{ "type": "URL", "indicator": "https://zzciai.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://zzciai.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3837578503, "indicator": "https://zzciai.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 16, "pulses": [ { "id": "65eb9b88c811f35e060a2aa5", "name": "Emotet | YouTube \u2022 Darklivity Podcast \"Crimes of Tracey Richter\"", "description": "", "modified": "2024-08-14T06:01:01.267000", "created": "2024-03-08T23:13:12.950000", "tags": [ "communicating", "replacement", "unauthorized", "cyber attack", "emotet", "suspicious", "ransom", "Jays Youtube Bot.exe", "united", "unknown", "passive dns", "gmt server", "gmt etag", "accept encoding", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "accept", "pragma", "injection", "downloader", "as44273 host", "search", "record value", "status", "nxdomain", "content type", "next", "body", "entries", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "win32", "as15169 google", "aaaa", "domain", "pulse pulses", "urls", "contacted", "contacted urls", "whois whois", "pcname", "machinename", "execution", "bundled", "whois sneaky", "smokeloader", "amadey", "android", "youtube", "darklivity podcast", "tracey richter", "michael roberts", "server redirect", "hacking", "botnet", "application/binary", "jomax", "early, iowa", "hacker", "ruthless", "colorado", "pitman and or dentist hired roberts obvi", "song culture", "tsara brashears" ], "references": [ "www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2]", "message.htm.com [Ransom | Malware Spreader]", "Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae", "Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752", "Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea", "Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI]", "Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 \u2022 303 status redirect to Bot server.", "host.secureserver.net \u2022 htm.com \u2022 rue.services \u2022 199.22.109.208.host.secureserver.net \u2022 n1s.18b.mywebsitetransfer.com \u2022 mywebsitetransfer.com", "godaddy.com \u2022 prod.phx3.secureserver.net", "Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab", "Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5", "Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d", "Amadey: FileHash-SHA1\te44a9e7ec6fe06ae6ba1b9518db78e95ad451942", "Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357", "Amadey: IP 104.26.5.15", "CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed.", "Attempted to send viewer to own server.", "How about stop harming people" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.Win32.Snovir.kfmibf", "display_name": "Trojan.Win32.Snovir.kfmibf", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65ea64dbc3938c6472fd5e7b", "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 121, "FileHash-SHA1": 120, "FileHash-SHA256": 1086, "URL": 391, "domain": 285, "hostname": 369, "email": 1 }, "indicator_count": 2373, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "613 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65fc4d4c24f2000879921be5", "name": "The Org : FormBook CnC | Pykspa", "description": "Front Facing Description: 'TheOrg' (https://theorg.com) The Org\nThe Org is an online professional community platform. It helps organizations get more exposure externally and operate more efficiently internally. | efficiently internally | Nefarious scheme? Unclear. Possible visa, immigration scheme. | Pykspa is a piece of malware that can be used to remotely control infected systems. It also enables attackers to. download other malware or extract personal data. || Dark. | Score 100% Falcon Sandbox | Evasive. Moved permanently 03/21/2024 | FormBook is an infostealer of browser cached credentials , screenshots, keystrokes. | Tags auto populated", "modified": "2024-04-20T14:04:02.366000", "created": "2024-03-21T15:07:56.415000", "tags": [ "q https", "https", "enablement", "org log", "sign", "contact", "right person", "explore", "start", "grafana labs", "ogilvy", "figma", "find", "apollo", "http", "span", "learn", "html", "expiry", "form", "label", "youtube video", "linkedin", "input", "pixel", "legend", "cookie", "march", "de indicators", "domains", "hashes", "gmbh version", "status page", "service privacy", "legal", "impressum", "reverse dns", "general full", "url https", "protocol h2", "security tls", "united", "resource", "asn16509", "amazon02", "name value", "main", "ssl certificate", "whois record", "whois whois", "resolutions", "threat roundup", "communicating", "referrer", "subdomains", "historical ssl", "collections", "june", "february", "blister", "cobalt strike", "phishing", "formbook", "contacted", "ip check", "adult content", "divergent", "hacktool", "copy", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers age", "cachecontrol", "connection", "tsara brashears", "malicious", "life", "core", "dns replication", "date", "win32 exe", "files", "detections type", "name", "wininit", "office open", "xml document", "qiwi hack", "android", "mgeinteg", "html info", "title", "org meta", "tags viewport", "org twitter", "org og", "the org", "utc google", "tag manager", "g5nxq655fgp", "domain", "search", "status", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "passive dns", "urls", "bhagam bhag", "home screen", "entries", "createdate", "title bhagam", "select xmp", "filehash", "malware", "format", "unknown", "meta", "as44273 host", "creation date", "moved", "encrypt", "district", "body", "window", "hall law", "a domains", "script urls", "datalayer", "registrar", "next", "accept encoding", "showing", "yara rule", "http host", "worm", "high", "possible", "win32", "bits", "cname", "as396982 google", "redacted for", "expiration date", "div div", "as26710 icann", "script domains", "citadel", "indonesia", "get updates", "write c", "create c", "read c", "show", "default", "common upatre", "upatre", "downloader", "zeus", "write", "execution", "regsetvalueexa", "regdword", "module load", "dock", "persistence", "as54113", "github pages", "formbook cnc", "checkin", "lowfi", "class", "trojan", "accept", "visa scheme", "mtb feb", "mtb jan", "romeo scheme", "exploitation", "pattern match", "command decode", "mitre att", "suricata ipv4", "ck id", "show technique", "ck matrix", "suricata udpv4", "facebook", "hybrid", "general", "model", "comspec", "click", "strings", "footer", "michelle", "nora", "hallrender", "name servers", "record value", "emails", "servers", "found", "gmt content", "error", "code", "men", "man", "woman", "hit", "sreredrum", "honey client", "hiv", "threat", "paste", "iocs", "urls https", "malicious site", "phishing site", "blockchain", "unsafe", "malware site", "malicious url", "phishtank", "cyber threat", "artemis", "asyncrat", "team", "cisco umbrella", "site", "safe site", "heur", "million", "xrat", "downldr", "union", "bank", "gvt google video transcoding", "malvertizing", "targeting", "target", "yandex dropper extend", "remote procedure call", "identity_helper.exe", "cookie bot" ], "references": [ "https://theorg.com", "Ransom: CVE-2023-4966", "Ransom: ransomed.vc", "FormBook: a4ec4c6ea1c92e2e6.awsglobalaccelerator.com", "Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | 103.246.145.111", "Malware: 0a6e883228a04a6e8738511a6210914dea1773d88cf57950c83e092f02c7f3bf - Other:Malware-gen\\ [Trj]", "Yara Detections invalid_trailer_structure , multiple_versions", "Malware Hosting IP addresses: 141.193.213.20 | 185.199.108.153| 185.199.110.153 | 185.199.111.153", "https://otx.alienvault.com/indicator/url/https://theorg.com/_next/data/Gh7c6NpBHZESb74aisPB8/org/springboard-collaborative.json?companySlug=springboard-collaborative", "Scanning host: 31.214.178.54 , 37.152.88.54", "Yara Detections: vad_contains_network_strings information | HackToolWin32Patch CodeOverlap | PWSWin32Phorex CodeOverlap", "Yara: TrojanDropperWin32Ropest | CodeOverlap TrojanWin32Gatsorm | CodeOverlap TrojanWinNTConficker | CodeOverlap Alerts: WormWin32Pykspa", "Aspnet collect: https://otx.alienvault.com/otxapi/indicators/file/screenshot/000444cc67b97f45f11e1fdf89ad8f5127c87aa858fe151fa9c4975276f53b42", "development.digitalphotogallery.com _YandexDropperExtend", "Emotet: FileHash-MD5 bafae95c36402dfc1ea5fa04523e4e81", "Emotet: FileHash-SHA256 db9d59b0f192c91f8ecf939c415b3252b13b0fb052d4a66ceefb80dfb43d6e8a |", "Emotet: FileHash-SHA1\t19c14ab0aaab2c1dd922f0baca3cf64056f80acc", "thevisafirm.com | Immigration Lawyers Capital Immigration Lawyers Green Card Lawyer [ London, DC] malicious", "www.hallinjurylaw.com |\tMinneapolis Personal Injury Lawyer Personal Injury Law Experts", "Malvertizing, Phishing, Botnet PWD: https://pin.it/ | https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com", "Phishing, Botnet PWD:https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://www.sweetheartvideo.com/tsara-brashears/ | www.sweetheartvideo.com", "https://hybrid-analysis.com/sample/ac09d7f6b26675a529a366b47bc09b3fd776576fb099c020f57204ff7b4ea31c", "CVE-2007-3896 | CVE-2023-22518 | CVE-2023-4966", "jpocxaar1---r3---sn-jpocxaa-a03e.gvt1.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Win32:Renos-KY\\ [Trj]", "display_name": "Win32:Renos-KY\\ [Trj]", "target": null }, { "id": "Win.Worm.Pykspa-1", "display_name": "Win.Worm.Pykspa-1", "target": null }, { "id": "Worm:Win32/Pykspa.C", "display_name": "Worm:Win32/Pykspa.C", "target": "/malware/Worm:Win32/Pykspa.C" }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "ApolloLocker", "display_name": "ApolloLocker", "target": null }, { "id": "TrojanDropper:Win32", "display_name": "TrojanDropper:Win32", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Media", "Immigration", "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4567, "domain": 2576, "hostname": 1212, "FileHash-SHA256": 3836, "FileHash-MD5": 744, "FileHash-SHA1": 724, "CVE": 5, "email": 9, "SSLCertFingerprint": 1 }, "indicator_count": 13674, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "729 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eff46bdd371899ca5be7d7", "name": "CrypterX-gen | Video-lal.com | M. Brian Sabey \u2022 Hall Render | Rexxfield", "description": "Videolal results. Parked. Owner of domain has subsidiaries including Huge Domains. It's possible for attacker to post a 404 error page, park, post it for sale, malvertize. HoneyPotBot? \n\nFireeye. A bit much. william.ballenthin@fireeye.com\t\ncontain a resource (.rsrc) section moritz.raabe@fireeye.com. Overkill. What would Scooby Doo? Scooby!? \nTarget reports opening her MacBook Pro after it was replaced by Apple. It hadn't been in use. She opened it, surprised it was on, automatically connected to a store wifi (she was home) A worker was typing away in terminal. Fought hacker for recordings app containing Jeffrey Reimers aggressions. She lost. Terrified she murdered her MacBook by drowning & dismemberment. Big mistake. Cloned MacBook. Clicked on links trigger malicious downloads, network & DNS issues.", "modified": "2024-04-11T04:01:24.166000", "created": "2024-03-12T06:21:31.484000", "tags": [ "upatre malware", "rwi dtools", "page dow", "security", "bitfender", "yandex", "malware", "all octoseek", "av detections", "ids detections", "yara detections", "alerts", "file score", "fireeye", "injection", "worm", "trojan", "network", "poster", "honeybots", "united", "unknown", "win32upatre mar", "passive dns", "entries", "ipv4", "body", "artro", "generic malware", "formbook", "tag count", "threat report", "ip summary", "url summary", "generic", "hostnames", "pattern match", "ascii text", "png image", "root ca", "file", "authority", "indicator", "mitre att", "ck id", "class", "date", "enterprise", "hybrid", "accept", "general", "local", "click", "strings", "trident", "as47846", "germany unknown", "as2906 netflix", "scan endpoints", "domain", "urls", "files", "trojanspy", "mozilla", "dynamicloader", "medium", "title", "ms windows", "head", "intel", "inetsim http", "delete c", "show", "winnt", "copy", "powershell", "write", "next", "suspicious", "shop", "graph api", "status", "join", "vt community", "api key", "xcitium verdict", "cloud", "contacted", "contacted urls", "ssl certificate", "referrer", "historical ssl", "parent domain", "apple ios", "resolutions", "execution", "hacktool", "outbound connection", "detection list", "blacklist" ], "references": [ "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/ \u2022", "http://systemforex.de/search/redirect.php?f= | http://it.marksypark.com | dont-delete.hugedomains.com | http://selfsparkcentral.com", "william.ballenthin@fireeye.com contain a resource (.rsrc) section\tmoritz.raabe@fireeye.com | Pattern match: \"jloup@gzip.org\" & \"fancybox@3.5.7\"", "FormBook: 104.247.81.53 \u2022 http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "Win32:CrypterX-gen\\ [Trj] | FileHash-MD5 6878e9896fdd84dcc11c997c9b7330ba", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA1 2e586f8db46953532b5e25e07add4dbaeea83a79", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA256 00027d11309d55312ae77f32d4ae79671c91f541e577bace7a5a5abde05563ad", "Win32/Renos: https://otx.alienvault.com/malware/ALF:JASYP:TrojanDownloader:Win32%2FRenos/", "Other:Malware-gen\\ [Trj] | FileHash-MD5 b5168dab50187b33460201b35b96dea7", "Other:Malware-gen\\ [Trj] | FileHash-SHA1 68868b3d0115e3d06f5fddb9d2ea6ad54270166c", "Other:Malware-gen\\ [Trj] | FileHash-SHA256 0000ba467dd40046e240c11251d9db03636d0e7c6f9f96354a46a441c2003143", "allocates_execute_remote_process \u2022 injection_write_memory \u2022 injection_resumethread \u2022 packer_entropy \u2022 network _icmp \u2022 injection_runpe", "injection_write_memory_exe \u2022 injection_ntsetcontextthread \u2022 dumped_buffer \u2022 checks_debugger \u2022 generates_crypto_key \u2022 antivm_memory_available", "CnC IP Addresses: 104.247.81.53 \u2022 185.64.219.6 \u2022 199.191.50.82 \u2022 203.107.45.167 \u2022 91.195.240.94 \u2022 167.235.143.33", "AA47 More AV Detection Ratio 984 / 1000 IDS Detections Win32.Renos/ArtroMALWARETrojan Checkin M1 Possible Fake AV Checkin Fakealert. AA47 More AV Detection Ratio 984 / 1000 IDS Detections /Trojan Checkin M1 Possible Fake AV Checkin Fakealert.", "Videolal: 18.119.154.66:80 (endpoint request) \u2022 54.209.32.212 \u2022 http://videolal.com (phishing) \u2022 http://videolal.com/ \u2022 videolal.com \u2022 www.videolal.com \u2022", "www.videolal.com \u2022 httpvideolal.com \u2022 https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct.html", "https://www.hugedomains.com/domain_profile.cfm?d=videolal.com \u2022 https://www.hugedomains.com/domain_profile.cfm?d=videolal.com\"", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html \u2022", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html", "https://videolal.com/videos/tsara-brashears-assaulted-by-jeffrey-reimer-metlife-login-retirement.html \u2022 https://videolal.com/css/js/jquery-ui.min.js", "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html \u2022 https://videolal.com/css/jquery-ui.css \u2022 http://videolal.com/tsara-brashears.html", "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/tsara-brashears.html \u2022 http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://videolal.com/jeffrey-reimer-dpt-sexual-misconduct.html \u2022 http://videolal.com/tsara-brashears.html", "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html \u2022 http://videolal.com/the-man-who-built-america-1.html", "http://videolal.com/the-man-who-built-america-1.html \u2022 http://videolal.com/pinnacol-assurance-assaulted-by-jeffrey-", "http://videolal.com/jeffrey-reimer-dpt-physical-therapy-assaulted-patient.html \u2022 http://videolal.com/jeff-reimer-", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html \u2022", "http://videolal.com/jeff-reimer-dpt-buys-assault-victims-silence.html \u2022 http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/4998a7eac2a056833d01ee1e60c68c1f83f9ad6cd790ced9511e73cc12780f3c", "https://otx.alienvault.com/malware/Trojan:Win32%2FCrypterX/", "\u2192https://otx.alienvault.com/pulse/65eedf74b7bdda41057bef3e", "\u2192https://otx.alienvault.com/pulse/65ef3723d27863fc33a6b671", "\u2192https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "\u2192https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32:CrypterX-gen\\ [Trj]", "display_name": "Win32:CrypterX-gen\\ [Trj]", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Win32.Renos/Artro", "display_name": "Win32.Renos/Artro", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "I-Worm/Bagle.QE", "display_name": "I-Worm/Bagle.QE", "target": null }, { "id": "Worm.Bagle-44", "display_name": "Worm.Bagle-44", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" }, { "id": "Win.Trojan.Generic-9897526-0", "display_name": "Win.Trojan.Generic-9897526-0", "target": null }, { "id": "Win.Trojan.Knigsfot-125", "display_name": "Win.Trojan.Knigsfot-125", "target": null }, { "id": "ALF:TrojanDownloader:Win32/Vadokrist.A", "display_name": "ALF:TrojanDownloader:Win32/Vadokrist.A", "target": null }, { "id": "Win.Trojan.Generic-9957168-0", "display_name": "Win.Trojan.Generic-9957168-0", "target": null }, { "id": "Win.Adware.RelevantKnowledge-9821121-0", "display_name": "Win.Adware.RelevantKnowledge-9821121-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Neurevt", "display_name": "ALF:HeraklezEval:Trojan:Win32/Neurevt", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1622, "FileHash-SHA1": 934, "FileHash-SHA256": 3289, "URL": 9605, "domain": 2321, "hostname": 2411, "CVE": 1, "email": 3 }, "indicator_count": 20186, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "738 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e863bebbf95e0dc5a4169a", "name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack expected", "description": "Network compromised updated Apple device was directed (303) to a server. This is one of several botnets found. onthewifi \u2206 {Win32:BotX-gen\\ [Trj]} \u2022 Injection process | Password bypass. Studies targets behavior | Checks for other devices | Glupteba: \n Glupteba is a trojan-type program, malicious software that installs other programs of this type. Cyber criminals can perform a number of actions of a malicious hacker's choice on your device.", "modified": "2024-04-05T12:00:46.637000", "created": "2024-03-06T12:38:22.052000", "tags": [ "referrer", "tsara brashears", "password bypass", "apple phone", "unlocker", "shell code", "script", "pe resource", "execution", "sneaky server", "emotet", "android", "download", "malware", "relic", "monitoring", "installer", "formbook", "urls", "contacted", "win32 exe", "parents", "type name", "msrsaapp", "files", "file type", "kb file", "b file", "graph", "pe32 executable", "ms windows", "intel", "generic cil", "executable", "mono", "win32 dynamic", "link library", "win16 ne", "samplename", "samplepath", "jays youtube", "rticon neutral", "details", "header intel", "name md5", "type", "language", "contained", "ico rtgroupicon", "neutral", "net technology", "corporation", "domains", "markmonitor inc", "malicious", "cnc", "network", "bypass password", "network probe", "dns query", "as20940", "united", "aaaa", "search", "showing", "date", "passive dns", "registrar", "unknown", "encrypt", "next", "domain", "emails", "name servers", "as199524", "record value", "rst seen", "last seen", "asn country", "cname", "as15169 google", "scan endpoints", "all octoseek", "pulse pulses", "files ip", "as4788", "address", "pulses", "win32", "entries", "dadjoke", "ms defender", "united kingdom", "germany unknown", "as46606", "as14061", "servers", "as12576 ee", "russia unknown", "as3320 deutsche", "gamaredon", "armageddon", "as8068", "script urls", "for privacy", "script domains", "certificate", "meta", "creation date", "as14627", "ipv4", "onthewifi", "as54113", "trojan", "flywheel", "sea x", "accept", "ransom", "post http", "langserbian", "sublangdefault", "rticon", "process32nextw", "medium", "t1055", "high", "ip address", "generic", "body", "markus", "june", "copy", "bitcoin" ], "references": [ "FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb", "FormBook: 45.159.189.105", "FormBook: http://45.159.189.105/bot/regex", "Emotet: www.youtube.com/watch?v=GyuMozsVyYs", "Relic: bam.nr-data.net [Apple Private Data Collection]", "capitana.onthewifi.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Cryptor", "display_name": "Win32:Cryptor", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Glupteba.KM!MTB", "display_name": "Trojan:Win32/Glupteba.KM!MTB", "target": "/malware/Trojan:Win32/Glupteba.KM!MTB" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1188", "name": "Multi-hop Proxy", "display_name": "T1188 - Multi-hop Proxy" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 309, "FileHash-SHA1": 307, "FileHash-SHA256": 3084, "URL": 3066, "domain": 1085, "hostname": 1709, "CVE": 1, "email": 7 }, "indicator_count": 9568, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ea6410c1e1b1185951ef98", "name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack executed (Copy)", "description": "", "modified": "2024-04-05T12:00:46.637000", "created": "2024-03-08T01:04:16.906000", "tags": [ "referrer", "tsara brashears", "password bypass", "apple phone", "unlocker", "shell code", "script", "pe resource", "execution", "sneaky server", "emotet", "android", "download", "malware", "relic", "monitoring", "installer", "formbook", "urls", "contacted", "win32 exe", "parents", "type name", "msrsaapp", "files", "file type", "kb file", "b file", "graph", "pe32 executable", "ms windows", "intel", "generic cil", "executable", "mono", "win32 dynamic", "link library", "win16 ne", "samplename", "samplepath", "jays youtube", "rticon neutral", "details", "header intel", "name md5", "type", "language", "contained", "ico rtgroupicon", "neutral", "net technology", "corporation", "domains", "markmonitor inc", "malicious", "cnc", "network", "bypass password", "network probe", "dns query", "as20940", "united", "aaaa", "search", "showing", "date", "passive dns", "registrar", "unknown", "encrypt", "next", "domain", "emails", "name servers", "as199524", "record value", "rst seen", "last seen", "asn country", "cname", "as15169 google", "scan endpoints", "all octoseek", "pulse pulses", "files ip", "as4788", "address", "pulses", "win32", "entries", "dadjoke", "ms defender", "united kingdom", "germany unknown", "as46606", "as14061", "servers", "as12576 ee", "russia unknown", "as3320 deutsche", "gamaredon", "armageddon", "as8068", "script urls", "for privacy", "script domains", "certificate", "meta", "creation date", "as14627", "ipv4", "onthewifi", "as54113", "trojan", "flywheel", "sea x", "accept", "ransom", "post http", "langserbian", "sublangdefault", "rticon", "process32nextw", "medium", "t1055", "high", "ip address", "generic", "body", "markus", "june", "copy", "bitcoin" ], "references": [ "FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb", "FormBook: 45.159.189.105", "FormBook: http://45.159.189.105/bot/regex", "Emotet: www.youtube.com/watch?v=GyuMozsVyYs", "Relic: bam.nr-data.net [Apple Private Data Collection]", "capitana.onthewifi.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Cryptor", "display_name": "Win32:Cryptor", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Glupteba.KM!MTB", "display_name": "Trojan:Win32/Glupteba.KM!MTB", "target": "/malware/Trojan:Win32/Glupteba.KM!MTB" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1188", "name": "Multi-hop Proxy", "display_name": "T1188 - Multi-hop Proxy" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [], "TLP": "green", "cloned_from": "65e863bebbf95e0dc5a4169a", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 309, "FileHash-SHA1": 307, "FileHash-SHA256": 3084, "URL": 3066, "domain": 1085, "hostname": 1709, "CVE": 1, "email": 7 }, "indicator_count": 9568, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e843669f4ba77affa4b297", "name": "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"", "description": "303 Error redirect target to desired service. | Likely using infected, updated apple Product. | Jays Youtube Bot.exe found. | Target saw episode subject, was suspicious due to 'diabolical women' connection promoted by Rexxfield[.] com (Tracey Richters ex-husband). I believe she was framed as is target I have come across. YouTube accounts are only told from the perspective of 2 ex-husbands, 1 doctor, 1 hacker and dentist[assaulter] who abused power. This trap makes targets look crazy, non credible leaving them traumatized. Attorneys or law enforcement likely overwhelmed, wild stories. I often consider truth is can be much stranger than fiction. Fiction often loosely based on truth.", "modified": "2024-04-05T09:00:01.502000", "created": "2024-03-06T10:20:22.440000", "tags": [ "communicating", "replacement", "unauthorized", "cyber attack", "emotet", "suspicious", "ransom", "Jays Youtube Bot.exe", "united", "unknown", "passive dns", "gmt server", "gmt etag", "accept encoding", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "accept", "pragma", "injection", "downloader", "as44273 host", "search", "record value", "status", "nxdomain", "content type", "next", "body", "entries", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "win32", "as15169 google", "aaaa", "domain", "pulse pulses", "urls", "contacted", "contacted urls", "whois whois", "pcname", "machinename", "execution", "bundled", "whois sneaky", "smokeloader", "amadey", "android", "youtube", "darklivity podcast", "tracey richter", "michael roberts", "server redirect", "hacking", "botnet", "application/binary", "jomax", "early, iowa", "hacker", "ruthless", "colorado", "pitman and or dentist hired roberts obvi", "song culture", "tsara brashears" ], "references": [ "www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2]", "message.htm.com [Ransom | Malware Spreader]", "Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae", "Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752", "Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea", "Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI]", "Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 \u2022 303 status redirect to Bot server.", "host.secureserver.net \u2022 htm.com \u2022 rue.services \u2022 199.22.109.208.host.secureserver.net \u2022 n1s.18b.mywebsitetransfer.com \u2022 mywebsitetransfer.com", "godaddy.com \u2022 prod.phx3.secureserver.net", "Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab", "Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5", "Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d", "Amadey: FileHash-SHA1\te44a9e7ec6fe06ae6ba1b9518db78e95ad451942", "Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357", "Amadey: IP 104.26.5.15", "CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed.", "Attempted to send viewer to own server.", "How about stop harming people" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.Win32.Snovir.kfmibf", "display_name": "Trojan.Win32.Snovir.kfmibf", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 52, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 114, "FileHash-SHA256": 952, "URL": 285, "domain": 257, "hostname": 285, "email": 1 }, "indicator_count": 2009, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ea64dbc3938c6472fd5e7b", "name": "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\" Crimes of Tracey Richter", "description": "", "modified": "2024-04-05T09:00:01.502000", "created": "2024-03-08T01:07:39.514000", "tags": [ "communicating", "replacement", "unauthorized", "cyber attack", "emotet", "suspicious", "ransom", "Jays Youtube Bot.exe", "united", "unknown", "passive dns", "gmt server", "gmt etag", "accept encoding", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "accept", "pragma", "injection", "downloader", "as44273 host", "search", "record value", "status", "nxdomain", "content type", "next", "body", "entries", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "win32", "as15169 google", "aaaa", "domain", "pulse pulses", "urls", "contacted", "contacted urls", "whois whois", "pcname", "machinename", "execution", "bundled", "whois sneaky", "smokeloader", "amadey", "android", "youtube", "darklivity podcast", "tracey richter", "michael roberts", "server redirect", "hacking", "botnet", "application/binary", "jomax", "early, iowa", "hacker", "ruthless", "colorado", "pitman and or dentist hired roberts obvi", "song culture", "tsara brashears" ], "references": [ "www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2]", "message.htm.com [Ransom | Malware Spreader]", "Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae", "Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752", "Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea", "Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI]", "Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 \u2022 303 status redirect to Bot server.", "host.secureserver.net \u2022 htm.com \u2022 rue.services \u2022 199.22.109.208.host.secureserver.net \u2022 n1s.18b.mywebsitetransfer.com \u2022 mywebsitetransfer.com", "godaddy.com \u2022 prod.phx3.secureserver.net", "Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab", "Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5", "Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d", "Amadey: FileHash-SHA1\te44a9e7ec6fe06ae6ba1b9518db78e95ad451942", "Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357", "Amadey: IP 104.26.5.15", "CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed.", "Attempted to send viewer to own server.", "How about stop harming people" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.Win32.Snovir.kfmibf", "display_name": "Trojan.Win32.Snovir.kfmibf", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65e843669f4ba77affa4b297", "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 114, "FileHash-SHA256": 952, "URL": 285, "domain": 257, "hostname": 285, "email": 1 }, "indicator_count": 2009, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d167a8cf2e7966af16a671", "name": "Mirai \u2022 Emotet \u2022 Injection VT & AlienVault reports deleted & modified", "description": "Remote actor uses injection, brute force and remote logins to delete incriminating pulse , virustotal and otx.alienvault pulses, nodes and/or graphs.\n\u2192https://myaccount.uscis.gov/- Immigration (DHS) Login. For years many tactics, social engineering and fraudulent activities persisted. Contact is made to American born citizens, to get in touch. A website is provided, homepage on affected devices is bogus, you have to call to address bogus government concern. Target calls redirected to a call center where they're told they have reached immigration, to verify PII, next told it's a mistake as they are not in the system. At some point meritless notification of Patriot Act violation is received. Identity theft occurs. Credit, bank and other accounts are cancelled. Likely away to gain legal access to spy on targets.", "modified": "2024-03-18T21:03:15.841000", "created": "2024-02-18T02:12:56.143000", "tags": [ "ssl certificate", "resolutions", "communicating", "historical ssl", "referrer", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "body", "read c", "write c", "show", "delete", "msie", "windows nt", "search", "read", "write", "default", "malware", "copy", "contacted", "execution", "contacted urls", "whois sslcert", "emotet", "creation date", "meta", "cookie", "pragma", "mozilla", "ms windows", "intel", "regsetvalueexa", "nsisinetc", "pe32", "class", "persistence", "code", "explorer", "toolbar", "next", "self", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "httponly", "html info", "us citizenship", "meta tags", "citizenship", "immigration", "trackers new", "relic na", "utc google", "tag manager", "gtm5h8hdq3", "ids detections", "title", "date", "entries", "content type", "a domains", "gmt server", "apache x", "path", "win32dh", "as46606", "slcc2", "media center", "temple", "port", "destination", "as29873 newfold", "digital", "as15169 google", "otx telemetry", "trojandropper", "trojan", "backdoor", "wabot", "apanas", "south korea", "as9318 sk", "as3786 lg", "china as4134", "get hello", "as4766 korea", "dlink router", "dsl2750b rce", "exploit", "mirai", "as21928", "china as4837", "gafgyt", "strings", "high priority", "pulses", "related tags", "file type", "sysv", "external", "virustotal", "as39962 pretecs", "canada unknown", "moved", "present dec", "server", "lifeweb server", "lifeweb", "encrypt", "accept", "malware infection", "yara detections", "icmp traffic", "top source", "top destination", "source source", "policy http", "client body", "wordpress login", "brain sabey", "hall render", "government", "https://myaccount.uscis.gov/", "attempted brute forcing", "remote handler", "junk data stuffing", "cyber threat", "human rights threat", "basic human rights", "collision", "collusion", "cultureneutral", "et trojan", "known hostile", "etpro trojan", "possible virut", "error", "stream", "vitro", "delphi", "form", "canvas" ], "references": [ "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022", "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/", "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331", "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine", "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection", "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com", "Yara Detections: GlassesCode" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ireland", "Cyprus", "Sweden", "Australia", "Canada", "Hong Kong", "India", "Japan" ], "malware_families": [ { "id": "Win.Trojan.6977536-1", "display_name": "Win.Trojan.6977536-1", "target": null }, { "id": "Nebuler/Dialer.qn", "display_name": "Nebuler/Dialer.qn", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Win32/DH{gVIJAw?}", "display_name": "Win32/DH{gVIJAw?}", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Trojan:Win32/Tinba!rfn", "display_name": "Trojan:Win32/Tinba!rfn", "target": "/malware/Trojan:Win32/Tinba!rfn" }, { "id": "Win32:Emotet-AI\\ [Trj]", "display_name": "Win32:Emotet-AI\\ [Trj]", "target": null }, { "id": "Win.Trojan.Generic-6333842-0", "display_name": "Win.Trojan.Generic-6333842-0", "target": null }, { "id": "Win32/CMSBrute/Pifagor", "display_name": "Win32/CMSBrute/Pifagor", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Vitro", "display_name": "Win32:Vitro", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7636, "URL": 4080, "domain": 3917, "hostname": 1617, "FileHash-MD5": 1284, "FileHash-SHA1": 1213, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 19751, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "761 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d167a9c59fe757dc56b395", "name": "Mirai \u2022 Emotet \u2022 Injection VT & AlienVault reports deleted & modified", "description": "Remote actor uses injection, brute force and remote logins to delete incriminating pulse , virustotal and otx.alienvault pulses, nodes and/or graphs.\n\u2192https://myaccount.uscis.gov/- Immigration (DHS) Login. For years many tactics, social engineering and fraudulent activities persisted. Contact is made to American born citizens, to get in touch. A website is provided, homepage on affected devices is bogus, you have to call to address bogus government concern. Target calls redirected to a call center where they're told they have reached immigration, to verify PII, next told it's a mistake as they are not in the system. At some point meritless notification of Patriot Act violation is received. Identity theft occurs. Credit, bank and other accounts are cancelled. Likely away to gain legal access to spy on targets.", "modified": "2024-03-18T21:03:15.841000", "created": "2024-02-18T02:12:57.917000", "tags": [ "ssl certificate", "resolutions", "communicating", "historical ssl", "referrer", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "body", "read c", "write c", "show", "delete", "msie", "windows nt", "search", "read", "write", "default", "malware", "copy", "contacted", "execution", "contacted urls", "whois sslcert", "emotet", "creation date", "meta", "cookie", "pragma", "mozilla", "ms windows", "intel", "regsetvalueexa", "nsisinetc", "pe32", "class", "persistence", "code", "explorer", "toolbar", "next", "self", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "httponly", "html info", "us citizenship", "meta tags", "citizenship", "immigration", "trackers new", "relic na", "utc google", "tag manager", "gtm5h8hdq3", "ids detections", "title", "date", "entries", "content type", "a domains", "gmt server", "apache x", "path", "win32dh", "as46606", "slcc2", "media center", "temple", "port", "destination", "as29873 newfold", "digital", "as15169 google", "otx telemetry", "trojandropper", "trojan", "backdoor", "wabot", "apanas", "south korea", "as9318 sk", "as3786 lg", "china as4134", "get hello", "as4766 korea", "dlink router", "dsl2750b rce", "exploit", "mirai", "as21928", "china as4837", "gafgyt", "strings", "high priority", "pulses", "related tags", "file type", "sysv", "external", "virustotal", "as39962 pretecs", "canada unknown", "moved", "present dec", "server", "lifeweb server", "lifeweb", "encrypt", "accept", "malware infection", "yara detections", "icmp traffic", "top source", "top destination", "source source", "policy http", "client body", "wordpress login", "brain sabey", "hall render", "government", "https://myaccount.uscis.gov/", "attempted brute forcing", "remote handler", "junk data stuffing", "cyber threat", "human rights threat", "basic human rights", "collision", "collusion", "cultureneutral", "et trojan", "known hostile", "etpro trojan", "possible virut", "error", "stream", "vitro", "delphi", "form", "canvas" ], "references": [ "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022", "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/", "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331", "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine", "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection", "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com", "Yara Detections: GlassesCode" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ireland", "Cyprus", "Sweden", "Australia", "Canada", "Hong Kong", "India", "Japan" ], "malware_families": [ { "id": "Win.Trojan.6977536-1", "display_name": "Win.Trojan.6977536-1", "target": null }, { "id": "Nebuler/Dialer.qn", "display_name": "Nebuler/Dialer.qn", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Win32/DH{gVIJAw?}", "display_name": "Win32/DH{gVIJAw?}", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Trojan:Win32/Tinba!rfn", "display_name": "Trojan:Win32/Tinba!rfn", "target": "/malware/Trojan:Win32/Tinba!rfn" }, { "id": "Win32:Emotet-AI\\ [Trj]", "display_name": "Win32:Emotet-AI\\ [Trj]", "target": null }, { "id": "Win.Trojan.Generic-6333842-0", "display_name": "Win.Trojan.Generic-6333842-0", "target": null }, { "id": "Win32/CMSBrute/Pifagor", "display_name": "Win32/CMSBrute/Pifagor", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Vitro", "display_name": "Win32:Vitro", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7636, "URL": 4080, "domain": 3917, "hostname": 1617, "FileHash-MD5": 1284, "FileHash-SHA1": 1213, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 19751, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "761 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d3ae057e25854811cc1395", "name": "Mirai \u2022 Injection VT & AlienVault reports deleted & modified", "description": "", "modified": "2024-03-18T21:03:15.841000", "created": "2024-02-19T19:37:41.208000", "tags": [ "ssl certificate", "resolutions", "communicating", "historical ssl", "referrer", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "body", "read c", "write c", "show", "delete", "msie", "windows nt", "search", "read", "write", "default", "malware", "copy", "contacted", "execution", "contacted urls", "whois sslcert", "emotet", "creation date", "meta", "cookie", "pragma", "mozilla", "ms windows", "intel", "regsetvalueexa", "nsisinetc", "pe32", "class", "persistence", "code", "explorer", "toolbar", "next", "self", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "httponly", "html info", "us citizenship", "meta tags", "citizenship", "immigration", "trackers new", "relic na", "utc google", "tag manager", "gtm5h8hdq3", "ids detections", "title", "date", "entries", "content type", "a domains", "gmt server", "apache x", "path", "win32dh", "as46606", "slcc2", "media center", "temple", "port", "destination", "as29873 newfold", "digital", "as15169 google", "otx telemetry", "trojandropper", "trojan", "backdoor", "wabot", "apanas", "south korea", "as9318 sk", "as3786 lg", "china as4134", "get hello", "as4766 korea", "dlink router", "dsl2750b rce", "exploit", "mirai", "as21928", "china as4837", "gafgyt", "strings", "high priority", "pulses", "related tags", "file type", "sysv", "external", "virustotal", "as39962 pretecs", "canada unknown", "moved", "present dec", "server", "lifeweb server", "lifeweb", "encrypt", "accept", "malware infection", "yara detections", "icmp traffic", "top source", "top destination", "source source", "policy http", "client body", "wordpress login", "brain sabey", "hall render", "government", "https://myaccount.uscis.gov/", "attempted brute forcing", "remote handler", "junk data stuffing", "cyber threat", "human rights threat", "basic human rights", "collision", "collusion", "cultureneutral", "et trojan", "known hostile", "etpro trojan", "possible virut", "error", "stream", "vitro", "delphi", "form", "canvas" ], "references": [ "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022", "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/", "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331", "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine", "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection", "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com", "Yara Detections: GlassesCode" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ireland", "Cyprus", "Sweden", "Australia", "Canada", "Hong Kong", "India", "Japan" ], "malware_families": [ { "id": "Win.Trojan.6977536-1", "display_name": "Win.Trojan.6977536-1", "target": null }, { "id": "Nebuler/Dialer.qn", "display_name": "Nebuler/Dialer.qn", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Win32/DH{gVIJAw?}", "display_name": "Win32/DH{gVIJAw?}", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Trojan:Win32/Tinba!rfn", "display_name": "Trojan:Win32/Tinba!rfn", "target": "/malware/Trojan:Win32/Tinba!rfn" }, { "id": "Win32:Emotet-AI\\ [Trj]", "display_name": "Win32:Emotet-AI\\ [Trj]", "target": null }, { "id": "Win.Trojan.Generic-6333842-0", "display_name": "Win.Trojan.Generic-6333842-0", "target": null }, { "id": "Win32/CMSBrute/Pifagor", "display_name": "Win32/CMSBrute/Pifagor", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Vitro", "display_name": "Win32:Vitro", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Civil Society" ], "TLP": "white", "cloned_from": "65d167a9c59fe757dc56b395", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7636, "URL": 4080, "domain": 3917, "hostname": 1617, "FileHash-MD5": 1284, "FileHash-SHA1": 1213, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 19751, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "761 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c7b86fa120d19bbc88f367", "name": "Hijacker", "description": "Hackers hired to humiliate, threaten,steal data, evidence, recordings , spy and intimidate.", "modified": "2024-03-11T17:01:59.026000", "created": "2024-02-10T17:54:55.243000", "tags": [ "ssl certificate", "whois record", "contacted", "tsara brashears", "referrer", "communicating", "resolutions", "historical ssl", "high level", "hackers", "hacktool", "download", "malware", "crypto", "hijacker", "monitoring", "installer", "tofsee", "domains domains", "domains files", "files files", "script", "kgs0", "kls0", "relic", "iframe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "rticon neutral", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "ico rtgroupicon", "neutral", "first", "utc submissions", "submitters", "company limited", "computer", "amazonaes", "china telecom", "group", "csc corporate", "domains", "malware spreading evader", "cnc", "malvertizing", "milehighmedia", "trojandropper", "moved", "passive dns", "urls", "as14576", "backdoor", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "trojan", "encrypt", "body", "date", "date hash", "avast avg", "mtb may", "kratona", "threat", "paste", "iocs", "analyze", "hostnames", "urls https", "script urls", "united", "meta", "unknown", "emails", "name servers", "search", "as62597 nsone", "a domains", "as397241", "media", "next", "december", "unlocker", "threat round", "apple ios", "apple phone", "project", "blister", "agent tesla", "open", "execution", "videos", "strong", "porn videos", "watch", "daddy", "free", "top rated", "most viewed", "cancel anytime", "views", "play", "black", "enjoy", "czech", "hunk", "virtool", "cryp", "creation date", "otx telemetry", "expiration date", "servers", "status", "win32", "showing", "domain", "nxdomain", "as8075", "shell code", "threat", "cyber espionage", "cyber stalking", "danger", "critical", "attack", "treats", "as15169 google", "aaaa", "record value", "error", "entries", "hostname", "url http", "http", "files domain", "files related", "shinjiru msc", "sdn bhd", "dnssec", "protect", "as54455 madeit", "phishing", "backdoor", "contextualizing", "elevated exposure", "malvertizing", "ransom", "msil", "hackers for hire", "hashes", "http method", "get http", "http requests", "get dns", "ip traffic", "memory pattern", "pattern ips", "@emreimer", "iextract2", "cp cyber", "denver", "security", "siem compliance", "skip", "cybersecurity", "larimer st", "suite", "resources cyber", "risk assessment", "bill", "mind", "delaware", "pa", "arizona", "colorado", "stalkers", "deuteronomy 28:7", "hitmen" ], "references": [ "honey.exe", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "CS Sigma Rules: Python Initiated Connection by frack113", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "api.login.live.com", "http://appleid.icloud.com-website33.org/", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "message.htm.com", "http://pornhub.com/gay/video/search", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "W32.Sality.PE", "display_name": "W32.Sality.PE", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Virus.Win32.Virut.q", "display_name": "Virus.Win32.Virut.q", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "TrojanDropper:Win32", "display_name": "TrojanDropper:Win32", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6303, "FileHash-MD5": 215, "FileHash-SHA1": 192, "FileHash-SHA256": 2663, "domain": 2673, "hostname": 2686, "CVE": 2, "email": 16 }, "indicator_count": 14750, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "768 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab5eb4d0a233bf6f32edb", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:20:59.154000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab601f0d674294b603758", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:21:21.869000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab60667f8205c19d6b67b", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:21:26.244000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65cab616bb5869335d184ae7", "name": "Malware Infection | Pseudonym 'Kevin Harden' Malvertizing RedTube Subsidiary", "description": "", "modified": "2024-03-11T02:01:13.710000", "created": "2024-02-13T00:21:42.183000", "tags": [ "trojan", "show", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "april", "win32", "copy", "push", "malware infection", "threat roundup", "whois record", "contacted", "october", "execution", "january", "attack", "suspicious", "hacktool", "emotet", "injection", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "http", "resource path", "size", "type mimetype", "primary request", "servicelogin", "kb document", "general full", "url https" ], "references": [ "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Trojan:Win32/CryptInject.SD!MTB", "display_name": "Trojan:Win32/CryptInject.SD!MTB", "target": "/malware/Trojan:Win32/CryptInject.SD!MTB" }, { "id": "Win.Malware.Fileinfector-9834127-0", "display_name": "Win.Malware.Fileinfector-9834127-0", "target": null }, { "id": "Emotet b", "display_name": "Emotet b", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 276, "FileHash-SHA1": 274, "FileHash-SHA256": 3301, "URL": 2268, "hostname": 744, "CVE": 2, "domain": 340 }, "indicator_count": 7205, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65c68bc8b8745068608cc50d", "name": "Metasploit | Ransomware | PinterestPots - Pin.it", "description": "", "modified": "2024-03-10T20:03:45.513000", "created": "2024-02-09T20:32:08.358000", "tags": [ "whois record", "contacted", "tsara brashears", "ssl certificate", "apple ios", "unlocker", "historical ssl", "referrer", "highly targeted", "critical risk", "hacktool", "malicious", "cobalt strike", "metasploit", "installer", "malware", "awful", "android", "banker", "keylogger", "jeffrey reimer", "emreimer", "emily reimer goldstien", "eva lisa", "eva lisa reimer", "status code", "http response", "ieedge date", "maxage86400", "path", "httponly xcdn", "connection", "vary useragent", "targeting brashears", "communicating", "whois whois", "collections", "password", "adult content", "core", "metro", "apple", "copy", "suspicious", "vj99", "threat", "slfrd1", "paste", "iocs", "analyze", "hostnames", "urls http", "jid1221717543", "slc1", "a domains", "united", "search", "date", "as15169 google", "passive dns", "urls", "record value", "name servers", "status", "encrypt", "win32", "next", "msie", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "body", "domain", "unknown", "china unknown", "pulse pulses", "files", "ip address", "servers", "domain name", "showing", "as54113", "as16625 akamai", "as20940", "aaaa", "cname", "as396982 google", "as14061", "script domains", "hostname", "japan unknown", "gmt content", "gmt etag", "pragma", "accept", "location japan", "asn as131965", "less", "pulses", "related tags", "meta", "asn as13335", "443 ma2592000", "certificate", "germany unknown", "script urls", "link", "code", "moved", "russia unknown", "as51659 llc", "as12616 filanc", "welcome", "uhttps", "urls https", "ccb455304", "ccb455307", "vj93", "uyebaauqaaaaaac", "malvertizing", "tagging", "prefetch8", "script", "prefetch1", "command decode", "segoe ui", "suricata ipv4", "emoji", "mitre att", "suricata udpv4", "roboto", "courier", "february", "hybrid", "general", "model", "comspec", "click", "strings" ], "references": [ "https://gr.pinterest.com/emreimer/", "Wife of Brashears SAter \u2022 Alias \u2022 Couple plays victim \u2022 Karens. HIPPA violations. Admittedly involved cyberstalking on Brashears. Legally agreed to stop.", "message.htm.com \u2022 CVE-2023-4966 \u2022 ransomed.vc", "http://neurosky.jp", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex", "http://alohatube.xyz/search/tsara-brashears", "facebooksunglassshop.com [titled' Tsara Brashears GCcmwm.T ?]", "alohatube.xyz [keylogger aimed at Tsara Brashears]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.pornhub.com/video/search?search=tsara+brashears", "http://alohatube.xyz/search/tsara-brashears/", "https://alohatube.xyz/search/tsara-brashears", "https://alohatube.xyz/search/tsara-brashears+(Formerly+Botnetwork+malvertizing+campaign+targeting+Tsara+Brashears+crime+victim.+Now+", "https://www.sweetheartvideo.com/tsara-brashears/", "manvimishraa5417@gmail.com [Video of Tsara Brashears circulation]", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language:", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "https://www.sweetheartvideo.com/tsara-brashears", "https://www.hybrid-analysis.com/sample/92b00ee3aca1f3057ad8402229c27bfdd6fc934908ef641b36379bf47093df0b/65c63a1fbc9c5333d20354ca", "https://www.hybrid-analysis.com/file-inline/65c63a1fbc9c5333d20354ca/screenshot/screen_6.png", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing \u2022 mitre S0154]", "CnC IP's: 104.124.58.137 \u2022 45.159.189.105 | Exploit source: 1.179.151.145 | scanning host: 208.115.103.34", "http://www.proxydocker.com/ja/proxy/43.229.135.125:8080", "https://twitter.com/PORNO_SEXYBABES | cloud.zemana.com - porn cloud", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "www.pornhub.com", "http://www.pinterest.com/ideas/songwriting/945635263947/", "https://www.neurosky.jp/wp-content/plugins/responsive-lightbox/assets/fancybox/jquery.fancybox.min.js?ver=2.1.0", "webdisk.thehomemakers.nl", "http://connectivitycheck.gstatic.com/generate_204 [RAT]", "http://discover.hubpages.com/literature/Most-Beautiful-Quotes-on-Love-and-Heartbreak [RAT| Tagging target in adult content fraud sites]", "https://gujarati.ent24x7.comb [RAT]", "http://clipper.guru/bot/online?guid=PC\\Administrator&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb", "https://tulach.cc/socrative/internal.js", "http://email.birdeye.org/c/eJxkUcFuozAU_JrHsTLPYODAIYQmSqXNqmm3q-4FGfNIrAUbGTtV-_UrklRatT5ZnvGbeTNVmLWhed6HsSVXxiLNsyLniUhFyoqolp6eyPgSE4Ysjw407boSMerKWKV90kdUxhnLuMiyhEenUiZ9LjAuij6PMWdMSpnFJPKkLVQrUhHpEtl1GEuSgvG7DIss6XsZCy7jooghYa12Hb3TnXXHaChP3k8z8BXgBnDziSk7Am4mp5U2xwXim-DHZrbBKQJeT852QfmGRqkHQLGAI3U6jMDr_x-VNZ6MB15vf1SAotUd8PpLEJ9cOU5SHw3w2ppBG2omRzMZRc1CaY0cF-21NTO5s_TaGsDqidxZK5oBq62zYQKsdkYBimmQipqL3vq0e9i3-VoOf-J09_dgq-m-enupQnUEFNp0YfbuHXgNKD70dL04Omt6a5QNF_-H-5fd_e9m_fPX_hlQyPOxuTGc9EtKvF69bJvD6", "https://gujarati.ent24x7.com | https://otx.alienvault.com/indicator/url/https://gujarati.ent24x7.com", "162.159.208.8" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "Trojan:VBS/MetasploitVBSCmdStager", "display_name": "Trojan:VBS/MetasploitVBSCmdStager", "target": "/malware/Trojan:VBS/MetasploitVBSCmdStager" }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3412, "FileHash-MD5": 194, "FileHash-SHA1": 159, "FileHash-SHA256": 2223, "domain": 2117, "hostname": 1763, "CVE": 2, "email": 5 }, "indicator_count": 9875, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "769 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "message.htm.com \u2022 CVE-2023-4966 \u2022 ransomed.vc", "api.login.live.com", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA256 00027d11309d55312ae77f32d4ae79671c91f541e577bace7a5a5abde05563ad", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae", "https://hybrid-analysis.com/sample/ac09d7f6b26675a529a366b47bc09b3fd776576fb099c020f57204ff7b4ea31c", "manvimishraa5417@gmail.com [Video of Tsara Brashears circulation]", "https://www.sweetheartvideo.com/tsara-brashears", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "\u2192https://otx.alienvault.com/pulse/65eedf74b7bdda41057bef3e", "Yara: TrojanDropperWin32Ropest | CodeOverlap TrojanWin32Gatsorm | CodeOverlap TrojanWinNTConficker | CodeOverlap Alerts: WormWin32Pykspa", "Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d", "Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea", "alohatube.xyz [keylogger aimed at Tsara Brashears]", "https://gujarati.ent24x7.comb [RAT]", "Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5", "Other:Malware-gen\\ [Trj] | FileHash-SHA256 0000ba467dd40046e240c11251d9db03636d0e7c6f9f96354a46a441c2003143", "host.secureserver.net \u2022 htm.com \u2022 rue.services \u2022 199.22.109.208.host.secureserver.net \u2022 n1s.18b.mywebsitetransfer.com \u2022 mywebsitetransfer.com", "https://www.hybrid-analysis.com/sample/92b00ee3aca1f3057ad8402229c27bfdd6fc934908ef641b36379bf47093df0b/65c63a1fbc9c5333d20354ca", "jpocxaar1---r3---sn-jpocxaa-a03e.gvt1.com", "http://www.pinterest.com/ideas/songwriting/945635263947/", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA1 2e586f8db46953532b5e25e07add4dbaeea83a79", "FormBook: http://45.159.189.105/bot/regex", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language:", "Videolal: 18.119.154.66:80 (endpoint request) \u2022 54.209.32.212 \u2022 http://videolal.com (phishing) \u2022 http://videolal.com/ \u2022 videolal.com \u2022 www.videolal.com \u2022", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://pornhub.com/gay/video/search", "FormBook: 45.159.189.105", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "http://videolal.com/the-man-who-built-america-1.html \u2022 http://videolal.com/pinnacol-assurance-assaulted-by-jeffrey-", "CVE-2007-3896 | CVE-2023-22518 | CVE-2023-4966", "Other:Malware-gen\\ [Trj] | FileHash-MD5 b5168dab50187b33460201b35b96dea7", "162.159.208.8", "http://www.proxydocker.com/ja/proxy/43.229.135.125:8080", "http://email.birdeye.org/c/eJxkUcFuozAU_JrHsTLPYODAIYQmSqXNqmm3q-4FGfNIrAUbGTtV-_UrklRatT5ZnvGbeTNVmLWhed6HsSVXxiLNsyLniUhFyoqolp6eyPgSE4Ysjw407boSMerKWKV90kdUxhnLuMiyhEenUiZ9LjAuij6PMWdMSpnFJPKkLVQrUhHpEtl1GEuSgvG7DIss6XsZCy7jooghYa12Hb3TnXXHaChP3k8z8BXgBnDziSk7Am4mp5U2xwXim-DHZrbBKQJeT852QfmGRqkHQLGAI3U6jMDr_x-VNZ6MB15vf1SAotUd8PpLEJ9cOU5SHw3w2ppBG2omRzMZRc1CaY0cF-21NTO5s_TaGsDqidxZK5oBq62zYQKsdkYBimmQipqL3vq0e9i3-VoOf-J09_dgq-m-enupQnUEFNp0YfbuHXgNKD70dL04Omt6a5QNF_-H-5fd_e9m_fPX_hlQyPOxuTGc9EtKvF69bJvD6", "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/tsara-brashears.html \u2022 http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://systemforex.de/search/redirect.php?f= | http://it.marksypark.com | dont-delete.hugedomains.com | http://selfsparkcentral.com", "Emotet: FileHash-SHA256 db9d59b0f192c91f8ecf939c415b3252b13b0fb052d4a66ceefb80dfb43d6e8a |", "Malware Hosting IP addresses: 141.193.213.20 | 185.199.108.153| 185.199.110.153 | 185.199.111.153", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html \u2022", "Win32:CrypterX-gen\\ [Trj] | FileHash-MD5 6878e9896fdd84dcc11c997c9b7330ba", "FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb", "capitana.onthewifi.com", "Ransom: ransomed.vc", "http://appleid.icloud.com-website33.org/", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/4998a7eac2a056833d01ee1e60c68c1f83f9ad6cd790ced9511e73cc12780f3c", "http://clipper.guru/bot/online?guid=PC\\Administrator&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb", "https://videolal.com/videos/tsara-brashears-assaulted-by-jeffrey-reimer-metlife-login-retirement.html \u2022 https://videolal.com/css/js/jquery-ui.min.js", "Wife of Brashears SAter \u2022 Alias \u2022 Couple plays victim \u2022 Karens. HIPPA violations. Admittedly involved cyberstalking on Brashears. Legally agreed to stop.", "Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab", "https://alohatube.xyz/search/tsara-brashears", "http://neurosky.jp", "https://gr.pinterest.com/emreimer/", "Amadey: FileHash-SHA1\te44a9e7ec6fe06ae6ba1b9518db78e95ad451942", "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection", "Scanning host: 31.214.178.54 , 37.152.88.54", "Yara Detections: vad_contains_network_strings information | HackToolWin32Patch CodeOverlap | PWSWin32Phorex CodeOverlap", "thevisafirm.com | Immigration Lawyers Capital Immigration Lawyers Green Card Lawyer [ London, DC] malicious", "CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed.", "www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast", "facebooksunglassshop.com [titled' Tsara Brashears GCcmwm.T ?]", "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "\u2192https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "development.digitalphotogallery.com _YandexDropperExtend", "Relic: bam.nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/url/https://theorg.com/_next/data/Gh7c6NpBHZESb74aisPB8/org/springboard-collaborative.json?companySlug=springboard-collaborative", "\u2192https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "godaddy.com \u2022 prod.phx3.secureserver.net", "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/ \u2022", "Emotet: www.youtube.com/watch?v=GyuMozsVyYs", "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331", "FormBook: 104.247.81.53 \u2022 http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "message.htm.com", "https://www.neurosky.jp/wp-content/plugins/responsive-lightbox/assets/fancybox/jquery.fancybox.min.js?ver=2.1.0", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "CnC IP Addresses: 104.247.81.53 \u2022 185.64.219.6 \u2022 199.191.50.82 \u2022 203.107.45.167 \u2022 91.195.240.94 \u2022 167.235.143.33", "Emotet: FileHash-MD5 bafae95c36402dfc1ea5fa04523e4e81", "http://connectivitycheck.gstatic.com/generate_204 [RAT]", "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html \u2022 https://videolal.com/css/jquery-ui.css \u2022 http://videolal.com/tsara-brashears.html", "Win32/Renos: https://otx.alienvault.com/malware/ALF:JASYP:TrojanDownloader:Win32%2FRenos/", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html \u2022", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "www.hallinjurylaw.com |\tMinneapolis Personal Injury Lawyer Personal Injury Law Experts", "CS Sigma Rules: Python Initiated Connection by frack113", "https://gujarati.ent24x7.com | https://otx.alienvault.com/indicator/url/https://gujarati.ent24x7.com", "webdisk.thehomemakers.nl", "http://videolal.com/jeff-reimer-dpt-buys-assault-victims-silence.html \u2022 http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "https://twitter.com/PORNO_SEXYBABES | cloud.zemana.com - porn cloud", "Aspnet collect: https://otx.alienvault.com/otxapi/indicators/file/screenshot/000444cc67b97f45f11e1fdf89ad8f5127c87aa858fe151fa9c4975276f53b42", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing \u2022 mitre S0154]", "https://otx.alienvault.com/malware/Trojan:Win32%2FCrypterX/", "CnC IP's: 104.124.58.137 \u2022 45.159.189.105 | Exploit source: 1.179.151.145 | scanning host: 208.115.103.34", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "http://videolal.com/jeffrey-reimer-dpt-physical-therapy-assaulted-patient.html \u2022 http://videolal.com/jeff-reimer-", "\u2192https://otx.alienvault.com/pulse/65ef3723d27863fc33a6b671", "honey.exe", "https://www.pornhub.com/video/search?search=tsara+brashears", "AA47 More AV Detection Ratio 984 / 1000 IDS Detections Win32.Renos/ArtroMALWARETrojan Checkin M1 Possible Fake AV Checkin Fakealert. AA47 More AV Detection Ratio 984 / 1000 IDS Detections /Trojan Checkin M1 Possible Fake AV Checkin Fakealert.", "william.ballenthin@fireeye.com contain a resource (.rsrc) section\tmoritz.raabe@fireeye.com | Pattern match: \"jloup@gzip.org\" & \"fancybox@3.5.7\"", "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html \u2022 http://videolal.com/the-man-who-built-america-1.html", "allocates_execute_remote_process \u2022 injection_write_memory \u2022 injection_resumethread \u2022 packer_entropy \u2022 network _icmp \u2022 injection_runpe", "Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI]", "http://videolal.com/jeffrey-reimer-dpt-sexual-misconduct.html \u2022 http://videolal.com/tsara-brashears.html", "Yara Detections: GlassesCode", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "Amadey: IP 104.26.5.15", "Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | 103.246.145.111", "https://www.hugedomains.com/domain_profile.cfm?d=videolal.com \u2022 https://www.hugedomains.com/domain_profile.cfm?d=videolal.com\"", "How about stop harming people", "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/", "Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://alohatube.xyz/search/tsara-brashears+(Formerly+Botnetwork+malvertizing+campaign+targeting+Tsara+Brashears+crime+victim.+Now+", "https://www.sweetheartvideo.com/tsara-brashears/", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "Yara Detections invalid_trailer_structure , multiple_versions", "https://theorg.com", "Other:Malware-gen\\ [Trj] | FileHash-SHA1 68868b3d0115e3d06f5fddb9d2ea6ad54270166c", "Emotet: FileHash-SHA1\t19c14ab0aaab2c1dd922f0baca3cf64056f80acc", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "www.pornhub.com", "http://discover.hubpages.com/literature/Most-Beautiful-Quotes-on-Love-and-Heartbreak [RAT| Tagging target in adult content fraud sites]", "Ransom: CVE-2023-4966", "Malvertizing, Phishing, Botnet PWD: https://pin.it/ | https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com", "https://tulach.cc/socrative/internal.js", "Phishing, Botnet PWD:https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://www.sweetheartvideo.com/tsara-brashears/ | www.sweetheartvideo.com", "www.videolal.com \u2022 httpvideolal.com \u2022 https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct.html", "FormBook: a4ec4c6ea1c92e2e6.awsglobalaccelerator.com", "https://www.hybrid-analysis.com/file-inline/65c63a1fbc9c5333d20354ca/screenshot/screen_6.png", "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine", "https://www.redtube.com/ServiceLogin?hl=de&passive=true&continue=https://www.redtube.ccom/%3Fdata%3Dkevinharden1978%2540gmail.com%252Fkevinharden1978%2B.search", "http://45.159.189.105/bot/regex", "Attempted to send viewer to own server.", "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com", "http://alohatube.xyz/search/tsara-brashears/", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "injection_write_memory_exe \u2022 injection_ntsetcontextthread \u2022 dumped_buffer \u2022 checks_debugger \u2022 generates_crypto_key \u2022 antivm_memory_available", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752", "Malware: 0a6e883228a04a6e8738511a6210914dea1773d88cf57950c83e092f02c7f3bf - Other:Malware-gen\\ [Trj]", "Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 \u2022 303 status redirect to Bot server.", "http://alohatube.xyz/search/tsara-brashears", "message.htm.com [Ransom | Malware Spreader]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Ddos:linux/mirai", "Alf:trojandownloader:win32/vadokrist.a", "Win32/cmsbrute/pifagor", "Trojan:win32/cryptinject.sd!mtb", "Nebuler/dialer.qn", "Trojan:vbs/metasploitvbscmdstager", "Win32:crypterx-gen\\ [trj]", "Worm.bagle-44", "Win.trojan.knigsfot-125", "Alf:heraklezeval:trojan:win32/neurevt", "Trojan:win32/glupteba.km!mtb", "Et", "Hacktool", "Win.trojan.generic-6333842-0", "Trojan:win32/tinba!rfn", "Slf:trojan:win32/grandoreiro.a", "Win32:botx-gen\\ [trj]", "Elf:ddos-y\\ [trj]", "Relic", "Win32:emotet-ai\\ [trj]", "Win.virus.polyransom-5704625-0", "Trojanspy:win32/nivdort.de", "Win32:trojan-gen", "Win.worm.pykspa-1", "Win.trojan.generic-9957168-0", "Trojan.win32.snovir.kfmibf", "Ransom", "Formbook", "Tofsee", "Other:malware-gen\\ [trj]", "Win.adware.relevantknowledge-9821121-0", "Win.trojan.6977536-1", "Worm:win32/pykspa.c", "Win32:vitro", "Virus.win32.virut.q", "Trojanspy", "Win.trojan.generic-9897526-0", "Amadey", "Emotet", "Generic", "Artro", "Win32/dh{gvijaw?}", "#lowfienabledtcontinueafterunpacking", "Win32.renos/artro", "Apollolocker", "Win32:cryptor", "Virtool", "Cobalt strike", "I-worm/bagle.qe", "W32.sality.pe", "Nsis", "Win32:renos-ky\\ [trj]", "Win.malware.fileinfector-9834127-0", "Emotet b", "Trojandropper:win32" ], "industries": [ "Technology", "Media", "Telecommunications", "Immigration", "Government", "Civil society" ], "unique_indicators": 95106 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/zzciai.com", "whois": "http://whois.domaintools.com/zzciai.com", "domain": "zzciai.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 16, "pulses": [ { "id": "65eb9b88c811f35e060a2aa5", "name": "Emotet | YouTube \u2022 Darklivity Podcast \"Crimes of Tracey Richter\"", "description": "", "modified": "2024-08-14T06:01:01.267000", "created": "2024-03-08T23:13:12.950000", "tags": [ "communicating", "replacement", "unauthorized", "cyber attack", "emotet", "suspicious", "ransom", "Jays Youtube Bot.exe", "united", "unknown", "passive dns", "gmt server", "gmt etag", "accept encoding", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "accept", "pragma", "injection", "downloader", "as44273 host", "search", "record value", "status", "nxdomain", "content type", "next", "body", "entries", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "win32", "as15169 google", "aaaa", "domain", "pulse pulses", "urls", "contacted", "contacted urls", "whois whois", "pcname", "machinename", "execution", "bundled", "whois sneaky", "smokeloader", "amadey", "android", "youtube", "darklivity podcast", "tracey richter", "michael roberts", "server redirect", "hacking", "botnet", "application/binary", "jomax", "early, iowa", "hacker", "ruthless", "colorado", "pitman and or dentist hired roberts obvi", "song culture", "tsara brashears" ], "references": [ "www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2]", "message.htm.com [Ransom | Malware Spreader]", "Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae", "Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752", "Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea", "Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI]", "Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 \u2022 303 status redirect to Bot server.", "host.secureserver.net \u2022 htm.com \u2022 rue.services \u2022 199.22.109.208.host.secureserver.net \u2022 n1s.18b.mywebsitetransfer.com \u2022 mywebsitetransfer.com", "godaddy.com \u2022 prod.phx3.secureserver.net", "Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab", "Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5", "Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d", "Amadey: FileHash-SHA1\te44a9e7ec6fe06ae6ba1b9518db78e95ad451942", "Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357", "Amadey: IP 104.26.5.15", "CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed.", "Attempted to send viewer to own server.", "How about stop harming people" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.Win32.Snovir.kfmibf", "display_name": "Trojan.Win32.Snovir.kfmibf", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65ea64dbc3938c6472fd5e7b", "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 121, "FileHash-SHA1": 120, "FileHash-SHA256": 1086, "URL": 391, "domain": 285, "hostname": 369, "email": 1 }, "indicator_count": 2373, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "613 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65fc4d4c24f2000879921be5", "name": "The Org : FormBook CnC | Pykspa", "description": "Front Facing Description: 'TheOrg' (https://theorg.com) The Org\nThe Org is an online professional community platform. It helps organizations get more exposure externally and operate more efficiently internally. | efficiently internally | Nefarious scheme? Unclear. Possible visa, immigration scheme. | Pykspa is a piece of malware that can be used to remotely control infected systems. It also enables attackers to. download other malware or extract personal data. || Dark. | Score 100% Falcon Sandbox | Evasive. Moved permanently 03/21/2024 | FormBook is an infostealer of browser cached credentials , screenshots, keystrokes. | Tags auto populated", "modified": "2024-04-20T14:04:02.366000", "created": "2024-03-21T15:07:56.415000", "tags": [ "q https", "https", "enablement", "org log", "sign", "contact", "right person", "explore", "start", "grafana labs", "ogilvy", "figma", "find", "apollo", "http", "span", "learn", "html", "expiry", "form", "label", "youtube video", "linkedin", "input", "pixel", "legend", "cookie", "march", "de indicators", "domains", "hashes", "gmbh version", "status page", "service privacy", "legal", "impressum", "reverse dns", "general full", "url https", "protocol h2", "security tls", "united", "resource", "asn16509", "amazon02", "name value", "main", "ssl certificate", "whois record", "whois whois", "resolutions", "threat roundup", "communicating", "referrer", "subdomains", "historical ssl", "collections", "june", "february", "blister", "cobalt strike", "phishing", "formbook", "contacted", "ip check", "adult content", "divergent", "hacktool", "copy", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers age", "cachecontrol", "connection", "tsara brashears", "malicious", "life", "core", "dns replication", "date", "win32 exe", "files", "detections type", "name", "wininit", "office open", "xml document", "qiwi hack", "android", "mgeinteg", "html info", "title", "org meta", "tags viewport", "org twitter", "org og", "the org", "utc google", "tag manager", "g5nxq655fgp", "domain", "search", "status", "scan endpoints", "all scoreblue", "hostname", "pulse pulses", "passive dns", "urls", "bhagam bhag", "home screen", "entries", "createdate", "title bhagam", "select xmp", "filehash", "malware", "format", "unknown", "meta", "as44273 host", "creation date", "moved", "encrypt", "district", "body", "window", "hall law", "a domains", "script urls", "datalayer", "registrar", "next", "accept encoding", "showing", "yara rule", "http host", "worm", "high", "possible", "win32", "bits", "cname", "as396982 google", "redacted for", "expiration date", "div div", "as26710 icann", "script domains", "citadel", "indonesia", "get updates", "write c", "create c", "read c", "show", "default", "common upatre", "upatre", "downloader", "zeus", "write", "execution", "regsetvalueexa", "regdword", "module load", "dock", "persistence", "as54113", "github pages", "formbook cnc", "checkin", "lowfi", "class", "trojan", "accept", "visa scheme", "mtb feb", "mtb jan", "romeo scheme", "exploitation", "pattern match", "command decode", "mitre att", "suricata ipv4", "ck id", "show technique", "ck matrix", "suricata udpv4", "facebook", "hybrid", "general", "model", "comspec", "click", "strings", "footer", "michelle", "nora", "hallrender", "name servers", "record value", "emails", "servers", "found", "gmt content", "error", "code", "men", "man", "woman", "hit", "sreredrum", "honey client", "hiv", "threat", "paste", "iocs", "urls https", "malicious site", "phishing site", "blockchain", "unsafe", "malware site", "malicious url", "phishtank", "cyber threat", "artemis", "asyncrat", "team", "cisco umbrella", "site", "safe site", "heur", "million", "xrat", "downldr", "union", "bank", "gvt google video transcoding", "malvertizing", "targeting", "target", "yandex dropper extend", "remote procedure call", "identity_helper.exe", "cookie bot" ], "references": [ "https://theorg.com", "Ransom: CVE-2023-4966", "Ransom: ransomed.vc", "FormBook: a4ec4c6ea1c92e2e6.awsglobalaccelerator.com", "Malware: http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | 103.246.145.111", "Malware: 0a6e883228a04a6e8738511a6210914dea1773d88cf57950c83e092f02c7f3bf - Other:Malware-gen\\ [Trj]", "Yara Detections invalid_trailer_structure , multiple_versions", "Malware Hosting IP addresses: 141.193.213.20 | 185.199.108.153| 185.199.110.153 | 185.199.111.153", "https://otx.alienvault.com/indicator/url/https://theorg.com/_next/data/Gh7c6NpBHZESb74aisPB8/org/springboard-collaborative.json?companySlug=springboard-collaborative", "Scanning host: 31.214.178.54 , 37.152.88.54", "Yara Detections: vad_contains_network_strings information | HackToolWin32Patch CodeOverlap | PWSWin32Phorex CodeOverlap", "Yara: TrojanDropperWin32Ropest | CodeOverlap TrojanWin32Gatsorm | CodeOverlap TrojanWinNTConficker | CodeOverlap Alerts: WormWin32Pykspa", "Aspnet collect: https://otx.alienvault.com/otxapi/indicators/file/screenshot/000444cc67b97f45f11e1fdf89ad8f5127c87aa858fe151fa9c4975276f53b42", "development.digitalphotogallery.com _YandexDropperExtend", "Emotet: FileHash-MD5 bafae95c36402dfc1ea5fa04523e4e81", "Emotet: FileHash-SHA256 db9d59b0f192c91f8ecf939c415b3252b13b0fb052d4a66ceefb80dfb43d6e8a |", "Emotet: FileHash-SHA1\t19c14ab0aaab2c1dd922f0baca3cf64056f80acc", "thevisafirm.com | Immigration Lawyers Capital Immigration Lawyers Green Card Lawyer [ London, DC] malicious", "www.hallinjurylaw.com |\tMinneapolis Personal Injury Lawyer Personal Injury Law Experts", "Malvertizing, Phishing, Botnet PWD: https://pin.it/ | https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com", "Phishing, Botnet PWD:https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing | https://www.sweetheartvideo.com/tsara-brashears/ | www.sweetheartvideo.com", "https://hybrid-analysis.com/sample/ac09d7f6b26675a529a366b47bc09b3fd776576fb099c020f57204ff7b4ea31c", "CVE-2007-3896 | CVE-2023-22518 | CVE-2023-4966", "jpocxaar1---r3---sn-jpocxaa-a03e.gvt1.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Win32:Renos-KY\\ [Trj]", "display_name": "Win32:Renos-KY\\ [Trj]", "target": null }, { "id": "Win.Worm.Pykspa-1", "display_name": "Win.Worm.Pykspa-1", "target": null }, { "id": "Worm:Win32/Pykspa.C", "display_name": "Worm:Win32/Pykspa.C", "target": "/malware/Worm:Win32/Pykspa.C" }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "ApolloLocker", "display_name": "ApolloLocker", "target": null }, { "id": "TrojanDropper:Win32", "display_name": "TrojanDropper:Win32", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Media", "Immigration", "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4567, "domain": 2576, "hostname": 1212, "FileHash-SHA256": 3836, "FileHash-MD5": 744, "FileHash-SHA1": 724, "CVE": 5, "email": 9, "SSLCertFingerprint": 1 }, "indicator_count": 13674, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "729 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eff46bdd371899ca5be7d7", "name": "CrypterX-gen | Video-lal.com | M. Brian Sabey \u2022 Hall Render | Rexxfield", "description": "Videolal results. Parked. Owner of domain has subsidiaries including Huge Domains. It's possible for attacker to post a 404 error page, park, post it for sale, malvertize. HoneyPotBot? \n\nFireeye. A bit much. william.ballenthin@fireeye.com\t\ncontain a resource (.rsrc) section moritz.raabe@fireeye.com. Overkill. What would Scooby Doo? Scooby!? \nTarget reports opening her MacBook Pro after it was replaced by Apple. It hadn't been in use. She opened it, surprised it was on, automatically connected to a store wifi (she was home) A worker was typing away in terminal. Fought hacker for recordings app containing Jeffrey Reimers aggressions. She lost. Terrified she murdered her MacBook by drowning & dismemberment. Big mistake. Cloned MacBook. Clicked on links trigger malicious downloads, network & DNS issues.", "modified": "2024-04-11T04:01:24.166000", "created": "2024-03-12T06:21:31.484000", "tags": [ "upatre malware", "rwi dtools", "page dow", "security", "bitfender", "yandex", "malware", "all octoseek", "av detections", "ids detections", "yara detections", "alerts", "file score", "fireeye", "injection", "worm", "trojan", "network", "poster", "honeybots", "united", "unknown", "win32upatre mar", "passive dns", "entries", "ipv4", "body", "artro", "generic malware", "formbook", "tag count", "threat report", "ip summary", "url summary", "generic", "hostnames", "pattern match", "ascii text", "png image", "root ca", "file", "authority", "indicator", "mitre att", "ck id", "class", "date", "enterprise", "hybrid", "accept", "general", "local", "click", "strings", "trident", "as47846", "germany unknown", "as2906 netflix", "scan endpoints", "domain", "urls", "files", "trojanspy", "mozilla", "dynamicloader", "medium", "title", "ms windows", "head", "intel", "inetsim http", "delete c", "show", "winnt", "copy", "powershell", "write", "next", "suspicious", "shop", "graph api", "status", "join", "vt community", "api key", "xcitium verdict", "cloud", "contacted", "contacted urls", "ssl certificate", "referrer", "historical ssl", "parent domain", "apple ios", "resolutions", "execution", "hacktool", "outbound connection", "detection list", "blacklist" ], "references": [ "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/ \u2022", "http://systemforex.de/search/redirect.php?f= | http://it.marksypark.com | dont-delete.hugedomains.com | http://selfsparkcentral.com", "william.ballenthin@fireeye.com contain a resource (.rsrc) section\tmoritz.raabe@fireeye.com | Pattern match: \"jloup@gzip.org\" & \"fancybox@3.5.7\"", "FormBook: 104.247.81.53 \u2022 http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "Win32:CrypterX-gen\\ [Trj] | FileHash-MD5 6878e9896fdd84dcc11c997c9b7330ba", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA1 2e586f8db46953532b5e25e07add4dbaeea83a79", "Win32:CrypterX-gen\\ [Trj] | FileHash-SHA256 00027d11309d55312ae77f32d4ae79671c91f541e577bace7a5a5abde05563ad", "Win32/Renos: https://otx.alienvault.com/malware/ALF:JASYP:TrojanDownloader:Win32%2FRenos/", "Other:Malware-gen\\ [Trj] | FileHash-MD5 b5168dab50187b33460201b35b96dea7", "Other:Malware-gen\\ [Trj] | FileHash-SHA1 68868b3d0115e3d06f5fddb9d2ea6ad54270166c", "Other:Malware-gen\\ [Trj] | FileHash-SHA256 0000ba467dd40046e240c11251d9db03636d0e7c6f9f96354a46a441c2003143", "allocates_execute_remote_process \u2022 injection_write_memory \u2022 injection_resumethread \u2022 packer_entropy \u2022 network _icmp \u2022 injection_runpe", "injection_write_memory_exe \u2022 injection_ntsetcontextthread \u2022 dumped_buffer \u2022 checks_debugger \u2022 generates_crypto_key \u2022 antivm_memory_available", "CnC IP Addresses: 104.247.81.53 \u2022 185.64.219.6 \u2022 199.191.50.82 \u2022 203.107.45.167 \u2022 91.195.240.94 \u2022 167.235.143.33", "AA47 More AV Detection Ratio 984 / 1000 IDS Detections Win32.Renos/ArtroMALWARETrojan Checkin M1 Possible Fake AV Checkin Fakealert. AA47 More AV Detection Ratio 984 / 1000 IDS Detections /Trojan Checkin M1 Possible Fake AV Checkin Fakealert.", "Videolal: 18.119.154.66:80 (endpoint request) \u2022 54.209.32.212 \u2022 http://videolal.com (phishing) \u2022 http://videolal.com/ \u2022 videolal.com \u2022 www.videolal.com \u2022", "www.videolal.com \u2022 httpvideolal.com \u2022 https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct.html", "https://www.hugedomains.com/domain_profile.cfm?d=videolal.com \u2022 https://www.hugedomains.com/domain_profile.cfm?d=videolal.com\"", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html \u2022", "https://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html", "https://videolal.com/videos/tsara-brashears-assaulted-by-jeffrey-reimer-metlife-login-retirement.html \u2022 https://videolal.com/css/js/jquery-ui.min.js", "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html \u2022 https://videolal.com/css/jquery-ui.css \u2022 http://videolal.com/tsara-brashears.html", "http://videolal.com/tsara-brashears-dead.html \u2022 http://videolal.com/tsara-brashears.html \u2022 http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://videolal.com/jeffrey-reimer-dpt-sexual-misconduct.html \u2022 http://videolal.com/tsara-brashears.html", "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html \u2022 http://videolal.com/the-man-who-built-america-1.html", "http://videolal.com/the-man-who-built-america-1.html \u2022 http://videolal.com/pinnacol-assurance-assaulted-by-jeffrey-", "http://videolal.com/jeffrey-reimer-dpt-physical-therapy-assaulted-patient.html \u2022 http://videolal.com/jeff-reimer-", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html \u2022", "http://videolal.com/jeff-reimer-dpt-buys-assault-victims-silence.html \u2022 http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/4998a7eac2a056833d01ee1e60c68c1f83f9ad6cd790ced9511e73cc12780f3c", "https://otx.alienvault.com/malware/Trojan:Win32%2FCrypterX/", "\u2192https://otx.alienvault.com/pulse/65eedf74b7bdda41057bef3e", "\u2192https://otx.alienvault.com/pulse/65ef3723d27863fc33a6b671", "\u2192https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "\u2192https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32:CrypterX-gen\\ [Trj]", "display_name": "Win32:CrypterX-gen\\ [Trj]", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Win32.Renos/Artro", "display_name": "Win32.Renos/Artro", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "I-Worm/Bagle.QE", "display_name": "I-Worm/Bagle.QE", "target": null }, { "id": "Worm.Bagle-44", "display_name": "Worm.Bagle-44", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" }, { "id": "Win.Trojan.Generic-9897526-0", "display_name": "Win.Trojan.Generic-9897526-0", "target": null }, { "id": "Win.Trojan.Knigsfot-125", "display_name": "Win.Trojan.Knigsfot-125", "target": null }, { "id": "ALF:TrojanDownloader:Win32/Vadokrist.A", "display_name": "ALF:TrojanDownloader:Win32/Vadokrist.A", "target": null }, { "id": "Win.Trojan.Generic-9957168-0", "display_name": "Win.Trojan.Generic-9957168-0", "target": null }, { "id": "Win.Adware.RelevantKnowledge-9821121-0", "display_name": "Win.Adware.RelevantKnowledge-9821121-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Neurevt", "display_name": "ALF:HeraklezEval:Trojan:Win32/Neurevt", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1622, "FileHash-SHA1": 934, "FileHash-SHA256": 3289, "URL": 9605, "domain": 2321, "hostname": 2411, "CVE": 1, "email": 3 }, "indicator_count": 20186, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "738 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e863bebbf95e0dc5a4169a", "name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack expected", "description": "Network compromised updated Apple device was directed (303) to a server. This is one of several botnets found. onthewifi \u2206 {Win32:BotX-gen\\ [Trj]} \u2022 Injection process | Password bypass. Studies targets behavior | Checks for other devices | Glupteba: \n Glupteba is a trojan-type program, malicious software that installs other programs of this type. Cyber criminals can perform a number of actions of a malicious hacker's choice on your device.", "modified": "2024-04-05T12:00:46.637000", "created": "2024-03-06T12:38:22.052000", "tags": [ "referrer", "tsara brashears", "password bypass", "apple phone", "unlocker", "shell code", "script", "pe resource", "execution", "sneaky server", "emotet", "android", "download", "malware", "relic", "monitoring", "installer", "formbook", "urls", "contacted", "win32 exe", "parents", "type name", "msrsaapp", "files", "file type", "kb file", "b file", "graph", "pe32 executable", "ms windows", "intel", "generic cil", "executable", "mono", "win32 dynamic", "link library", "win16 ne", "samplename", "samplepath", "jays youtube", "rticon neutral", "details", "header intel", "name md5", "type", "language", "contained", "ico rtgroupicon", "neutral", "net technology", "corporation", "domains", "markmonitor inc", "malicious", "cnc", "network", "bypass password", "network probe", "dns query", "as20940", "united", "aaaa", "search", "showing", "date", "passive dns", "registrar", "unknown", "encrypt", "next", "domain", "emails", "name servers", "as199524", "record value", "rst seen", "last seen", "asn country", "cname", "as15169 google", "scan endpoints", "all octoseek", "pulse pulses", "files ip", "as4788", "address", "pulses", "win32", "entries", "dadjoke", "ms defender", "united kingdom", "germany unknown", "as46606", "as14061", "servers", "as12576 ee", "russia unknown", "as3320 deutsche", "gamaredon", "armageddon", "as8068", "script urls", "for privacy", "script domains", "certificate", "meta", "creation date", "as14627", "ipv4", "onthewifi", "as54113", "trojan", "flywheel", "sea x", "accept", "ransom", "post http", "langserbian", "sublangdefault", "rticon", "process32nextw", "medium", "t1055", "high", "ip address", "generic", "body", "markus", "june", "copy", "bitcoin" ], "references": [ "FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb", "FormBook: 45.159.189.105", "FormBook: http://45.159.189.105/bot/regex", "Emotet: www.youtube.com/watch?v=GyuMozsVyYs", "Relic: bam.nr-data.net [Apple Private Data Collection]", "capitana.onthewifi.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Cryptor", "display_name": "Win32:Cryptor", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Glupteba.KM!MTB", "display_name": "Trojan:Win32/Glupteba.KM!MTB", "target": "/malware/Trojan:Win32/Glupteba.KM!MTB" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1188", "name": "Multi-hop Proxy", "display_name": "T1188 - Multi-hop Proxy" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 309, "FileHash-SHA1": 307, "FileHash-SHA256": 3084, "URL": 3066, "domain": 1085, "hostname": 1709, "CVE": 1, "email": 7 }, "indicator_count": 9568, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ea6410c1e1b1185951ef98", "name": "Win32:BotX-gen\\ [Trj] \u2022Jays Youtube Bot.exe attack executed (Copy)", "description": "", "modified": "2024-04-05T12:00:46.637000", "created": "2024-03-08T01:04:16.906000", "tags": [ "referrer", "tsara brashears", "password bypass", "apple phone", "unlocker", "shell code", "script", "pe resource", "execution", "sneaky server", "emotet", "android", "download", "malware", "relic", "monitoring", "installer", "formbook", "urls", "contacted", "win32 exe", "parents", "type name", "msrsaapp", "files", "file type", "kb file", "b file", "graph", "pe32 executable", "ms windows", "intel", "generic cil", "executable", "mono", "win32 dynamic", "link library", "win16 ne", "samplename", "samplepath", "jays youtube", "rticon neutral", "details", "header intel", "name md5", "type", "language", "contained", "ico rtgroupicon", "neutral", "net technology", "corporation", "domains", "markmonitor inc", "malicious", "cnc", "network", "bypass password", "network probe", "dns query", "as20940", "united", "aaaa", "search", "showing", "date", "passive dns", "registrar", "unknown", "encrypt", "next", "domain", "emails", "name servers", "as199524", "record value", "rst seen", "last seen", "asn country", "cname", "as15169 google", "scan endpoints", "all octoseek", "pulse pulses", "files ip", "as4788", "address", "pulses", "win32", "entries", "dadjoke", "ms defender", "united kingdom", "germany unknown", "as46606", "as14061", "servers", "as12576 ee", "russia unknown", "as3320 deutsche", "gamaredon", "armageddon", "as8068", "script urls", "for privacy", "script domains", "certificate", "meta", "creation date", "as14627", "ipv4", "onthewifi", "as54113", "trojan", "flywheel", "sea x", "accept", "ransom", "post http", "langserbian", "sublangdefault", "rticon", "process32nextw", "medium", "t1055", "high", "ip address", "generic", "body", "markus", "june", "copy", "bitcoin" ], "references": [ "FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb", "FormBook: 45.159.189.105", "FormBook: http://45.159.189.105/bot/regex", "Emotet: www.youtube.com/watch?v=GyuMozsVyYs", "Relic: bam.nr-data.net [Apple Private Data Collection]", "capitana.onthewifi.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Cryptor", "display_name": "Win32:Cryptor", "target": null }, { "id": "Win.Virus.PolyRansom-5704625-0", "display_name": "Win.Virus.PolyRansom-5704625-0", "target": null }, { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Glupteba.KM!MTB", "display_name": "Trojan:Win32/Glupteba.KM!MTB", "target": "/malware/Trojan:Win32/Glupteba.KM!MTB" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1188", "name": "Multi-hop Proxy", "display_name": "T1188 - Multi-hop Proxy" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" } ], "industries": [], "TLP": "green", "cloned_from": "65e863bebbf95e0dc5a4169a", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 309, "FileHash-SHA1": 307, "FileHash-SHA256": 3084, "URL": 3066, "domain": 1085, "hostname": 1709, "CVE": 1, "email": 7 }, "indicator_count": 9568, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e843669f4ba77affa4b297", "name": "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"", "description": "303 Error redirect target to desired service. | Likely using infected, updated apple Product. | Jays Youtube Bot.exe found. | Target saw episode subject, was suspicious due to 'diabolical women' connection promoted by Rexxfield[.] com (Tracey Richters ex-husband). I believe she was framed as is target I have come across. YouTube accounts are only told from the perspective of 2 ex-husbands, 1 doctor, 1 hacker and dentist[assaulter] who abused power. This trap makes targets look crazy, non credible leaving them traumatized. Attorneys or law enforcement likely overwhelmed, wild stories. I often consider truth is can be much stranger than fiction. Fiction often loosely based on truth.", "modified": "2024-04-05T09:00:01.502000", "created": "2024-03-06T10:20:22.440000", "tags": [ "communicating", "replacement", "unauthorized", "cyber attack", "emotet", "suspicious", "ransom", "Jays Youtube Bot.exe", "united", "unknown", "passive dns", "gmt server", "gmt etag", "accept encoding", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "accept", "pragma", "injection", "downloader", "as44273 host", "search", "record value", "status", "nxdomain", "content type", "next", "body", "entries", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "win32", "as15169 google", "aaaa", "domain", "pulse pulses", "urls", "contacted", "contacted urls", "whois whois", "pcname", "machinename", "execution", "bundled", "whois sneaky", "smokeloader", "amadey", "android", "youtube", "darklivity podcast", "tracey richter", "michael roberts", "server redirect", "hacking", "botnet", "application/binary", "jomax", "early, iowa", "hacker", "ruthless", "colorado", "pitman and or dentist hired roberts obvi", "song culture", "tsara brashears" ], "references": [ "www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2]", "message.htm.com [Ransom | Malware Spreader]", "Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae", "Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752", "Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea", "Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI]", "Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 \u2022 303 status redirect to Bot server.", "host.secureserver.net \u2022 htm.com \u2022 rue.services \u2022 199.22.109.208.host.secureserver.net \u2022 n1s.18b.mywebsitetransfer.com \u2022 mywebsitetransfer.com", "godaddy.com \u2022 prod.phx3.secureserver.net", "Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab", "Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5", "Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d", "Amadey: FileHash-SHA1\te44a9e7ec6fe06ae6ba1b9518db78e95ad451942", "Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357", "Amadey: IP 104.26.5.15", "CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed.", "Attempted to send viewer to own server.", "How about stop harming people" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.Win32.Snovir.kfmibf", "display_name": "Trojan.Win32.Snovir.kfmibf", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 52, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 114, "FileHash-SHA256": 952, "URL": 285, "domain": 257, "hostname": 285, "email": 1 }, "indicator_count": 2009, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ea64dbc3938c6472fd5e7b", "name": "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\" Crimes of Tracey Richter", "description": "", "modified": "2024-04-05T09:00:01.502000", "created": "2024-03-08T01:07:39.514000", "tags": [ "communicating", "replacement", "unauthorized", "cyber attack", "emotet", "suspicious", "ransom", "Jays Youtube Bot.exe", "united", "unknown", "passive dns", "gmt server", "gmt etag", "accept encoding", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "accept", "pragma", "injection", "downloader", "as44273 host", "search", "record value", "status", "nxdomain", "content type", "next", "body", "entries", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "win32", "as15169 google", "aaaa", "domain", "pulse pulses", "urls", "contacted", "contacted urls", "whois whois", "pcname", "machinename", "execution", "bundled", "whois sneaky", "smokeloader", "amadey", "android", "youtube", "darklivity podcast", "tracey richter", "michael roberts", "server redirect", "hacking", "botnet", "application/binary", "jomax", "early, iowa", "hacker", "ruthless", "colorado", "pitman and or dentist hired roberts obvi", "song culture", "tsara brashears" ], "references": [ "www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2]", "message.htm.com [Ransom | Malware Spreader]", "Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae", "Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752", "Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea", "Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI]", "Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 \u2022 303 status redirect to Bot server.", "host.secureserver.net \u2022 htm.com \u2022 rue.services \u2022 199.22.109.208.host.secureserver.net \u2022 n1s.18b.mywebsitetransfer.com \u2022 mywebsitetransfer.com", "godaddy.com \u2022 prod.phx3.secureserver.net", "Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab", "Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5", "Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d", "Amadey: FileHash-SHA1\te44a9e7ec6fe06ae6ba1b9518db78e95ad451942", "Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357", "Amadey: IP 104.26.5.15", "CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed.", "Attempted to send viewer to own server.", "How about stop harming people" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.Win32.Snovir.kfmibf", "display_name": "Trojan.Win32.Snovir.kfmibf", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65e843669f4ba77affa4b297", "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 114, "FileHash-SHA256": 952, "URL": 285, "domain": 257, "hostname": 285, "email": 1 }, "indicator_count": 2009, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "744 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d167a8cf2e7966af16a671", "name": "Mirai \u2022 Emotet \u2022 Injection VT & AlienVault reports deleted & modified", "description": "Remote actor uses injection, brute force and remote logins to delete incriminating pulse , virustotal and otx.alienvault pulses, nodes and/or graphs.\n\u2192https://myaccount.uscis.gov/- Immigration (DHS) Login. For years many tactics, social engineering and fraudulent activities persisted. Contact is made to American born citizens, to get in touch. A website is provided, homepage on affected devices is bogus, you have to call to address bogus government concern. Target calls redirected to a call center where they're told they have reached immigration, to verify PII, next told it's a mistake as they are not in the system. At some point meritless notification of Patriot Act violation is received. Identity theft occurs. Credit, bank and other accounts are cancelled. Likely away to gain legal access to spy on targets.", "modified": "2024-03-18T21:03:15.841000", "created": "2024-02-18T02:12:56.143000", "tags": [ "ssl certificate", "resolutions", "communicating", "historical ssl", "referrer", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "body", "read c", "write c", "show", "delete", "msie", "windows nt", "search", "read", "write", "default", "malware", "copy", "contacted", "execution", "contacted urls", "whois sslcert", "emotet", "creation date", "meta", "cookie", "pragma", "mozilla", "ms windows", "intel", "regsetvalueexa", "nsisinetc", "pe32", "class", "persistence", "code", "explorer", "toolbar", "next", "self", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "httponly", "html info", "us citizenship", "meta tags", "citizenship", "immigration", "trackers new", "relic na", "utc google", "tag manager", "gtm5h8hdq3", "ids detections", "title", "date", "entries", "content type", "a domains", "gmt server", "apache x", "path", "win32dh", "as46606", "slcc2", "media center", "temple", "port", "destination", "as29873 newfold", "digital", "as15169 google", "otx telemetry", "trojandropper", "trojan", "backdoor", "wabot", "apanas", "south korea", "as9318 sk", "as3786 lg", "china as4134", "get hello", "as4766 korea", "dlink router", "dsl2750b rce", "exploit", "mirai", "as21928", "china as4837", "gafgyt", "strings", "high priority", "pulses", "related tags", "file type", "sysv", "external", "virustotal", "as39962 pretecs", "canada unknown", "moved", "present dec", "server", "lifeweb server", "lifeweb", "encrypt", "accept", "malware infection", "yara detections", "icmp traffic", "top source", "top destination", "source source", "policy http", "client body", "wordpress login", "brain sabey", "hall render", "government", "https://myaccount.uscis.gov/", "attempted brute forcing", "remote handler", "junk data stuffing", "cyber threat", "human rights threat", "basic human rights", "collision", "collusion", "cultureneutral", "et trojan", "known hostile", "etpro trojan", "possible virut", "error", "stream", "vitro", "delphi", "form", "canvas" ], "references": [ "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022", "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/", "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331", "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine", "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection", "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com", "Yara Detections: GlassesCode" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ireland", "Cyprus", "Sweden", "Australia", "Canada", "Hong Kong", "India", "Japan" ], "malware_families": [ { "id": "Win.Trojan.6977536-1", "display_name": "Win.Trojan.6977536-1", "target": null }, { "id": "Nebuler/Dialer.qn", "display_name": "Nebuler/Dialer.qn", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Win32/DH{gVIJAw?}", "display_name": "Win32/DH{gVIJAw?}", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Trojan:Win32/Tinba!rfn", "display_name": "Trojan:Win32/Tinba!rfn", "target": "/malware/Trojan:Win32/Tinba!rfn" }, { "id": "Win32:Emotet-AI\\ [Trj]", "display_name": "Win32:Emotet-AI\\ [Trj]", "target": null }, { "id": "Win.Trojan.Generic-6333842-0", "display_name": "Win.Trojan.Generic-6333842-0", "target": null }, { "id": "Win32/CMSBrute/Pifagor", "display_name": "Win32/CMSBrute/Pifagor", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Vitro", "display_name": "Win32:Vitro", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7636, "URL": 4080, "domain": 3917, "hostname": 1617, "FileHash-MD5": 1284, "FileHash-SHA1": 1213, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 19751, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "761 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d167a9c59fe757dc56b395", "name": "Mirai \u2022 Emotet \u2022 Injection VT & AlienVault reports deleted & modified", "description": "Remote actor uses injection, brute force and remote logins to delete incriminating pulse , virustotal and otx.alienvault pulses, nodes and/or graphs.\n\u2192https://myaccount.uscis.gov/- Immigration (DHS) Login. For years many tactics, social engineering and fraudulent activities persisted. Contact is made to American born citizens, to get in touch. A website is provided, homepage on affected devices is bogus, you have to call to address bogus government concern. Target calls redirected to a call center where they're told they have reached immigration, to verify PII, next told it's a mistake as they are not in the system. At some point meritless notification of Patriot Act violation is received. Identity theft occurs. Credit, bank and other accounts are cancelled. Likely away to gain legal access to spy on targets.", "modified": "2024-03-18T21:03:15.841000", "created": "2024-02-18T02:12:57.917000", "tags": [ "ssl certificate", "resolutions", "communicating", "historical ssl", "referrer", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "body", "read c", "write c", "show", "delete", "msie", "windows nt", "search", "read", "write", "default", "malware", "copy", "contacted", "execution", "contacted urls", "whois sslcert", "emotet", "creation date", "meta", "cookie", "pragma", "mozilla", "ms windows", "intel", "regsetvalueexa", "nsisinetc", "pe32", "class", "persistence", "code", "explorer", "toolbar", "next", "self", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "httponly", "html info", "us citizenship", "meta tags", "citizenship", "immigration", "trackers new", "relic na", "utc google", "tag manager", "gtm5h8hdq3", "ids detections", "title", "date", "entries", "content type", "a domains", "gmt server", "apache x", "path", "win32dh", "as46606", "slcc2", "media center", "temple", "port", "destination", "as29873 newfold", "digital", "as15169 google", "otx telemetry", "trojandropper", "trojan", "backdoor", "wabot", "apanas", "south korea", "as9318 sk", "as3786 lg", "china as4134", "get hello", "as4766 korea", "dlink router", "dsl2750b rce", "exploit", "mirai", "as21928", "china as4837", "gafgyt", "strings", "high priority", "pulses", "related tags", "file type", "sysv", "external", "virustotal", "as39962 pretecs", "canada unknown", "moved", "present dec", "server", "lifeweb server", "lifeweb", "encrypt", "accept", "malware infection", "yara detections", "icmp traffic", "top source", "top destination", "source source", "policy http", "client body", "wordpress login", "brain sabey", "hall render", "government", "https://myaccount.uscis.gov/", "attempted brute forcing", "remote handler", "junk data stuffing", "cyber threat", "human rights threat", "basic human rights", "collision", "collusion", "cultureneutral", "et trojan", "known hostile", "etpro trojan", "possible virut", "error", "stream", "vitro", "delphi", "form", "canvas" ], "references": [ "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022", "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/", "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331", "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine", "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection", "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com", "Yara Detections: GlassesCode" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ireland", "Cyprus", "Sweden", "Australia", "Canada", "Hong Kong", "India", "Japan" ], "malware_families": [ { "id": "Win.Trojan.6977536-1", "display_name": "Win.Trojan.6977536-1", "target": null }, { "id": "Nebuler/Dialer.qn", "display_name": "Nebuler/Dialer.qn", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Win32/DH{gVIJAw?}", "display_name": "Win32/DH{gVIJAw?}", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Trojan:Win32/Tinba!rfn", "display_name": "Trojan:Win32/Tinba!rfn", "target": "/malware/Trojan:Win32/Tinba!rfn" }, { "id": "Win32:Emotet-AI\\ [Trj]", "display_name": "Win32:Emotet-AI\\ [Trj]", "target": null }, { "id": "Win.Trojan.Generic-6333842-0", "display_name": "Win.Trojan.Generic-6333842-0", "target": null }, { "id": "Win32/CMSBrute/Pifagor", "display_name": "Win32/CMSBrute/Pifagor", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Vitro", "display_name": "Win32:Vitro", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7636, "URL": 4080, "domain": 3917, "hostname": 1617, "FileHash-MD5": 1284, "FileHash-SHA1": 1213, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 19751, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "761 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d3ae057e25854811cc1395", "name": "Mirai \u2022 Injection VT & AlienVault reports deleted & modified", "description": "", "modified": "2024-03-18T21:03:15.841000", "created": "2024-02-19T19:37:41.208000", "tags": [ "ssl certificate", "resolutions", "communicating", "historical ssl", "referrer", "united", "unknown", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "body", "read c", "write c", "show", "delete", "msie", "windows nt", "search", "read", "write", "default", "malware", "copy", "contacted", "execution", "contacted urls", "whois sslcert", "emotet", "creation date", "meta", "cookie", "pragma", "mozilla", "ms windows", "intel", "regsetvalueexa", "nsisinetc", "pe32", "class", "persistence", "code", "explorer", "toolbar", "next", "self", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "httponly", "html info", "us citizenship", "meta tags", "citizenship", "immigration", "trackers new", "relic na", "utc google", "tag manager", "gtm5h8hdq3", "ids detections", "title", "date", "entries", "content type", "a domains", "gmt server", "apache x", "path", "win32dh", "as46606", "slcc2", "media center", "temple", "port", "destination", "as29873 newfold", "digital", "as15169 google", "otx telemetry", "trojandropper", "trojan", "backdoor", "wabot", "apanas", "south korea", "as9318 sk", "as3786 lg", "china as4134", "get hello", "as4766 korea", "dlink router", "dsl2750b rce", "exploit", "mirai", "as21928", "china as4837", "gafgyt", "strings", "high priority", "pulses", "related tags", "file type", "sysv", "external", "virustotal", "as39962 pretecs", "canada unknown", "moved", "present dec", "server", "lifeweb server", "lifeweb", "encrypt", "accept", "malware infection", "yara detections", "icmp traffic", "top source", "top destination", "source source", "policy http", "client body", "wordpress login", "brain sabey", "hall render", "government", "https://myaccount.uscis.gov/", "attempted brute forcing", "remote handler", "junk data stuffing", "cyber threat", "human rights threat", "basic human rights", "collision", "collusion", "cultureneutral", "et trojan", "known hostile", "etpro trojan", "possible virut", "error", "stream", "vitro", "delphi", "form", "canvas" ], "references": [ "https://myaccount.uscis.gov/ \u2022 Immigration (DHS) Login \u2022", "https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/", "https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331", "High Priority IP\u2019s Contacted \u2022 network_irc nolookup_communication \u2022 network_cnc_http \u2022 network_http p2p_cnc \u2022 MethCallEngine", "Huawei Remote Command Execution - Outbound (CVE-2017-17215) \u2022 dead_host \u2022 network_icmp \u2022 osquery_detection", "Mirai Variant Checkin Response \u2022 D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) \u2022 Domains Contacted ntp.ubuntu.com", "Yara Detections: GlassesCode" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ireland", "Cyprus", "Sweden", "Australia", "Canada", "Hong Kong", "India", "Japan" ], "malware_families": [ { "id": "Win.Trojan.6977536-1", "display_name": "Win.Trojan.6977536-1", "target": null }, { "id": "Nebuler/Dialer.qn", "display_name": "Nebuler/Dialer.qn", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Win32/DH{gVIJAw?}", "display_name": "Win32/DH{gVIJAw?}", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Trojan:Win32/Tinba!rfn", "display_name": "Trojan:Win32/Tinba!rfn", "target": "/malware/Trojan:Win32/Tinba!rfn" }, { "id": "Win32:Emotet-AI\\ [Trj]", "display_name": "Win32:Emotet-AI\\ [Trj]", "target": null }, { "id": "Win.Trojan.Generic-6333842-0", "display_name": "Win.Trojan.Generic-6333842-0", "target": null }, { "id": "Win32/CMSBrute/Pifagor", "display_name": "Win32/CMSBrute/Pifagor", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32:Vitro", "display_name": "Win32:Vitro", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Civil Society" ], "TLP": "white", "cloned_from": "65d167a9c59fe757dc56b395", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7636, "URL": 4080, "domain": 3917, "hostname": 1617, "FileHash-MD5": 1284, "FileHash-SHA1": 1213, "SSLCertFingerprint": 3, "CVE": 1 }, "indicator_count": 19751, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "761 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://zzciai.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://zzciai.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776615367.1576972 }