{ "type": "Domain", "indicator": "hyperiumhost.com.br", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/hyperiumhost.com.br", "alexa": "http://www.alexa.com/siteinfo/hyperiumhost.com.br", "indicator": "hyperiumhost.com.br", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3850753714, "indicator": "hyperiumhost.com.br", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6923408464566e39caf32285", "name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)", "description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00", "modified": "2025-12-23T16:04:54.329000", "created": "2025-11-23T17:12:36.917000", "tags": [ "no expiration", "expiration", "url https", "url http", "filehashsha256", "hostname", "domain", "filehashmd5", "filehashsha1", "ipv4", "code", "pool", "timothy pool", "z3je z3uwq7", "creation date", "ip address", "emails", "expiration date", "status", "hostname add", "pulse pulses", "passive dns", "urls", "date" ], "references": [ "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba", "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted", "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com", "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com", "www.techcult.com", "http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com", "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE", "truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com", "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com", "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json", "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/", "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing", "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site", "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt", "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)", "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less", "Yara: Detections ConventionEngine_Term_Users", "Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents", "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly", "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc", "Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process", "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name", "Yara : MS_Visual_Basic_6_0 ,", "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly", "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile", "Alerts: mouse_movement_detect", "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left", "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.", "Foundry stalking." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDropper:Win32/VB.IL0", "display_name": "TrojanDropper:Win32/VB.IL0", "target": "/malware/TrojanDropper:Win32/VB.IL0" }, { "id": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "target": null }, { "id": "Win.Ransomware.Msilzilla-10014498-0", "display_name": "Win.Ransomware.Msilzilla-10014498-0", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 773, "FileHash-SHA1": 684, "FileHash-SHA256": 1910, "CVE": 2, "SSLCertFingerprint": 4, "URL": 3783, "domain": 878, "email": 7, "hostname": 1913 }, "indicator_count": 9954, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "160 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690b39b3cf3cb86d14ccd811", "name": "VirusTotal Graph - 11.05.25 - UAlberta Insiders", "description": "I was just looking for a Dark Gate and came across this...hmmmm....\nI enriched on import, vet out and refer to virustotal graph referenced.\nRefer to References below - am unable to get them in. Profiled student group (OSINT) - unclear if potential allies or not.", "modified": "2025-12-05T11:00:41.797000", "created": "2025-11-05T11:49:07.495000", "tags": [ "chadsualberta" ], "references": [ "https://www.virustotal.com/graph/embed/ge8fc36dfbe1c48cab7c6efb0398cc30cb5aaebda2bf24123bb6a282436cc5bab?theme=dark", "https://www.filescan.io/uploads/690baf5e85b61a93a738d0d5/reports/ecaf45a2-956f-4d4e-8ebd-00813d966614/ioc", "ThreatZone - Malicious", "https://tria.ge/251105-yvvzgssldn", "https://hybrid-analysis.com/sample/30df68083e80263898ac56e2ef458811cec5fa73b92ad60f14b96ce676a11495", "https://hybrid-analysis.com/sample/30df68083e80263898ac56e2ef458811cec5fa73b92ad60f14b96ce676a11495/690baf2999a0659ae9046188", "Email: chads@ualberta[.]ca" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 120, "FileHash-SHA1": 120, "FileHash-SHA256": 1809, "URL": 603, "domain": 396, "hostname": 514 }, "indicator_count": 3562, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6675403ebdfc5bb1288b8b0b", "name": "Sakula RAT | Remote Attacks | Mirai | Piracy", "description": "", "modified": "2024-07-21T08:03:04.249000", "created": "2024-06-21T08:56:30.887000", "tags": [ "historical ssl", "remote", "high level", "hackers", "unknown win", "executable", "highly targeted", "cyber attack", "spotify artist", "sakula rat", "div div", "a div", "unknown", "united", "search", "nubile cowgirl", "mommy", "businessman", "slavegirl", "busty brunette", "date", "meta", "name servers", "status", "aaaa", "certificate", "cookie", "next", "log id", "gmtn", "go daddy", "authority", "tls web", "passive dns", "urls", "arizona", "scottsdale", "ca issuers", "false", "virgin islands", "as44273 host", "cname", "as19905", "creation date", "pulses", "trojan", "as22612", "react app", "verizon feed", "error", "typeof e", "body", "path", "info", "trace", "pulse submit", "url analysis", "files", "domain", "files ip", "external", "whois", "window", "as133618", "nxdomain", "coco", "elsa jean", "katrina jade", "amazing girls", "puffy nipples", "all scoreblue", "ipv4", "pulse pulses", "location virgin", "as133775 xiamen", "germany unknown", "florence co", "tsara brashears", "scan endpoints", "ip address", "ip related", "pulses otx", "redacted for", "for privacy", "dnssec", "as49870 alsycon", "as49305 map", "as24940 hetzner", "moved", "a domains", "encrypt", "showing", "expiration date", "as19527 google", "as397240", "get http", "read c", "write c", "et trojan", "dcom port", "possible", "host sinkhole", "write", "win32", "artemis", "malware", "nivdort", "zeus gameover", "copy", "xserver", "apple", "intellectual property theft", "dns replication", "type name", "replication", "domains", "ripe ncc", "ripe network", "whois lookups", "as49870 city", "abuse contact", "orgid", "mohammed zourob", "address", "orgabuseref", "mirai", "honeypot ips", "collection", "referrer", "mirai malware", "relacionada", "mirai 03042024", "bashlite", "sha256", "sha1", "windows nt", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "hybrid", "june", "local", "click", "strings", "contact", "as34788", "title", "body doctype", "html public", "ietfdtd html", "gmt server", "service", "apache", "targeting", "piracy" ], "references": [ "Sakula RAT - www.polarroute.com-CnC", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "appleremotesupport.com", "Remote Attack x12 devices: device-local-2d1dedc1-a9a2-445b-8475-c2a24b9c1f58.remotewd.com", "Win32:Malware-gen : watchhers.net", "89.190.156.61: Backdoor:Linux/Mirai.AY!MTB | Backdoor:Linux/DemonBot.Aa!MTB | Unix.Trojan.Mirai-7100807-0 | Unix.Trojan.Tsunami-6981155-0", "Artemis!88755E38FB0B: http://static.123mediaplayer.com/Styles/Softwares/03652e13_aartemis.zip", "Nivdort: 130.255.191.101 | 192.232.223.67 | 192.64.119.172 | 208.113.243.145", "Bayrob: 173.236.19.82", "Win32:Malware-gen: message.htm.com", "Verizon Feed: https://api.aws.parking.godaddy.com | api.aws.parking.godaddy.com | https://api.aws.parking.godaddy.com/d/search/p/godaddy/xml/domain/multiset/v4/", "Tracking: track.123mediaplayer.com | track4you2me.com | mobiletrackersoft.com | www.tracking.getrobux.gg", "Malvertising: https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net | i3.cdn-image.com", "https://esvid.net/video/la-escuelita-especial-de-halloween-tv-ana-emilia-mfYrv_yj7eM.html", "sex.com | xxgayporn.com | http://www.myporncdn.com/ | http://meyzo.com/porn/ww.xxxhorse.virlcom/3", "IDS Detections: ETPRO TROJAN Terse HTTP 1.0 Request Possible Nivdort | ETPRO TROJAN W32/Bayrob Attempted Checkin 2", "IDS Detections: ET TROJAN Possible Compromised Host Sinkhole Cookie Value Snkz | ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses", "IDS Detections: ETPRO TROJAN Possible Tinba DGA NXDOMAIN Responses (net)", "https://otx.alienvault.com/indicator/file/2bf47000e3fd57a0a66f114378e27bc7119657ae0e9f692cfb6add41fdd25d43", "Mirai: http://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=1313058492&charset=UTF-8&loc=http%3A//yorozuya.miraiserver.com/archives/20716", "Mirai: http://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=93256626515&charset=utf-8&loc=http%3A//yorozuya.miraiserver.com/archives/10404&referer=http%3A//www.google.co.jp/url%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D2%26ved%3D0ahUKEwiYv8vl6dHWAhUIf7wKHZD-CeUQFg No Expiration\t0\t URL https://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=94867445544&charset=UTF-8&loc=https%3A//yorozuya.miraiserver.com/archives/21384&referer=http%3A//search.yahoo.co.jp/ No Expiration\t0\t URL https://www.adsbo", "https://www.hybrid-analysis.com/sample/c878607fd780c9bc0d2f66b0c23ee33961c58ad568f4a2f1fe46082185299017/667532fda77e8833a9099b6b" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "Germany", "United States of America" ], "malware_families": [ { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null }, { "id": "a variant of Win32/Bayrob.BL", "display_name": "a variant of Win32/Bayrob.BL", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Trojan.Bayrob!gen9", "display_name": "Trojan.Bayrob!gen9", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "HEUR:Trojan.Win32.Generic", "display_name": "HEUR:Trojan.Win32.Generic", "target": null }, { "id": "Mal/Bayrob-C ,", "display_name": "Mal/Bayrob-C ,", "target": null }, { "id": "DownLoader24.56470", "display_name": "DownLoader24.56470", "target": null }, { "id": "Trojan/Win32.Nivdort.C1321145", "display_name": "Trojan/Win32.Nivdort.C1321145", "target": null }, { "id": "Backdoor:Linux/Mirai.AY!MTB", "display_name": "Backdoor:Linux/Mirai.AY!MTB", "target": "/malware/Backdoor:Linux/Mirai.AY!MTB" }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6903, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1390, "FileHash-MD5": 97, "FileHash-SHA1": 91, "FileHash-SHA256": 1341, "URL": 3993, "domain": 1903, "email": 11, "SSLCertFingerprint": 4, "CIDR": 2 }, "indicator_count": 8832, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "681 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Yara : MS_Visual_Basic_6_0 ,", "Mirai: http://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=93256626515&charset=utf-8&loc=http%3A//yorozuya.miraiserver.com/archives/10404&referer=http%3A//www.google.co.jp/url%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D2%26ved%3D0ahUKEwiYv8vl6dHWAhUIf7wKHZD-CeUQFg No Expiration\t0\t URL https://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=94867445544&charset=UTF-8&loc=https%3A//yorozuya.miraiserver.com/archives/21384&referer=http%3A//search.yahoo.co.jp/ No Expiration\t0\t URL https://www.adsbo", "Alerts: mouse_movement_detect", "89.190.156.61: Backdoor:Linux/Mirai.AY!MTB | Backdoor:Linux/DemonBot.Aa!MTB | Unix.Trojan.Mirai-7100807-0 | Unix.Trojan.Tsunami-6981155-0", "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/", "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site", "Artemis!88755E38FB0B: http://static.123mediaplayer.com/Styles/Softwares/03652e13_aartemis.zip", "IDS Detections: ETPRO TROJAN Terse HTTP 1.0 Request Possible Nivdort | ETPRO TROJAN W32/Bayrob Attempted Checkin 2", "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Tracking: track.123mediaplayer.com | track4you2me.com | mobiletrackersoft.com | www.tracking.getrobux.gg", "Malvertising: https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net | i3.cdn-image.com", "Win32:Malware-gen: message.htm.com", "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)", "https://esvid.net/video/la-escuelita-especial-de-halloween-tv-ana-emilia-mfYrv_yj7eM.html", "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted", "Sakula RAT - www.polarroute.com-CnC", "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt", "Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process", "Win32:Malware-gen : watchhers.net", "Verizon Feed: https://api.aws.parking.godaddy.com | api.aws.parking.godaddy.com | https://api.aws.parking.godaddy.com/d/search/p/godaddy/xml/domain/multiset/v4/", "https://hybrid-analysis.com/sample/30df68083e80263898ac56e2ef458811cec5fa73b92ad60f14b96ce676a11495", "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC", "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)", "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "appleremotesupport.com", "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N", "http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com", "Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents", "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly", "IDS Detections: ETPRO TROJAN Possible Tinba DGA NXDOMAIN Responses (net)", "https://otx.alienvault.com/indicator/file/2bf47000e3fd57a0a66f114378e27bc7119657ae0e9f692cfb6add41fdd25d43", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE", "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing", "truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com", "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name", "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly", "https://www.virustotal.com/graph/embed/ge8fc36dfbe1c48cab7c6efb0398cc30cb5aaebda2bf24123bb6a282436cc5bab?theme=dark", "Remote Attack x12 devices: device-local-2d1dedc1-a9a2-445b-8475-c2a24b9c1f58.remotewd.com", "Nivdort: 130.255.191.101 | 192.232.223.67 | 192.64.119.172 | 208.113.243.145", "Bayrob: 173.236.19.82", "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com", "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json", "Yara: Detections ConventionEngine_Term_Users", "https://www.filescan.io/uploads/690baf5e85b61a93a738d0d5/reports/ecaf45a2-956f-4d4e-8ebd-00813d966614/ioc", "www.techcult.com", "Email: chads@ualberta[.]ca", "IDS Detections: ET TROJAN Possible Compromised Host Sinkhole Cookie Value Snkz | ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses", "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba", "https://www.hybrid-analysis.com/sample/c878607fd780c9bc0d2f66b0c23ee33961c58ad568f4a2f1fe46082185299017/667532fda77e8833a9099b6b", "https://hybrid-analysis.com/sample/30df68083e80263898ac56e2ef458811cec5fa73b92ad60f14b96ce676a11495/690baf2999a0659ae9046188", "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "ThreatZone - Malicious", "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com", "sex.com | xxgayporn.com | http://www.myporncdn.com/ | http://meyzo.com/porn/ww.xxxhorse.virlcom/3", "https://tria.ge/251105-yvvzgssldn", "Mirai: http://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=1313058492&charset=UTF-8&loc=http%3A//yorozuya.miraiserver.com/archives/20716", "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile", "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left", "Foundry stalking.", "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Win32:malware-gen", "Trojan.bayrob!gen9", "Alf:trojan:win32/cassini_56a3061!ibt", "A variant of win32/bayrob.bl", "Mal/bayrob-c ,", "Downloader24.56470", "Backdoor:linux/mirai.ay!mtb", "Sakula rat", "Trojandropper:win32/vb.il0", "Heur:trojan.win32.generic", "Trojan", "Win.ransomware.msilzilla-10014498-0", "Unix.trojan.tsunami-6981155-0", "Trojan/win32.nivdort.c1321145" ], "industries": [ "Education", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6923408464566e39caf32285", "name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)", "description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00", "modified": "2025-12-23T16:04:54.329000", "created": "2025-11-23T17:12:36.917000", "tags": [ "no expiration", "expiration", "url https", "url http", "filehashsha256", "hostname", "domain", "filehashmd5", "filehashsha1", "ipv4", "code", "pool", "timothy pool", "z3je z3uwq7", "creation date", "ip address", "emails", "expiration date", "status", "hostname add", "pulse pulses", "passive dns", "urls", "date" ], "references": [ "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba", "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted", "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com", "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com", "www.techcult.com", "http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com", "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE", "truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com", "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com", "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json", "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/", "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing", "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site", "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt", "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)", "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less", "Yara: Detections ConventionEngine_Term_Users", "Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents", "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly", "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc", "Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process", "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name", "Yara : MS_Visual_Basic_6_0 ,", "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly", "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile", "Alerts: mouse_movement_detect", "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left", "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.", "Foundry stalking." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDropper:Win32/VB.IL0", "display_name": "TrojanDropper:Win32/VB.IL0", "target": "/malware/TrojanDropper:Win32/VB.IL0" }, { "id": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "target": null }, { "id": "Win.Ransomware.Msilzilla-10014498-0", "display_name": "Win.Ransomware.Msilzilla-10014498-0", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 773, "FileHash-SHA1": 684, "FileHash-SHA256": 1910, "CVE": 2, "SSLCertFingerprint": 4, "URL": 3783, "domain": 878, "email": 7, "hostname": 1913 }, "indicator_count": 9954, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "160 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690b39b3cf3cb86d14ccd811", "name": "VirusTotal Graph - 11.05.25 - UAlberta Insiders", "description": "I was just looking for a Dark Gate and came across this...hmmmm....\nI enriched on import, vet out and refer to virustotal graph referenced.\nRefer to References below - am unable to get them in. Profiled student group (OSINT) - unclear if potential allies or not.", "modified": "2025-12-05T11:00:41.797000", "created": "2025-11-05T11:49:07.495000", "tags": [ "chadsualberta" ], "references": [ "https://www.virustotal.com/graph/embed/ge8fc36dfbe1c48cab7c6efb0398cc30cb5aaebda2bf24123bb6a282436cc5bab?theme=dark", "https://www.filescan.io/uploads/690baf5e85b61a93a738d0d5/reports/ecaf45a2-956f-4d4e-8ebd-00813d966614/ioc", "ThreatZone - Malicious", "https://tria.ge/251105-yvvzgssldn", "https://hybrid-analysis.com/sample/30df68083e80263898ac56e2ef458811cec5fa73b92ad60f14b96ce676a11495", "https://hybrid-analysis.com/sample/30df68083e80263898ac56e2ef458811cec5fa73b92ad60f14b96ce676a11495/690baf2999a0659ae9046188", "Email: chads@ualberta[.]ca" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 120, "FileHash-SHA1": 120, "FileHash-SHA256": 1809, "URL": 603, "domain": 396, "hostname": 514 }, "indicator_count": 3562, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6675403ebdfc5bb1288b8b0b", "name": "Sakula RAT | Remote Attacks | Mirai | Piracy", "description": "", "modified": "2024-07-21T08:03:04.249000", "created": "2024-06-21T08:56:30.887000", "tags": [ "historical ssl", "remote", "high level", "hackers", "unknown win", "executable", "highly targeted", "cyber attack", "spotify artist", "sakula rat", "div div", "a div", "unknown", "united", "search", "nubile cowgirl", "mommy", "businessman", "slavegirl", "busty brunette", "date", "meta", "name servers", "status", "aaaa", "certificate", "cookie", "next", "log id", "gmtn", "go daddy", "authority", "tls web", "passive dns", "urls", "arizona", "scottsdale", "ca issuers", "false", "virgin islands", "as44273 host", "cname", "as19905", "creation date", "pulses", "trojan", "as22612", "react app", "verizon feed", "error", "typeof e", "body", "path", "info", "trace", "pulse submit", "url analysis", "files", "domain", "files ip", "external", "whois", "window", "as133618", "nxdomain", "coco", "elsa jean", "katrina jade", "amazing girls", "puffy nipples", "all scoreblue", "ipv4", "pulse pulses", "location virgin", "as133775 xiamen", "germany unknown", "florence co", "tsara brashears", "scan endpoints", "ip address", "ip related", "pulses otx", "redacted for", "for privacy", "dnssec", "as49870 alsycon", "as49305 map", "as24940 hetzner", "moved", "a domains", "encrypt", "showing", "expiration date", "as19527 google", "as397240", "get http", "read c", "write c", "et trojan", "dcom port", "possible", "host sinkhole", "write", "win32", "artemis", "malware", "nivdort", "zeus gameover", "copy", "xserver", "apple", "intellectual property theft", "dns replication", "type name", "replication", "domains", "ripe ncc", "ripe network", "whois lookups", "as49870 city", "abuse contact", "orgid", "mohammed zourob", "address", "orgabuseref", "mirai", "honeypot ips", "collection", "referrer", "mirai malware", "relacionada", "mirai 03042024", "bashlite", "sha256", "sha1", "windows nt", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "hybrid", "june", "local", "click", "strings", "contact", "as34788", "title", "body doctype", "html public", "ietfdtd html", "gmt server", "service", "apache", "targeting", "piracy" ], "references": [ "Sakula RAT - www.polarroute.com-CnC", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "appleremotesupport.com", "Remote Attack x12 devices: device-local-2d1dedc1-a9a2-445b-8475-c2a24b9c1f58.remotewd.com", "Win32:Malware-gen : watchhers.net", "89.190.156.61: Backdoor:Linux/Mirai.AY!MTB | Backdoor:Linux/DemonBot.Aa!MTB | Unix.Trojan.Mirai-7100807-0 | Unix.Trojan.Tsunami-6981155-0", "Artemis!88755E38FB0B: http://static.123mediaplayer.com/Styles/Softwares/03652e13_aartemis.zip", "Nivdort: 130.255.191.101 | 192.232.223.67 | 192.64.119.172 | 208.113.243.145", "Bayrob: 173.236.19.82", "Win32:Malware-gen: message.htm.com", "Verizon Feed: https://api.aws.parking.godaddy.com | api.aws.parking.godaddy.com | https://api.aws.parking.godaddy.com/d/search/p/godaddy/xml/domain/multiset/v4/", "Tracking: track.123mediaplayer.com | track4you2me.com | mobiletrackersoft.com | www.tracking.getrobux.gg", "Malvertising: https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net | i3.cdn-image.com", "https://esvid.net/video/la-escuelita-especial-de-halloween-tv-ana-emilia-mfYrv_yj7eM.html", "sex.com | xxgayporn.com | http://www.myporncdn.com/ | http://meyzo.com/porn/ww.xxxhorse.virlcom/3", "IDS Detections: ETPRO TROJAN Terse HTTP 1.0 Request Possible Nivdort | ETPRO TROJAN W32/Bayrob Attempted Checkin 2", "IDS Detections: ET TROJAN Possible Compromised Host Sinkhole Cookie Value Snkz | ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses", "IDS Detections: ETPRO TROJAN Possible Tinba DGA NXDOMAIN Responses (net)", "https://otx.alienvault.com/indicator/file/2bf47000e3fd57a0a66f114378e27bc7119657ae0e9f692cfb6add41fdd25d43", "Mirai: http://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=1313058492&charset=UTF-8&loc=http%3A//yorozuya.miraiserver.com/archives/20716", "Mirai: http://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=93256626515&charset=utf-8&loc=http%3A//yorozuya.miraiserver.com/archives/10404&referer=http%3A//www.google.co.jp/url%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D2%26ved%3D0ahUKEwiYv8vl6dHWAhUIf7wKHZD-CeUQFg No Expiration\t0\t URL https://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=94867445544&charset=UTF-8&loc=https%3A//yorozuya.miraiserver.com/archives/21384&referer=http%3A//search.yahoo.co.jp/ No Expiration\t0\t URL https://www.adsbo", "https://www.hybrid-analysis.com/sample/c878607fd780c9bc0d2f66b0c23ee33961c58ad568f4a2f1fe46082185299017/667532fda77e8833a9099b6b" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "Germany", "United States of America" ], "malware_families": [ { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null }, { "id": "a variant of Win32/Bayrob.BL", "display_name": "a variant of Win32/Bayrob.BL", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Trojan.Bayrob!gen9", "display_name": "Trojan.Bayrob!gen9", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "HEUR:Trojan.Win32.Generic", "display_name": "HEUR:Trojan.Win32.Generic", "target": null }, { "id": "Mal/Bayrob-C ,", "display_name": "Mal/Bayrob-C ,", "target": null }, { "id": "DownLoader24.56470", "display_name": "DownLoader24.56470", "target": null }, { "id": "Trojan/Win32.Nivdort.C1321145", "display_name": "Trojan/Win32.Nivdort.C1321145", "target": null }, { "id": "Backdoor:Linux/Mirai.AY!MTB", "display_name": "Backdoor:Linux/Mirai.AY!MTB", "target": "/malware/Backdoor:Linux/Mirai.AY!MTB" }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6903, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1390, "FileHash-MD5": 97, "FileHash-SHA1": 91, "FileHash-SHA256": 1341, "URL": 3993, "domain": 1903, "email": 11, "SSLCertFingerprint": 4, "CIDR": 2 }, "indicator_count": 8832, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "681 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "hyperiumhost.com.br", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "hyperiumhost.com.br", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780414901.903165 }