODLE attack against serve", "injector", "185.199.108.133", "malware infection", "link", "name servers", "date", "title", "urls", "domain robot", "for privacy", "redacted for", "expiration date", "emotet", "upx", "msil", "trojan", "malware", "apple", "data collection", "privilege escalation", "evasive", "show", "scan endpoints", "all octoseek", "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "copy", "threat network", "service modification", "target", "targeting an individual", "cybercrime", "fraud services", "attack", "africa", "libel", "password cracker", "ios" ], "references": [ "frostwire-5.3.9.windows.exe", "185.199.108.133", "cdn-185-199-108-133.github.com", "AS : AS16509 Amazon.com, Inc", "SRC URL : http://dl.frostwire.com/frostwire/5.3.9/frostwire-5.3.9.windows.exe", "IP : 54.192.29.164", "https://otx.alienvault.com/indicator/ip/185.199.108.133", "Malware Hosting: IPv4 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133", "YARA Rules", "Matches rule Windows_API_Function from ruleset Windows_API_Function by InQuest Labs", "Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "Matches rule UPX from ruleset UPX by kevoreilly", "REFERENCE: https://goo.gl/hXbwiV", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_JS_Command", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Mobile transactional with ads/ malicious]", "https://otx.alienvault.com/indicator/url/https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Walker | Apple Password Cracker]", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [Apple exploit]", "www.pornhub.com [New Relic | nr-data.net | Apple Private Data Collection]", "www.anyxxxtube.net", "https://otx.alienvault.com/indicator/url/https://www.bleepingcomputer.com/forums/t/268006/wormmalware-that-kills-run-system-restore-regedit/ [ phishing attack directed towards Tsara Brashears]", "phishing-campaign-cloudstation-eu-west-98.githubusercontent.com [phishing]", "louisianarooflawyers.com [phishing| songculture.com redirect , compromised by threat actors]", "103.246.145.111 [malware]", "x.ss2.us", "nr-data.net [Apple Private Data Collection]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Magic", "display_name": "Magic", "target": null }, { "id": "Multios.Coinminer.Miner-6781728-2", "display_name": "Multios.Coinminer.Miner-6781728-2", "target": null }, { "id": "Win32/Ispen BADNEWS Fake User-Agent", "display_name": "Win32/Ispen BADNEWS Fake User-Agent", "target": null }, { "id": "Babulya/CollectorStealer User-Agent", "display_name": "Babulya/CollectorStealer User-Agent", "target": null }, { "id": "Win.Malware.Generic-9820446-0", "display_name": "Win.Malware.Generic-9820446-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "VirTool:MSIL/Obfuscator.BV", "display_name": "VirTool:MSIL/Obfuscator.BV", "target": "/malware/VirTool:MSIL/Obfuscator.BV" }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "ALF:HSTR:HackTool:ExtremeInjector.S01", "display_name": "ALF:HSTR:HackTool:ExtremeInjector.S01", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "target": null }, { "id": "!#HSTR:Win32/Spectorsoft", "display_name": "!#HSTR:Win32/Spectorsoft", "target": "/malware/!#HSTR:Win32/Spectorsoft" }, { "id": "ALF:Base64EncodeFunctionMonitorW", "display_name": "ALF:Base64EncodeFunctionMonitorW", "target": null }, { "id": "185.199.108.133.Malware_Host", "display_name": "185.199.108.133.Malware_Host", "target": null }, { "id": "adware.opencandy", "display_name": "adware.opencandy", "target": null }, { "id": "Malvertizing", "display_name": "Malvertizing", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1872, "FileHash-SHA1": 1140, "FileHash-SHA256": 2367, "URL": 1969, "domain": 327, "hostname": 1025, "email": 1 }, "indicator_count": 8701, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "861 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6585b18d61efd8798827c12a", "name": "Potential Poodle Attack against a server | Injection | Threat Network", "description": "", "modified": "2024-01-21T15:01:52.390000", "created": "2023-12-22T15:55:57.639000", "tags": [ "whois record", "ssl certificate", "threat roundup", "december", "whois whois", "historical ssl", "referrer", "problems", "november", "tsara brashears", "startpage", "core", "hacktool", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "sample summary", "as54113", "united", "xamzexpires300", "unknown", "a domains", "passive dns", "entries", "github pages", "request id", "sea x", "virtool", "accept", "cache", "hit x", "date hash", "avast avg", "files show", "execution", "contacted", "threat analyzer", "threat", "paste", "hostnames", "urls http", "noname057", "generic malware", "threat report", "ip summary", "url summary", "summary", "generic", "inject", "!#AddsCopyToStartup", "SLF:Exploit:Win32/UACPathBypass.A", "SSL excessive fatal alerts (possible POODLE attack against serve", "injector", "185.199.108.133", "malware infection", "link", "name servers", "date", "title", "urls", "domain robot", "for privacy", "redacted for", "expiration date", "emotet", "upx", "msil", "trojan", "malware", "apple", "data collection", "privilege escalation", "evasive", "show", "scan endpoints", "all octoseek", "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "copy", "threat network", "service modification", "target", "targeting an individual", "cybercrime", "fraud services", "attack", "africa", "libel", "password cracker", "ios" ], "references": [ "frostwire-5.3.9.windows.exe", "185.199.108.133", "cdn-185-199-108-133.github.com", "AS : AS16509 Amazon.com, Inc", "SRC URL : http://dl.frostwire.com/frostwire/5.3.9/frostwire-5.3.9.windows.exe", "IP : 54.192.29.164", "https://otx.alienvault.com/indicator/ip/185.199.108.133", "Malware Hosting: IPv4 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133", "YARA Rules", "Matches rule Windows_API_Function from ruleset Windows_API_Function by InQuest Labs", "Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "Matches rule UPX from ruleset UPX by kevoreilly", "REFERENCE: https://goo.gl/hXbwiV", "RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_JS_Command", "More information: https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Mobile transactional with ads/ malicious]", "https://otx.alienvault.com/indicator/url/https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Walker | Apple Password Cracker]", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [Apple exploit]", "www.pornhub.com [New Relic | nr-data.net | Apple Private Data Collection]", "www.anyxxxtube.net", "https://otx.alienvault.com/indicator/url/https://www.bleepingcomputer.com/forums/t/268006/wormmalware-that-kills-run-system-restore-regedit/ [ phishing attack directed towards Tsara Brashears]", "phishing-campaign-cloudstation-eu-west-98.githubusercontent.com [phishing]", "louisianarooflawyers.com [phishing| songculture.com redirect , compromised by threat actors]", "103.246.145.111 [malware]", "x.ss2.us", "nr-data.net [Apple Private Data Collection]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Magic", "display_name": "Magic", "target": null }, { "id": "Multios.Coinminer.Miner-6781728-2", "display_name": "Multios.Coinminer.Miner-6781728-2", "target": null }, { "id": "Win32/Ispen BADNEWS Fake User-Agent", "display_name": "Win32/Ispen BADNEWS Fake User-Agent", "target": null }, { "id": "Babulya/CollectorStealer User-Agent", "display_name": "Babulya/CollectorStealer User-Agent", "target": null }, { "id": "Win.Malware.Generic-9820446-0", "display_name": "Win.Malware.Generic-9820446-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "VirTool:MSIL/Obfuscator.BV", "display_name": "VirTool:MSIL/Obfuscator.BV", "target": "/malware/VirTool:MSIL/Obfuscator.BV" }, { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "ALF:HSTR:HackTool:ExtremeInjector.S01", "display_name": "ALF:HSTR:HackTool:ExtremeInjector.S01", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn", "target": null }, { "id": "!#HSTR:Win32/Spectorsoft", "display_name": "!#HSTR:Win32/Spectorsoft", "target": "/malware/!#HSTR:Win32/Spectorsoft" }, { "id": "ALF:Base64EncodeFunctionMonitorW", "display_name": "ALF:Base64EncodeFunctionMonitorW", "target": null }, { "id": "185.199.108.133.Malware_Host", "display_name": "185.199.108.133.Malware_Host", "target": null }, { "id": "adware.opencandy", "display_name": "adware.opencandy", "target": null }, { "id": "Malvertizing", "display_name": "Malvertizing", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1872, "FileHash-SHA1": 1140, "FileHash-SHA256": 2367, "URL": 1969, "domain": 327, "hostname": 1025, "email": 1 }, "indicator_count": 8701, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "861 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658481716d9034bb0d52212d", "name": "Apple Attack | Floxif Spyware | Threat Network | Virus Network", "description": "Threat Network affecting and/or originating from Apple server. Malware attacks apple airpods, tv, apple store\napple trade, apple tv\napple watch, apple card, apple og?, apple server.\nSystemUpdate.dll issue. Device may partially attempt, device will show latest update, com[promised devices may have throttled update on attempt.\n\nFloxif:\nShort bio\nTrojan.Floxif is Malwarebytes\u2019 detection name for a file-changing Trojanthat targets Windows systems.\n\nSymptoms\nTrojan.Floxif can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine.\n\nStaged data. Floxif primarily target Windows, Apple is less vulnerable to buy can be experience a Floxif attack.", "modified": "2024-01-20T14:03:29.247000", "created": "2023-12-21T18:18:25.746000", "tags": [ "bitrep", "learn", "apple card", "apple", "apple store", "apple tv", "watch vision", "airpods tv", "apple watch", "buy apple", "apple trade", "footer", "media", "find", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious site", "hostname", "hostnames", "detection list", "blacklist", "malware", "alexa", "ip address", "whois record", "ssl certificate", "iocs", "whois whois", "historical ssl", "communicating", "threat network", "ioc search", "new ioc", "teams api", "contact", "attack", "probe", "search", "threat", "paste", "contacted", "april", "threat roundup", "pe resource", "lcid1033", "smlen", "spn647", "bv6fet56ww", "february", "core", "name verdict", "falcon sandbox", "threat analyzer", "samples", "generic malware", "tag count", "malware generic", "tue dec", "threat report", "summary", "first", "http response", "final url", "status code", "body length", "kb body", "sha256", "self", "server apple", "connection", "html info", "title apple", "meta tags", "indextab og", "apple og", "spyware", "plugins", "cab", "fraud urls", "data collection", "staged data", "privilege escalation", "defense evasion", "evasive", "stealthy", "serial number", "symantec time", "stamping", "algorithm", "thumbprint", "from", "symantec sha256", "sha256 code", "signing ca", "class", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "vs2008", "rticon english", "vs2005", "chi2", "contained", "info compiler", "products", "header target", "machine intel", "utc entry", "floxif", "serving ip", "address", "headers nel", "dynamic expires", "gmt server", "file sharing", "personal data" ], "references": [ "https://www.apple.com/qtactivex/qtplugin.cab", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "http://www.screensaver.com/ruxitbeacon", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "http://dns1.whitelist.camect.com [interesting]", "https://www.jbits.courts.state.co [interesting]", "http://www.sos.state.co/ [interesting]", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "Crowdsourced YARA Rulesets", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "20.190.160.2 Microsoft [exploit_source]", "20.190.160.67 Microsoft [exploit_source]", "20.190.160.73 Microsoft [exploit_source]", "watson.events.data.microsoft.com [traffic manager]", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "watson.telemetry.microsoft.us [Data traffic manager]", "www.anyxxxtube.net [tracking]", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Apple", "display_name": "Apple", "target": null } ], "attack_ids": [ { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 609, "FileHash-SHA1": 361, "FileHash-SHA256": 1977, "domain": 460, "hostname": 992, "URL": 3115 }, "indicator_count": 7514, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://x2.heqet.xyz", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://x2.heqet.xyz", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780312191.7409387 }