{
  "type": "Domain",
  "indicator": "keyauth.win",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/keyauth.win",
    "alexa": "http://www.alexa.com/siteinfo/keyauth.win",
    "indicator": "keyauth.win",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3393637723,
      "indicator": "keyauth.win",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 50,
      "pulses": [
        {
          "id": "6a19a9e96af10a628d3410f6",
          "name": "credit scoreblue Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPE",
          "description": "",
          "modified": "2026-05-29T14:59:53.153000",
          "created": "2026-05-29T14:59:53.153000",
          "tags": [
            "swipp9-arin",
            "swipper",
            "swipp",
            "verizon",
            "cellcopart",
            "swipper",
            "ongoing",
            "get e sim",
            "as16276",
            "france unknown",
            "unknown",
            "as6167",
            "org verizon",
            "passive dns",
            "all scoreblue",
            "as8075",
            "cellco",
            "javascript",
            "help center",
            "please",
            "service privacy",
            "policy cookie",
            "policy imprint",
            "ads info",
            "cms",
            "express",
            "tsa b",
            "self",
            "server",
            "get esim",
            "wirelessdatanetwork",
            "netrange",
            "nethandle",
            "net174",
            "net1740000",
            "mcics",
            "orgid",
            "mcics address",
            "loudoun county",
            "android",
            "generic http",
            "exe upload",
            "windows nt",
            "outbound",
            "host",
            "malware beacon",
            "cape",
            "trojan",
            "copy",
            "write",
            "malware",
            "inbound",
            "impash",
            "post na",
            "search",
            "delete",
            "related pulses",
            "top source",
            "top destination",
            "source source",
            "filehash",
            "contentlength",
            "activity",
            "dns lookup",
            "flooder",
            "et",
            "aaaa",
            "nxdomain",
            "domain",
            "ipv4",
            "url analysis",
            "files",
            "malicious",
            "network",
            "historical ssl",
            "epsilon stealer",
            "traces aided",
            "dns intel",
            "remote job",
            "keeper",
            "snatch",
            "ransomware",
            "united states",
            "as8068",
            "entries",
            "mtb jan",
            "body",
            "x msedge",
            "scan endpoints",
            "trojandropper",
            "slf features",
            "file samples",
            "files matching",
            "date hash",
            "next",
            "win64",
            "win32",
            "copyright",
            "levelblue",
            "showing",
            "a domains",
            "as54113",
            "script domains",
            "script urls",
            "script script",
            "date",
            "meta",
            "window",
            "cookie",
            "trojan features",
            "worm",
            "show",
            "alf features",
            "hca",
            "target tsara brashears",
            "hostname",
            "expiration",
            "no expiration",
            "hca health",
            "eva120",
            "jody huffines",
            "jody alaska",
            "stephen r 'middleton'",
            "phone clone",
            "adversary in the middle",
            "known threat",
            "android attack",
            "web attack",
            "network",
            "dns",
            "florence co",
            "ddos",
            "google",
            "ip address",
            "ip range",
            "whois",
            "spam stats",
            "as6167 network",
            "cleantalk ip",
            "email abuse",
            "reports",
            "misc attack",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "suricata",
            "et intelligence",
            "known malicious ip",
            "spoof",
            "twitter",
            "x",
            "hackers"
          ],
          "references": [
            "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks  174.215.26.0",
            "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
            "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
            "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
            "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
            "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
            "Yara Detections: SUSP_Imphash_Mar23_2",
            "Alerts: cape_detected_threat",
            "http://www.govexec.com/dailyfed/0906/091806ol.htm",
            "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
            "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
            "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
            "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
            "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
            "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
            "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
            "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
            "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
            "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
            "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
            "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Vflooder.A",
              "display_name": "Trojan:Win32/Vflooder.A",
              "target": "/malware/Trojan:Win32/Vflooder.A"
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Flooder",
              "display_name": "Flooder",
              "target": null
            },
            {
              "id": "Trojan.Upatre/Waski",
              "display_name": "Trojan.Upatre/Waski",
              "target": null
            },
            {
              "id": "SLF:Win64/CobPipe",
              "display_name": "SLF:Win64/CobPipe",
              "target": "/malware/SLF:Win64/CobPipe"
            },
            {
              "id": "TrojanDropper:Win32/Muldrop.V!MTB",
              "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
              "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
            },
            {
              "id": "Worm:Win32/AutoRun",
              "display_name": "Worm:Win32/AutoRun",
              "target": "/malware/Worm:Win32/AutoRun"
            },
            {
              "id": "ALF:Program:Win32/Webcompanion",
              "display_name": "ALF:Program:Win32/Webcompanion",
              "target": null
            },
            {
              "id": "Trojan:Win32/Antavmu",
              "display_name": "Trojan:Win32/Antavmu",
              "target": "/malware/Trojan:Win32/Antavmu"
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1212",
              "name": "Exploitation for Credential Access",
              "display_name": "T1212 - Exploitation for Credential Access"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1122",
              "name": "Component Object Model Hijacking",
              "display_name": "T1122 - Component Object Model Hijacking"
            },
            {
              "id": "T1198",
              "name": "SIP and Trust Provider Hijacking",
              "display_name": "T1198 - SIP and Trust Provider Hijacking"
            },
            {
              "id": "T1460",
              "name": "Biometric Spoofing",
              "display_name": "T1460 - Biometric Spoofing"
            },
            {
              "id": "T1502",
              "name": "Parent PID Spoofing",
              "display_name": "T1502 - Parent PID Spoofing"
            },
            {
              "id": "T1205.001",
              "name": "Port Knocking",
              "display_name": "T1205.001 - Port Knocking"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Healthcare",
            "Government",
            "Civilian Society"
          ],
          "TLP": "white",
          "cloned_from": "66d496e04d8fa0cc8d528941",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 33,
            "CIDR": 9,
            "URL": 221,
            "hostname": 390,
            "FileHash-SHA256": 4343,
            "domain": 177,
            "FileHash-MD5": 2244,
            "FileHash-SHA1": 2244,
            "CVE": 1
          },
          "indicator_count": 9662,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1 day ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a19a9e76f31858c39e74d24",
          "name": "credit scoreblue Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPE",
          "description": "",
          "modified": "2026-05-29T14:59:51.891000",
          "created": "2026-05-29T14:59:51.891000",
          "tags": [
            "swipp9-arin",
            "swipper",
            "swipp",
            "verizon",
            "cellcopart",
            "swipper",
            "ongoing",
            "get e sim",
            "as16276",
            "france unknown",
            "unknown",
            "as6167",
            "org verizon",
            "passive dns",
            "all scoreblue",
            "as8075",
            "cellco",
            "javascript",
            "help center",
            "please",
            "service privacy",
            "policy cookie",
            "policy imprint",
            "ads info",
            "cms",
            "express",
            "tsa b",
            "self",
            "server",
            "get esim",
            "wirelessdatanetwork",
            "netrange",
            "nethandle",
            "net174",
            "net1740000",
            "mcics",
            "orgid",
            "mcics address",
            "loudoun county",
            "android",
            "generic http",
            "exe upload",
            "windows nt",
            "outbound",
            "host",
            "malware beacon",
            "cape",
            "trojan",
            "copy",
            "write",
            "malware",
            "inbound",
            "impash",
            "post na",
            "search",
            "delete",
            "related pulses",
            "top source",
            "top destination",
            "source source",
            "filehash",
            "contentlength",
            "activity",
            "dns lookup",
            "flooder",
            "et",
            "aaaa",
            "nxdomain",
            "domain",
            "ipv4",
            "url analysis",
            "files",
            "malicious",
            "network",
            "historical ssl",
            "epsilon stealer",
            "traces aided",
            "dns intel",
            "remote job",
            "keeper",
            "snatch",
            "ransomware",
            "united states",
            "as8068",
            "entries",
            "mtb jan",
            "body",
            "x msedge",
            "scan endpoints",
            "trojandropper",
            "slf features",
            "file samples",
            "files matching",
            "date hash",
            "next",
            "win64",
            "win32",
            "copyright",
            "levelblue",
            "showing",
            "a domains",
            "as54113",
            "script domains",
            "script urls",
            "script script",
            "date",
            "meta",
            "window",
            "cookie",
            "trojan features",
            "worm",
            "show",
            "alf features",
            "hca",
            "target tsara brashears",
            "hostname",
            "expiration",
            "no expiration",
            "hca health",
            "eva120",
            "jody huffines",
            "jody alaska",
            "stephen r 'middleton'",
            "phone clone",
            "adversary in the middle",
            "known threat",
            "android attack",
            "web attack",
            "network",
            "dns",
            "florence co",
            "ddos",
            "google",
            "ip address",
            "ip range",
            "whois",
            "spam stats",
            "as6167 network",
            "cleantalk ip",
            "email abuse",
            "reports",
            "misc attack",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "suricata",
            "et intelligence",
            "known malicious ip",
            "spoof",
            "twitter",
            "x",
            "hackers"
          ],
          "references": [
            "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks  174.215.26.0",
            "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
            "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
            "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
            "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
            "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
            "Yara Detections: SUSP_Imphash_Mar23_2",
            "Alerts: cape_detected_threat",
            "http://www.govexec.com/dailyfed/0906/091806ol.htm",
            "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
            "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
            "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
            "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
            "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
            "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
            "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
            "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
            "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
            "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
            "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
            "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Vflooder.A",
              "display_name": "Trojan:Win32/Vflooder.A",
              "target": "/malware/Trojan:Win32/Vflooder.A"
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Flooder",
              "display_name": "Flooder",
              "target": null
            },
            {
              "id": "Trojan.Upatre/Waski",
              "display_name": "Trojan.Upatre/Waski",
              "target": null
            },
            {
              "id": "SLF:Win64/CobPipe",
              "display_name": "SLF:Win64/CobPipe",
              "target": "/malware/SLF:Win64/CobPipe"
            },
            {
              "id": "TrojanDropper:Win32/Muldrop.V!MTB",
              "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
              "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
            },
            {
              "id": "Worm:Win32/AutoRun",
              "display_name": "Worm:Win32/AutoRun",
              "target": "/malware/Worm:Win32/AutoRun"
            },
            {
              "id": "ALF:Program:Win32/Webcompanion",
              "display_name": "ALF:Program:Win32/Webcompanion",
              "target": null
            },
            {
              "id": "Trojan:Win32/Antavmu",
              "display_name": "Trojan:Win32/Antavmu",
              "target": "/malware/Trojan:Win32/Antavmu"
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1212",
              "name": "Exploitation for Credential Access",
              "display_name": "T1212 - Exploitation for Credential Access"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1122",
              "name": "Component Object Model Hijacking",
              "display_name": "T1122 - Component Object Model Hijacking"
            },
            {
              "id": "T1198",
              "name": "SIP and Trust Provider Hijacking",
              "display_name": "T1198 - SIP and Trust Provider Hijacking"
            },
            {
              "id": "T1460",
              "name": "Biometric Spoofing",
              "display_name": "T1460 - Biometric Spoofing"
            },
            {
              "id": "T1502",
              "name": "Parent PID Spoofing",
              "display_name": "T1502 - Parent PID Spoofing"
            },
            {
              "id": "T1205.001",
              "name": "Port Knocking",
              "display_name": "T1205.001 - Port Knocking"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Healthcare",
            "Government",
            "Civilian Society"
          ],
          "TLP": "white",
          "cloned_from": "66d496e04d8fa0cc8d528941",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 33,
            "CIDR": 9,
            "URL": 221,
            "hostname": 390,
            "FileHash-SHA256": 4343,
            "domain": 177,
            "FileHash-MD5": 2244,
            "FileHash-SHA1": 2244,
            "CVE": 1
          },
          "indicator_count": 9662,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1 day ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c60b402cd173d2b4aed0c6",
          "name": "pastebin",
          "description": "",
          "modified": "2026-04-26T04:18:29.754000",
          "created": "2026-03-27T04:44:48.317000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 49,
            "FileHash-MD5": 30,
            "FileHash-SHA1": 26,
            "FileHash-SHA256": 223,
            "domain": 17,
            "hostname": 2
          },
          "indicator_count": 347,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 183,
          "modified_text": "35 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bc6425a5a36e17f26a46c0",
          "name": "ipify",
          "description": "",
          "modified": "2026-04-18T20:50:15.889000",
          "created": "2026-03-19T21:01:25.784000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 34,
            "FileHash-SHA1": 38,
            "FileHash-SHA256": 251,
            "URL": 38,
            "domain": 4,
            "hostname": 3
          },
          "indicator_count": 368,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 183,
          "modified_text": "42 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b63553f456643631f3e4a4",
          "name": "pastebin",
          "description": "",
          "modified": "2026-04-14T04:40:38.996000",
          "created": "2026-03-15T04:28:03.718000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 202,
            "FileHash-MD5": 55,
            "FileHash-SHA1": 52,
            "FileHash-SHA256": 414,
            "domain": 27,
            "hostname": 15
          },
          "indicator_count": 765,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 184,
          "modified_text": "47 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68a17cdcb0b2304208813be1",
          "name": "check",
          "description": "",
          "modified": "2026-01-10T04:26:04.027000",
          "created": "2025-08-17T06:55:24.949000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 58,
            "FileHash-SHA1": 84,
            "FileHash-SHA256": 326,
            "URL": 114,
            "domain": 3,
            "hostname": 13
          },
          "indicator_count": 598,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 182,
          "modified_text": "141 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6852142c057d96009f4bf277",
          "name": "effects-removal",
          "description": "",
          "modified": "2025-12-30T01:36:58.417000",
          "created": "2025-06-18T01:19:40.701000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 296,
            "FileHash-MD5": 78,
            "FileHash-SHA1": 51,
            "FileHash-SHA256": 165,
            "domain": 128,
            "hostname": 70
          },
          "indicator_count": 788,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 182,
          "modified_text": "152 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6923408464566e39caf32285",
          "name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)",
          "description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00",
          "modified": "2025-12-23T16:04:54.329000",
          "created": "2025-11-23T17:12:36.917000",
          "tags": [
            "no expiration",
            "expiration",
            "url https",
            "url http",
            "filehashsha256",
            "hostname",
            "domain",
            "filehashmd5",
            "filehashsha1",
            "ipv4",
            "code",
            "pool",
            "timothy pool",
            "z3je z3uwq7",
            "creation date",
            "ip address",
            "emails",
            "expiration date",
            "status",
            "hostname add",
            "pulse pulses",
            "passive dns",
            "urls",
            "date"
          ],
          "references": [
            "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba",
            "The pulse created by scnrscnr is worth reviewing. I was surprised to see a target\u2019s name. I didn\u2019t see Foundry highlighted",
            "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com",
            "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t  Domain blogspot.com Whitelisted domain blogspot.com\t  Domain techcult.com Whitelisted domain techcult.com\t  Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com",
            "www.techcult.com",
            "http://foundry.tartarynova.com phishing \u2022  https://foundry.tartarynova.com \u2022 foundry.tartarynova.com",
            "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N",
            "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC",
            "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE",
            "truefoundry.com \u2022  assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com",
            "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022  sin.llm-gateway.truefoundry.com",
            "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json",
            "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/",
            "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing",
            "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site",
            "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt",
            "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)",
            "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)",
            "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
            "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less",
            "Yara: Detections ConventionEngine_Term_Users",
            "Yara:  ConventionEngine_Anomaly_MultiPDB_Double ,  ConventionEngine_Term_Documents",
            "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly",
            "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc",
            "Alerts: dynamic_function_loading  injection_write_process reads_memory_remote_process",
            "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name",
            "Yara : MS_Visual_Basic_6_0 ,",
            "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser",
            "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly",
            "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile",
            "Alerts:  mouse_movement_detect",
            "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left",
            "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.",
            "Foundry stalking."
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "TrojanDropper:Win32/VB.IL0",
              "display_name": "TrojanDropper:Win32/VB.IL0",
              "target": "/malware/TrojanDropper:Win32/VB.IL0"
            },
            {
              "id": "ALF:Trojan:Win32/Cassini_56a3061!ibt",
              "display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt",
              "target": null
            },
            {
              "id": "Win.Ransomware.Msilzilla-10014498-0",
              "display_name": "Win.Ransomware.Msilzilla-10014498-0",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1443",
              "name": "Remotely Install Application",
              "display_name": "T1443 - Remotely Install Application"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 773,
            "FileHash-SHA1": 684,
            "FileHash-SHA256": 1910,
            "CVE": 2,
            "SSLCertFingerprint": 4,
            "URL": 3783,
            "domain": 878,
            "email": 7,
            "hostname": 1913
          },
          "indicator_count": 9954,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "158 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "685a3ec8f4cd57fdd6dce0b7",
          "name": "remkos2",
          "description": "",
          "modified": "2025-12-22T00:24:52.539000",
          "created": "2025-06-24T05:59:36.238000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 25,
            "hostname": 70,
            "FileHash-MD5": 47,
            "FileHash-SHA1": 47,
            "FileHash-SHA256": 175,
            "URL": 185
          },
          "indicator_count": 549,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 182,
          "modified_text": "160 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6878fa76ef0fc60c55547527",
          "name": "ipwhois",
          "description": "",
          "modified": "2025-12-19T23:39:48.219000",
          "created": "2025-07-17T13:28:22.909000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 216,
            "FileHash-MD5": 73,
            "FileHash-SHA1": 76,
            "FileHash-SHA256": 395,
            "domain": 23,
            "hostname": 21
          },
          "indicator_count": 804,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 182,
          "modified_text": "162 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "691007925f370e350169ff23",
          "name": "check",
          "description": "",
          "modified": "2025-12-15T02:10:20.572000",
          "created": "2025-11-09T03:16:34.163000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 147,
            "FileHash-MD5": 38,
            "FileHash-SHA1": 39,
            "FileHash-SHA256": 479,
            "domain": 28,
            "hostname": 13
          },
          "indicator_count": 744,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 182,
          "modified_text": "167 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "682e41cb1d50ed21c4f55224",
          "name": "www.filescan.io feed 21 May 2025",
          "description": "",
          "modified": "2025-12-04T01:09:57.636000",
          "created": "2025-05-21T21:12:43.996000",
          "tags": [],
          "references": [
            "https://www.filescan.io/api/feed/reports"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1704,
            "FileHash-SHA1": 1702,
            "FileHash-SHA256": 1854,
            "URL": 1400,
            "domain": 248,
            "email": 20,
            "hostname": 122
          },
          "indicator_count": 7050,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 183,
          "modified_text": "178 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68f80c6bcd3fff3a4f126a68",
          "name": "Sventore \u2022 Agent Tesla Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information ",
          "description": "",
          "modified": "2025-11-20T17:00:05.377000",
          "created": "2025-10-21T22:42:51.657000",
          "tags": [
            "united",
            "urls",
            "domain",
            "files",
            "files ip",
            "td td",
            "td tr",
            "a td",
            "dynamic dns",
            "arial",
            "worm",
            "trojandropper",
            "meta",
            "null",
            "enough",
            "hosts",
            "win32",
            "fast",
            "present oct",
            "present jul",
            "present sep",
            "present aug",
            "moved",
            "ip address",
            "error",
            "title",
            "ipv4 add",
            "url analysis",
            "hosting",
            "reverse dns",
            "america flag",
            "name servers",
            "body",
            "a domains",
            "passive dns",
            "welcome",
            "ok server",
            "gmt content",
            "twitter",
            "dynamicloader",
            "write c",
            "medium",
            "myapp",
            "high",
            "host",
            "delphi",
            "write",
            "code",
            "malware",
            "device driver",
            "backdoor",
            "msil",
            "present mar",
            "apanas",
            "regsetvalueexa",
            "msie",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "langturkish",
            "sublangdefault",
            "regdword",
            "persistence",
            "execution",
            "nids",
            "zegost",
            "trojan",
            "win32fugrafa",
            "malwarexgen att",
            "ck ids",
            "t1040",
            "sniffing",
            "location united",
            "united states",
            "KeyAuth Open-source Authentication System Domain (keyauth .win) ",
            "yara rule",
            "search",
            "blobx00x00x00",
            "guard",
            "encrypt",
            "afraid",
            "smartphone",
            "laptop",
            "tablet",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "spawns",
            "defense evasion",
            "t1480 execution",
            "sha256",
            "sha1",
            "ascii text",
            "size",
            "mitre att",
            "show technique",
            "refresh",
            "span",
            "hybrid",
            "local",
            "path",
            "click",
            "strings",
            "tools",
            "look",
            "verify",
            "restart",
            "access att",
            "t1566 phishing",
            "font",
            "pattern match",
            "general",
            "contact",
            "premium",
            "never",
            "core",
            "external system",
            "http header",
            "network traffic",
            "sample",
            "antivirus",
            "systems found",
            "ipurl artifact",
            "network related",
            "sends traffic",
            "http outbound",
            "hostname add",
            "address",
            "registrar",
            "internet ltd",
            "livedomains",
            "creation date",
            "hostname",
            "domain add",
            "modrg",
            "sincpoatia",
            "utf8",
            "appdata",
            "temp",
            "fyfdz",
            "iepgq",
            "trlew",
            "copy",
            "kentuchy",
            "oljnmrfghb",
            "powershell",
            "sabey",
            "sokolove law"
          ],
          "references": [
            "afraid.org | evergreen.afraid.org",
            "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com",
            "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
            "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
            "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/",
            "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net",
            "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI",
            "https://api.strem.io/api/addonCollectionGet%",
            "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am",
            "aohhpesayw.lawsonengineers.co.",
            "Very Disappointing- foundry.neconsside.com  \u2022 ftp.koldunmansurov.ru",
            "gitea.neconsside.com  \u2022 http://f7194.vip/login",
            "2012647\tDropbox.com Offsite File Backup in Use",
            "target.dropboxbusiness.com",
            "consolefoundry.date \u2022 http://consolefoundry.date",
            "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "NIDS",
              "display_name": "NIDS",
              "target": null
            },
            {
              "id": "Neshta",
              "display_name": "Neshta",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Fynloski.A",
              "display_name": "Backdoor:Win32/Fynloski.A",
              "target": "/malware/Backdoor:Win32/Fynloski.A"
            },
            {
              "id": "Zegost",
              "display_name": "Zegost",
              "target": null
            },
            {
              "id": "Worm:Win32/AutoRun.XXY!bit",
              "display_name": "Worm:Win32/AutoRun.XXY!bit",
              "target": "/malware/Worm:Win32/AutoRun.XXY!bit"
            },
            {
              "id": "MalwareX-Gen",
              "display_name": "MalwareX-Gen",
              "target": null
            },
            {
              "id": "Other Malware",
              "display_name": "Other Malware",
              "target": null
            },
            {
              "id": "Worm:Win32/AutoRun.B",
              "display_name": "Worm:Win32/AutoRun.B",
              "target": "/malware/Worm:Win32/AutoRun.B"
            },
            {
              "id": "Trojan:Win32/Pariham.A",
              "display_name": "Trojan:Win32/Pariham.A",
              "target": "/malware/Trojan:Win32/Pariham.A"
            },
            {
              "id": "Kentuchy",
              "display_name": "Kentuchy",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1528",
              "name": "Steal Application Access Token",
              "display_name": "T1528 - Steal Application Access Token"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "68f7ced2cf17d264b49628bc",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 483,
            "hostname": 1397,
            "URL": 2874,
            "email": 2,
            "FileHash-MD5": 369,
            "FileHash-SHA1": 355,
            "FileHash-SHA256": 1534,
            "SSLCertFingerprint": 7
          },
          "indicator_count": 7021,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "191 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68f7ced2cf17d264b49628bc",
          "name": "NIDS - Affecting targeted Dropbox & EBay Accounts accessing , using or deleting information",
          "description": "Multiple malware targeting Dropbox & Ebay accounts. Referenced in earlier pulses. Further investigation shows a link found in apps on multiple Apple devices. Afraid.org is still running & wreaking havoc globally. Currently targets a Music studio in Clear Creek County Co. The signal bounces from Fire station directly to studio gaining full access to everything.\n\nI am very disappointed with the abuse of the Palantir, Gotham, Foundry products by law firms and Private Investigators.\nIt is very destructive, causing loss; these firms are literally stealing and making money with other people\u2019s intellectual property, and tough luck on the actual inventor, artist, writer, because they even steal, cancel your insurance or bank accounts, leaving you unable to make a claim.\n\nGreat discretion should be used to qualify for these tools used to track, terrorize and access private information as well as tarnish the names of civilians, family, businesses, stalking, tracking known location.",
          "modified": "2025-11-20T17:00:05.377000",
          "created": "2025-10-21T18:20:02.120000",
          "tags": [
            "united",
            "urls",
            "domain",
            "files",
            "files ip",
            "td td",
            "td tr",
            "a td",
            "dynamic dns",
            "arial",
            "worm",
            "trojandropper",
            "meta",
            "null",
            "enough",
            "hosts",
            "win32",
            "fast",
            "present oct",
            "present jul",
            "present sep",
            "present aug",
            "moved",
            "ip address",
            "error",
            "title",
            "ipv4 add",
            "url analysis",
            "hosting",
            "reverse dns",
            "america flag",
            "name servers",
            "body",
            "a domains",
            "passive dns",
            "welcome",
            "ok server",
            "gmt content",
            "twitter",
            "dynamicloader",
            "write c",
            "medium",
            "myapp",
            "high",
            "host",
            "delphi",
            "write",
            "code",
            "malware",
            "device driver",
            "backdoor",
            "msil",
            "present mar",
            "apanas",
            "regsetvalueexa",
            "msie",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "langturkish",
            "sublangdefault",
            "regdword",
            "persistence",
            "execution",
            "nids",
            "zegost",
            "trojan",
            "win32fugrafa",
            "malwarexgen att",
            "ck ids",
            "t1040",
            "sniffing",
            "location united",
            "united states",
            "KeyAuth Open-source Authentication System Domain (keyauth .win) ",
            "yara rule",
            "search",
            "blobx00x00x00",
            "guard",
            "encrypt",
            "afraid",
            "smartphone",
            "laptop",
            "tablet",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "spawns",
            "defense evasion",
            "t1480 execution",
            "sha256",
            "sha1",
            "ascii text",
            "size",
            "mitre att",
            "show technique",
            "refresh",
            "span",
            "hybrid",
            "local",
            "path",
            "click",
            "strings",
            "tools",
            "look",
            "verify",
            "restart",
            "access att",
            "t1566 phishing",
            "font",
            "pattern match",
            "general",
            "contact",
            "premium",
            "never",
            "core",
            "external system",
            "http header",
            "network traffic",
            "sample",
            "antivirus",
            "systems found",
            "ipurl artifact",
            "network related",
            "sends traffic",
            "http outbound",
            "hostname add",
            "address",
            "registrar",
            "internet ltd",
            "livedomains",
            "creation date",
            "hostname",
            "domain add",
            "modrg",
            "sincpoatia",
            "utf8",
            "appdata",
            "temp",
            "fyfdz",
            "iepgq",
            "trlew",
            "copy",
            "kentuchy",
            "oljnmrfghb",
            "powershell",
            "sabey",
            "sokolove law"
          ],
          "references": [
            "afraid.org | evergreen.afraid.org",
            "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com",
            "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
            "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
            "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/",
            "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net",
            "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI",
            "https://api.strem.io/api/addonCollectionGet%",
            "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am",
            "aohhpesayw.lawsonengineers.co.",
            "Very Disappointing- foundry.neconsside.com  \u2022 ftp.koldunmansurov.ru",
            "gitea.neconsside.com  \u2022 http://f7194.vip/login",
            "2012647\tDropbox.com Offsite File Backup in Use",
            "target.dropboxbusiness.com",
            "consolefoundry.date \u2022 http://consolefoundry.date",
            "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "NIDS",
              "display_name": "NIDS",
              "target": null
            },
            {
              "id": "Neshta",
              "display_name": "Neshta",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Fynloski.A",
              "display_name": "Backdoor:Win32/Fynloski.A",
              "target": "/malware/Backdoor:Win32/Fynloski.A"
            },
            {
              "id": "Zegost",
              "display_name": "Zegost",
              "target": null
            },
            {
              "id": "Worm:Win32/AutoRun.XXY!bit",
              "display_name": "Worm:Win32/AutoRun.XXY!bit",
              "target": "/malware/Worm:Win32/AutoRun.XXY!bit"
            },
            {
              "id": "MalwareX-Gen",
              "display_name": "MalwareX-Gen",
              "target": null
            },
            {
              "id": "Other Malware",
              "display_name": "Other Malware",
              "target": null
            },
            {
              "id": "Worm:Win32/AutoRun.B",
              "display_name": "Worm:Win32/AutoRun.B",
              "target": "/malware/Worm:Win32/AutoRun.B"
            },
            {
              "id": "Trojan:Win32/Pariham.A",
              "display_name": "Trojan:Win32/Pariham.A",
              "target": "/malware/Trojan:Win32/Pariham.A"
            },
            {
              "id": "Kentuchy",
              "display_name": "Kentuchy",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1528",
              "name": "Steal Application Access Token",
              "display_name": "T1528 - Steal Application Access Token"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 483,
            "hostname": 1397,
            "URL": 2874,
            "email": 2,
            "FileHash-MD5": 369,
            "FileHash-SHA1": 355,
            "FileHash-SHA256": 1534,
            "SSLCertFingerprint": 7
          },
          "indicator_count": 7021,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "191 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68d62e5e038c036204e489ba",
          "name": "Deepsea - Seen in multiple targeting attacks | curse.llc |",
          "description": "DiabloFans.com redirects to curse.llc, a Shopify storefront offering witchcraft-related products and/or services. \n\nIt will take time to break down the true intent of the website. Maybe it\u2019s hacked, maybe it\u2019s a tool. I think targeting is involved because of the constant appearance of diablofans.com in various types of research over time, including a most recent pulse related to a target. \n\nThere are multiple checkins, bots, Trojans, worms, etc. This entire pulse will be populated by OTX; I won\u2019t be able to annotate this pulse.\nLet\u2019s see what happens. \n\n#Lowfi:HSTR:MSIL/Obfuscator.Deepsea.C",
          "modified": "2025-10-26T05:01:11.780000",
          "created": "2025-09-26T06:10:38.550000",
          "tags": [
            "handle",
            "entity",
            "host name",
            "rdap database",
            "iana registrar",
            "roles",
            "dnssec",
            "links",
            "namecheap",
            "namecheap inc",
            "script urls",
            "united",
            "unknown ns",
            "moved",
            "script domains",
            "passive dns",
            "ip address",
            "body",
            "gmt content",
            "type",
            "title",
            "date",
            "meta",
            "request",
            "get updates",
            "common upatre",
            "p2p zeus",
            "common header",
            "struct",
            "downloader",
            "exe download",
            "terse",
            "regsetvalueexa",
            "execution",
            "dock",
            "write",
            "next",
            "win32",
            "persistence",
            "malware",
            "copy",
            "unknown",
            "canada unknown",
            "alfper",
            "entries",
            "ipv4",
            "pulse pulses",
            "urls",
            "files",
            "reverse dns",
            "location canada",
            "twitter",
            "present sep",
            "cname",
            "name servers",
            "search",
            "creation date",
            "canada",
            "certificate",
            "trojan",
            "ontario",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "defense evasion",
            "spawns",
            "development att",
            "href",
            "show technique",
            "mitre att",
            "ck matrix",
            "script",
            "network related",
            "input url",
            "network traffic",
            "t1204",
            "copy md5",
            "copy sha1",
            "copy sha256",
            "size",
            "sha1",
            "sha256",
            "flag",
            "canada canada",
            "strings",
            "cloudflar",
            "google",
            "googlecl",
            "facebook",
            "as autonomous",
            "system",
            "hetznera",
            "detail domain",
            "domain tree",
            "links domain",
            "requested",
            "url https",
            "general full",
            "name value",
            "resource",
            "asn13335",
            "cloudflarenet",
            "hash",
            "protocol h3",
            "express",
            "value",
            "please",
            "automatic",
            "webgl",
            "september",
            "variables",
            "shopify",
            "shopifypay",
            "st boolean",
            "shopifyforms",
            "raven",
            "hstr",
            "next associated",
            "mtb may",
            "ipv4 add",
            "trojanspy",
            "trojandropper",
            "span",
            "path",
            "button",
            "circle",
            "link",
            "keychains",
            "choose",
            "input",
            "small",
            "close",
            "form",
            "stop",
            "anime",
            "kitty",
            "iframe",
            "null",
            "open",
            "tarot",
            "footer",
            "curse",
            "first",
            "back",
            "error",
            "config",
            "contact",
            "signs",
            "main",
            "payment",
            "window"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 236,
            "FileHash-MD5": 320,
            "FileHash-SHA1": 314,
            "FileHash-SHA256": 2288,
            "URL": 889,
            "hostname": 361,
            "SSLCertFingerprint": 1,
            "email": 2,
            "CVE": 1
          },
          "indicator_count": 4412,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "217 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68c954a80675ccc89b0e9b63",
          "name": "Trump #45470 | Palantir container | virus:DOS/Hellspawn + ioS (compromised)",
          "description": "Overt. Trump support campaign text message from #45470. Malicious. Received on a victim\u2019s hyper-compromised iPhone. Attempts to or did take CnC of device. Stutters device, changed App Store, has delete service, device sweep, shuts down service, halts all pages, denial of service, throttles service, steals\npasswords, bots. I don\u2019t know if device can be refurbished or research purposes - Palantir DC DGA domains - Trump. Multiple IoCs, malware with code overlap; it appears to be from a legitimate text for updates #. Visibly affected all aspects of device and software. Commands device shut down. \n[OTX populated: Failed to retrieve suggested indicator for beta-ui, according to the latest results from the Welsh Government's Office for National Statistics (ONS) and the National Data Centre (NDS))",
          "modified": "2025-10-16T12:03:14.279000",
          "created": "2025-09-16T12:14:32.327000",
          "tags": [
            "ttl value",
            "extraction",
            "data upload",
            "failed",
            "extra data",
            "include review",
            "exclude sugges",
            "stop",
            "line",
            "path",
            "polyline",
            "getprocaddress",
            "circle",
            "span",
            "ck id",
            "mitre att",
            "ck matrix",
            "null",
            "error",
            "open",
            "spinner",
            "title",
            "code",
            "iframe",
            "window",
            "void",
            "infinity",
            "crypto",
            "footer",
            "generator",
            "general",
            "format",
            "click",
            "strings",
            "meta",
            "install",
            "encoder",
            "learn",
            "command",
            "name tactics",
            "suspicious",
            "informative",
            "spawns",
            "evasion att",
            "t1480 execution",
            "file defense",
            "adversaries",
            "calls",
            "reads",
            "defense evasion",
            "model",
            "server",
            "registrar abuse",
            "ascio",
            "contact phone",
            "admin city",
            "admin country",
            "admin postal",
            "dnssec",
            "http",
            "ip address",
            "passive dns",
            "related nids",
            "urls",
            "files location",
            "united",
            "flag united",
            "a domains",
            "search",
            "unknown aaaa",
            "certificate",
            "yara detections",
            "av detections",
            "ids detections",
            "alerts",
            "entries elf",
            "filehash",
            "name servers",
            "servers",
            "moved",
            "script script",
            "aaaa",
            "unknown ns",
            "domain add",
            "formbook cnc",
            "checkin",
            "lowfi",
            "mtb jun",
            "github pages",
            "twitter",
            "accept",
            "cryptobit",
            "extra",
            "referen data",
            "trojanproxy",
            "dynamicloader",
            "high",
            "write c",
            "medium",
            "intel",
            "ms windows",
            "entries",
            "pe32",
            "explorer",
            "worm",
            "write",
            "next",
            "trojan",
            "hellspawn",
            "md5 add",
            "malware",
            "data",
            "included iocs",
            "script urls",
            "script domains",
            "gmt content",
            "cash amtincart",
            "expirestue",
            "domain related",
            "sea x",
            "accept encoding",
            "request id",
            "body doctype",
            "apache",
            "encrypt",
            "skynet",
            "third eye tv",
            "calling",
            "delete app",
            "potus",
            "mtb aug",
            "backdoor",
            "gmt cache",
            "sameorigin",
            "443 ma2592000",
            "ipv4 add",
            "utilads",
            "trojandropper",
            "mtb sep",
            "win32upatre aug",
            "yara rule",
            "as15169",
            "guard",
            "smartassembly",
            "associated urls",
            "date checked",
            "url hostname",
            "server response",
            "domain",
            "url analysis",
            "files",
            "date",
            "delete service",
            "45470",
            "text",
            "hybrid",
            "present sep",
            "body",
            "fastly error",
            "please",
            "xor xor",
            "sha256 add",
            "analysis date",
            "file score",
            "detections alf",
            "june",
            "delphi",
            "attempts",
            "yara",
            "high security",
            "file type",
            "pe packer",
            "ransom"
          ],
          "references": [
            "skynet-dev.tcxn.net tcxn.net Registrar Ascio Technologies, Inc - connection to cloud proxy",
            "TrojanProxy:Win32/Malynfits CodeOverlap TrojanSpy:Win32/Nivdort CodeOverlap virus:Win32/Lywer CodeOverlap",
            "https://cryptobit.live/build/assets/app-CkRYqsKL.js \u2022 cryptobit.live \u2022 t.page \u2022 cdn.wallets.cryptobit.live",
            "Trump Support campaign \u2022_\u2022 lantana-mgmt.washington.palantircloud.com \u2022 containers-reishi.palantirfedstart.com",
            "Virus:DOS/Hellspawn 192.168.122.49 10/16/25\t\u2022  IPv4 142.251.9.105",
            "IDS Detections: Win32/Enosch.A gtalk connectivity check | W32/MoonLight.worm User-Agent (HellSpawn)",
            "PWS:Win32/Ymacco.AA50 Win.Trojan.Generic-9959068-0\t SLF:MSIL/PSTAnomaly.A Win.Dropper.Shakblades-7614016-0\t#LowFI:VBExpensiveLoop Win.Packed.Barys-10031677-0\tTEL:Trojan:MSIL/AgentTesla.VPA!MTB Win.Trojan. Backdoor:MSIL/Remcos!MTB",
            "hasownproperty.call \u2022 fireeye.grhd.",
            "Apple Store verified drop down breach  \u2018Apple took a screenshot of pages\u201d"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "TrojanSpy:Win32/Nivdort",
              "display_name": "TrojanSpy:Win32/Nivdort",
              "target": "/malware/TrojanSpy:Win32/Nivdort"
            },
            {
              "id": "TrojanProxy:Win32/Malynfits",
              "display_name": "TrojanProxy:Win32/Malynfits",
              "target": "/malware/TrojanProxy:Win32/Malynfits"
            },
            {
              "id": "Virus:Win32/Lywer",
              "display_name": "Virus:Win32/Lywer",
              "target": "/malware/Virus:Win32/Lywer"
            },
            {
              "id": "Worm:Win32/Lightmoon.H",
              "display_name": "Worm:Win32/Lightmoon.H",
              "target": "/malware/Worm:Win32/Lightmoon.H"
            },
            {
              "id": "Virus:DOS/Hellspawn",
              "display_name": "Virus:DOS/Hellspawn",
              "target": "/malware/Virus:DOS/Hellspawn"
            },
            {
              "id": "Win.Trojan.Dialer-266",
              "display_name": "Win.Trojan.Dialer-266",
              "target": null
            },
            {
              "id": "AgentTesla",
              "display_name": "AgentTesla",
              "target": null
            },
            {
              "id": "Backdoor:MSIL/Remcos",
              "display_name": "Backdoor:MSIL/Remcos",
              "target": "/malware/Backdoor:MSIL/Remcos"
            },
            {
              "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
              "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
              "target": null
            },
            {
              "id": "Trojandropper:Win32/Muldrop.V!MTB",
              "display_name": "Trojandropper:Win32/Muldrop.V!MTB",
              "target": "/malware/Trojandropper:Win32/Muldrop.V!MTB"
            },
            {
              "id": "#LowFI:VBExpensiveLoop",
              "display_name": "#LowFI:VBExpensiveLoop",
              "target": null
            },
            {
              "id": "TEL:Trojan:MSIL/AgentTesla.VPA!MTB",
              "display_name": "TEL:Trojan:MSIL/AgentTesla.VPA!MTB",
              "target": null
            },
            {
              "id": "PWS:Win32/VB.CU",
              "display_name": "PWS:Win32/VB.CU",
              "target": "/malware/PWS:Win32/VB.CU"
            },
            {
              "id": "ALF:Ransom:Win32/Babax.SG!MTB",
              "display_name": "ALF:Ransom:Win32/Babax.SG!MTB",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1007",
              "name": "System Service Discovery",
              "display_name": "T1007 - System Service Discovery"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1489",
              "name": "Service Stop",
              "display_name": "T1489 - Service Stop"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 690,
            "URL": 1479,
            "domain": 476,
            "FileHash-MD5": 526,
            "FileHash-SHA1": 505,
            "FileHash-SHA256": 1509,
            "email": 6
          },
          "indicator_count": 5191,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "226 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6875e98438889e51b3fdd18f",
          "name": "Critical \u2022 Schedule system process - Mirai | Foundry Overwatch",
          "description": "",
          "modified": "2025-08-14T05:04:16.839000",
          "created": "2025-07-15T05:39:16.652000",
          "tags": [
            "win32 exe",
            "country",
            "include review",
            "exclude",
            "defense evasion",
            "access ta0006",
            "command",
            "control ta0011",
            "impact ta0040",
            "impact ob0008",
            "file system",
            "system oc0008",
            "match unknown",
            "adversaries",
            "match info",
            "info",
            "execution flow",
            "t1574 dll",
            "tries",
            "registry",
            "modify system",
            "process t1543",
            "unknown",
            "window",
            "ob0009 install",
            "ob0012 install",
            "insecure",
            "b0047 modify",
            "registry e1112",
            "hidden files",
            "registry run",
            "keys",
            "startup folder",
            "f0012 file",
            "critical",
            "united",
            "as15169",
            "delete c",
            "as16509",
            "show",
            "search",
            "intel",
            "ms windows",
            "entries",
            "medium",
            "worm",
            "copy",
            "write",
            "explorer",
            "malware",
            "next",
            "present jul",
            "status",
            "date",
            "ip address",
            "domain",
            "servers",
            "showing",
            "unknown ns",
            "related pulses",
            "pulses",
            "tags",
            "related tags",
            "more file",
            "type",
            "date april",
            "am size",
            "sha1 sha256",
            "as14618",
            "united kingdom",
            "as54113",
            "as15133 verizon",
            "top source",
            "top destination",
            "status domain",
            "ip whitelisted",
            "whitelisted",
            "tcp include",
            "source source",
            "oamazon",
            "cnamazon rsa",
            "odigicert inc",
            "sweden as20940",
            "as20940",
            "entries tls",
            "ip destination",
            "encrypt",
            "aaaa",
            "found",
            "certificate",
            "next associated",
            "urls show",
            "date checked",
            "error",
            "windows",
            "high",
            "yara detections",
            "installs",
            "checks",
            "filehash",
            "sha256 add",
            "themida",
            "data upload",
            "extraction",
            "md5 add",
            "av detections",
            "ids detections",
            "alerts",
            "analysis date",
            "file score",
            "win32",
            "ddos",
            "passive dns",
            "activity",
            "checkin",
            "win64",
            "mtb jan",
            "lowfi",
            "trojan",
            "ransom",
            "trojandropper",
            "yara",
            "nsis",
            "nss bv",
            "su data",
            "windo alerts",
            "andariel",
            "malware traffic",
            "nids",
            "icmp traffic",
            "dns query",
            "id deadhost",
            "connects",
            "andariel high",
            "richhash",
            "external",
            "virustotal api",
            "screenshots",
            "failed",
            "auurtonany data",
            "themida andarie",
            "present may",
            "japan unknown",
            "unknown cname",
            "domain add",
            "urls",
            "files",
            "http headers",
            "msie",
            "windows nt",
            "tcp syn",
            "resolverror",
            "externalport",
            "internalport",
            "wget command",
            "devices home",
            "execution",
            "foundry",
            "home networks",
            "mirai",
            "x.com",
            "porn",
            "monitored target",
            "d link",
            "targets"
          ],
          "references": [
            "TJprojMain.exe {79c7303a1a49b85569245a8ca1c1a26be720387845af9391fa1e4677308bd6b6}",
            "Crowdsourced Sigma: Schedule system process by Joe Security",
            "Sigma \u2022 Suspicious Process Masquerading As SvcHost.EXE by Swachchhanda Shrawan Poudel",
            "Sigma \u2022 System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
            "Yara \u2022  NSIS from ruleset NSIS by kevoreilly",
            "Yara \u2022 rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
            "Yara \u2022 Windows_Generic_Threat_7526f106 from ruleset Windows_Generic_Threat by Elastic Security",
            "Alerts: persistence_autorun \u2022 persistence_autorun_tasks stealth_hiddenreg \u2022 suspicious_command",
            "IDS: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
            "Mirai - ]1.0.0.0 - Unix.Trojan.Mirai-6981169-0",
            "*Themida_2xx. Oreans,Technologies",
            "*Andariel Backdoor Activity (Checkin)",
            "Alert: dead_host nids_malware_alert network_icmp nolookup_communication",
            "IDS: WGET Command Specifying Output in HTTP Headers",
            "IDS: D-Link Devices Home Network Administration Protocol Command Execution",
            "foundry2-lbl.dvr.dn2.n-helix.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://foundry2sdbl",
            "https://xn--72c9abh1f8ad1lzc.com/video_tag/pornthai/ \u2022 https://ro.theskinnyfoodco.com/en-fr/blogs/recipes/pornstar-martini-recipe \u2022 m.pornsexer.xxx.3.1.adiosfil.roksit.net",
            "x.com \u2022 nr-data.net \u2022 apple.k8s.joewa.com",
            "http://apple.cc.lvlid.com/ \u2022 http://apple.cc.lvlid.com/ios/ \u2022 http://www.apple.cc.lvlid.com/ios",
            "Devices remotely connected, tracked, monitored"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Worm:Win32/Mofksys.RND!MTB",
              "display_name": "Worm:Win32/Mofksys.RND!MTB",
              "target": "/malware/Worm:Win32/Mofksys.RND!MTB"
            },
            {
              "id": "Unix.Trojan.Mirai-6981169-0",
              "display_name": "Unix.Trojan.Mirai-6981169-0",
              "target": null
            },
            {
              "id": "Win.Malware.Ursu-9856871-0",
              "display_name": "Win.Malware.Ursu-9856871-0",
              "target": null
            },
            {
              "id": "ELF:DDoS-Y\\ [Trj]",
              "display_name": "ELF:DDoS-Y\\ [Trj]",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1512",
              "name": "Capture Camera",
              "display_name": "T1512 - Capture Camera"
            },
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            }
          ],
          "industries": [
            "Healthcare",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 448,
            "FileHash-SHA1": 435,
            "FileHash-SHA256": 5851,
            "hostname": 2580,
            "domain": 1176,
            "URL": 7133,
            "SSLCertFingerprint": 30,
            "email": 3,
            "CVE": 3
          },
          "indicator_count": 17659,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "290 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6581f00305e165540ccb45e2",
          "name": "quick look at rentry.co",
          "description": "",
          "modified": "2025-07-07T00:23:19.307000",
          "created": "2023-12-19T19:33:23.179000",
          "tags": [],
          "references": [
            "https://www.virustotal.com/graph/gce53607a8779403cb61fb1fd424d648cdacbe19e4eab410ab9d84de3f57a1610"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 243,
            "FileHash-SHA1": 243,
            "FileHash-SHA256": 1222,
            "URL": 27,
            "domain": 8,
            "hostname": 2
          },
          "indicator_count": 1745,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 183,
          "modified_text": "328 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6830ca10f16af5c6c7110161",
          "name": "Malware Hosting || Apple browser agent transmits data to New Relic",
          "description": "IOC (https://www.delphi.ai/bill-clinton)Title: Delphi: || application-name\nDelphi\nmask-icon\n/safari-pinned-tab.svg?v=2 (favicons is a line of code that loads another SVG image, one called safari-pinned-tab. svg . to support Safari's pinned tab functionality, which existed before other browsers had SVG favicon support.)||\n\u2022142.251.143.202- exploit_source  |\t\t \n\u2022185.199.108.133 - malware_hosting |\t\n*185.199.109.133 - malware_hosting. |\n\u2022185.199.110.133 - malware_hosting | \nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian -phishing |\n185.199.111.133\nmalware_hosting\t\n|| malicious features,, malicious code, .ai , exploit, spyware, apple monitoring nr-data.net > transmits data to New Relic, || IIOC may have expired or be parked.",
          "modified": "2025-06-22T18:05:31.015000",
          "created": "2025-05-23T19:18:40.395000",
          "tags": [
            "delphi meta",
            "tags viewport",
            "delphi maskicon",
            "utc google",
            "tag manager",
            "gtmmszhw3t7",
            "utc g3j5p98dsnr",
            "utc linkedin",
            "insight tag",
            "date sun",
            "gmt contenttype",
            "connection",
            "cachecontrol",
            "slug",
            "miss",
            "server",
            "status code",
            "body length",
            "kb body"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 120,
            "FileHash-SHA1": 120,
            "FileHash-SHA256": 579,
            "URL": 8,
            "domain": 12,
            "hostname": 45
          },
          "indicator_count": 884,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "342 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a55c4a67e2ca75db25d406",
          "name": "Malware dataset 20250206 | Network",
          "description": "Domain and URL hits observed from a subset of analyzed samples.",
          "modified": "2025-02-07T01:05:14.905000",
          "created": "2025-02-07T01:05:14.905000",
          "tags": [],
          "references": [
            "https://maldatabase.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "maldatabase",
            "id": "71669",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_71669/resized/80/avatar_d15b868454.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 7,
            "hostname": 4
          },
          "indicator_count": 11,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1115,
          "modified_text": "478 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "679ec4c1b8d279f7bf6bd822",
          "name": "Malware dataset 20250201 | Network",
          "description": "Domain and URL hits observed from a subset of analyzed samples.",
          "modified": "2025-02-02T01:05:05.664000",
          "created": "2025-02-02T01:05:05.664000",
          "tags": [],
          "references": [
            "https://maldatabase.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "maldatabase",
            "id": "71669",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_71669/resized/80/avatar_d15b868454.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 7,
            "hostname": 8
          },
          "indicator_count": 15,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1115,
          "modified_text": "483 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6785b844248266c092b4d152",
          "name": "Malware dataset 20250113 | Network",
          "description": "Domain and URL hits observed from a subset of analyzed samples.",
          "modified": "2025-01-14T01:05:08.307000",
          "created": "2025-01-14T01:05:08.307000",
          "tags": [],
          "references": [
            "https://maldatabase.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "maldatabase",
            "id": "71669",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_71669/resized/80/avatar_d15b868454.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 11,
            "hostname": 6
          },
          "indicator_count": 17,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1115,
          "modified_text": "502 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66c9a414d2ecc2382c2184c8",
          "name": "Associated artifacts by file: Trojan: Win32/Uwamson.A!ml",
          "description": "Associated artifacts of file identified by Microsoft as Trojan Win32/Uwamson.A!ml [SHA256: d1aefc0f7a1a1ef63b959bf8fb0dbf960a6af3d88d3ee69b0e2f0f739326818c]",
          "modified": "2024-09-23T09:03:54.724000",
          "created": "2024-08-24T09:12:52.282000",
          "tags": [
            "trojan",
            "win32"
          ],
          "references": [
            "https://www.virustotal.com/gui/file/d1aefc0f7a1a1ef63b959bf8fb0dbf960a6af3d88d3ee69b0e2f0f739326818c",
            "https://www.virustotal.com/graph/embed/gbc071fd91d6e4a67ac7421a2d0973d5297f478a817104d49ad9077cfee1e2eaa?theme=dark",
            "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Program:Win32/Uwamson.A!ml&threatId=250070",
            "https://www.fortiguard.com/encyclopedia/virus/10086605"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "#Trojan:Win32/Uwamson.A!ml",
              "display_name": "#Trojan:Win32/Uwamson.A!ml",
              "target": "/malware/#Trojan:Win32/Uwamson.A!ml"
            },
            {
              "id": "#LOWFI:HSTR:MSIL/Obfuscator",
              "display_name": "#LOWFI:HSTR:MSIL/Obfuscator",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "weekndr_sec",
            "id": "288004",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_288004/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 29,
            "domain": 1
          },
          "indicator_count": 34,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 29,
          "modified_text": "614 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66eb1903bb12a0d4b524a0fb",
          "name": "HCA Healthcloid | Cellco\u00bb  Adversary in the Middle | Swipper Verizon Block ",
          "description": "",
          "modified": "2024-09-18T18:16:35.396000",
          "created": "2024-09-18T18:16:35.396000",
          "tags": [
            "swipp9-arin",
            "swipper",
            "swipp",
            "verizon",
            "cellcopart",
            "swipper",
            "ongoing",
            "get e sim",
            "as16276",
            "france unknown",
            "unknown",
            "as6167",
            "org verizon",
            "passive dns",
            "all scoreblue",
            "as8075",
            "cellco",
            "javascript",
            "help center",
            "please",
            "service privacy",
            "policy cookie",
            "policy imprint",
            "ads info",
            "cms",
            "express",
            "tsa b",
            "self",
            "server",
            "get esim",
            "wirelessdatanetwork",
            "netrange",
            "nethandle",
            "net174",
            "net1740000",
            "mcics",
            "orgid",
            "mcics address",
            "loudoun county",
            "android",
            "generic http",
            "exe upload",
            "windows nt",
            "outbound",
            "host",
            "malware beacon",
            "cape",
            "trojan",
            "copy",
            "write",
            "malware",
            "inbound",
            "impash",
            "post na",
            "search",
            "delete",
            "related pulses",
            "top source",
            "top destination",
            "source source",
            "filehash",
            "contentlength",
            "activity",
            "dns lookup",
            "flooder",
            "et",
            "aaaa",
            "nxdomain",
            "domain",
            "ipv4",
            "url analysis",
            "files",
            "malicious",
            "network",
            "historical ssl",
            "epsilon stealer",
            "traces aided",
            "dns intel",
            "remote job",
            "keeper",
            "snatch",
            "ransomware",
            "united states",
            "as8068",
            "entries",
            "mtb jan",
            "body",
            "x msedge",
            "scan endpoints",
            "trojandropper",
            "slf features",
            "file samples",
            "files matching",
            "date hash",
            "next",
            "win64",
            "win32",
            "copyright",
            "levelblue",
            "showing",
            "a domains",
            "as54113",
            "script domains",
            "script urls",
            "script script",
            "date",
            "meta",
            "window",
            "cookie",
            "trojan features",
            "worm",
            "show",
            "alf features",
            "hca",
            "target tsara brashears",
            "hostname",
            "expiration",
            "no expiration",
            "hca health",
            "eva120",
            "jody huffines",
            "jody alaska",
            "stephen r 'middleton'",
            "phone clone",
            "adversary in the middle",
            "known threat",
            "android attack",
            "web attack",
            "network",
            "dns",
            "florence co",
            "ddos",
            "google",
            "ip address",
            "ip range",
            "whois",
            "spam stats",
            "as6167 network",
            "cleantalk ip",
            "email abuse",
            "reports",
            "misc attack",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "suricata",
            "et intelligence",
            "known malicious ip",
            "spoof",
            "twitter",
            "x",
            "hackers"
          ],
          "references": [
            "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks  174.215.26.0",
            "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
            "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
            "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
            "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
            "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
            "Yara Detections: SUSP_Imphash_Mar23_2",
            "Alerts: cape_detected_threat",
            "http://www.govexec.com/dailyfed/0906/091806ol.htm",
            "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
            "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
            "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
            "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
            "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
            "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
            "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
            "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
            "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
            "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
            "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
            "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Vflooder.A",
              "display_name": "Trojan:Win32/Vflooder.A",
              "target": "/malware/Trojan:Win32/Vflooder.A"
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Flooder",
              "display_name": "Flooder",
              "target": null
            },
            {
              "id": "Trojan.Upatre/Waski",
              "display_name": "Trojan.Upatre/Waski",
              "target": null
            },
            {
              "id": "SLF:Win64/CobPipe",
              "display_name": "SLF:Win64/CobPipe",
              "target": "/malware/SLF:Win64/CobPipe"
            },
            {
              "id": "TrojanDropper:Win32/Muldrop.V!MTB",
              "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
              "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
            },
            {
              "id": "Worm:Win32/AutoRun",
              "display_name": "Worm:Win32/AutoRun",
              "target": "/malware/Worm:Win32/AutoRun"
            },
            {
              "id": "ALF:Program:Win32/Webcompanion",
              "display_name": "ALF:Program:Win32/Webcompanion",
              "target": null
            },
            {
              "id": "Trojan:Win32/Antavmu",
              "display_name": "Trojan:Win32/Antavmu",
              "target": "/malware/Trojan:Win32/Antavmu"
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1212",
              "name": "Exploitation for Credential Access",
              "display_name": "T1212 - Exploitation for Credential Access"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1122",
              "name": "Component Object Model Hijacking",
              "display_name": "T1122 - Component Object Model Hijacking"
            },
            {
              "id": "T1198",
              "name": "SIP and Trust Provider Hijacking",
              "display_name": "T1198 - SIP and Trust Provider Hijacking"
            },
            {
              "id": "T1460",
              "name": "Biometric Spoofing",
              "display_name": "T1460 - Biometric Spoofing"
            },
            {
              "id": "T1502",
              "name": "Parent PID Spoofing",
              "display_name": "T1502 - Parent PID Spoofing"
            },
            {
              "id": "T1205.001",
              "name": "Port Knocking",
              "display_name": "T1205.001 - Port Knocking"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Healthcare",
            "Government",
            "Civilian Society"
          ],
          "TLP": "white",
          "cloned_from": "66ba9198fd69c93fabece38d",
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 51,
            "CIDR": 11,
            "URL": 280,
            "hostname": 426,
            "FileHash-SHA256": 4334,
            "domain": 180,
            "FileHash-MD5": 2244,
            "FileHash-SHA1": 2244,
            "CVE": 1
          },
          "indicator_count": 9771,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "619 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66ba9198fd69c93fabece38d",
          "name": "Adversary in the Middle | Cellco | Targeting | Phone Cloner | Monitoring",
          "description": "Linked to X.com research. Remotely spoofs, DDoS, blocks, intercepts, and redirects all activity of the victim. At one time the same handle, Swipper, had a malicious link attached to the target's Apple notepads. The link connected to a website with the target's name and a photo of a jubilant arrest, or a death threat. Site linked to Loudoun County, Swipper claiming to be the FBI.",
          "modified": "2024-09-18T18:12:03.438000",
          "created": "2024-08-12T22:50:00.127000",
          "tags": [
            "swipp9-arin",
            "swipper",
            "swipp",
            "verizon",
            "cellcopart",
            "swipper",
            "ongoing",
            "get e sim",
            "as16276",
            "france unknown",
            "unknown",
            "as6167",
            "org verizon",
            "passive dns",
            "all scoreblue",
            "as8075",
            "cellco",
            "javascript",
            "help center",
            "please",
            "service privacy",
            "policy cookie",
            "policy imprint",
            "ads info",
            "cms",
            "express",
            "tsa b",
            "self",
            "server",
            "get esim",
            "wirelessdatanetwork",
            "netrange",
            "nethandle",
            "net174",
            "net1740000",
            "mcics",
            "orgid",
            "mcics address",
            "loudoun county",
            "android",
            "generic http",
            "exe upload",
            "windows nt",
            "outbound",
            "host",
            "malware beacon",
            "cape",
            "trojan",
            "copy",
            "write",
            "malware",
            "inbound",
            "impash",
            "post na",
            "search",
            "delete",
            "related pulses",
            "top source",
            "top destination",
            "source source",
            "filehash",
            "contentlength",
            "activity",
            "dns lookup",
            "flooder",
            "et",
            "aaaa",
            "nxdomain",
            "domain",
            "ipv4",
            "url analysis",
            "files",
            "malicious",
            "network",
            "historical ssl",
            "epsilon stealer",
            "traces aided",
            "dns intel",
            "remote job",
            "keeper",
            "snatch",
            "ransomware",
            "united states",
            "as8068",
            "entries",
            "mtb jan",
            "body",
            "x msedge",
            "scan endpoints",
            "trojandropper",
            "slf features",
            "file samples",
            "files matching",
            "date hash",
            "next",
            "win64",
            "win32",
            "copyright",
            "levelblue",
            "showing",
            "a domains",
            "as54113",
            "script domains",
            "script urls",
            "script script",
            "date",
            "meta",
            "window",
            "cookie",
            "trojan features",
            "worm",
            "show",
            "alf features",
            "hca",
            "target tsara brashears",
            "hostname",
            "expiration",
            "no expiration",
            "hca health",
            "eva120",
            "jody huffines",
            "jody alaska",
            "stephen r 'middleton'",
            "phone clone",
            "adversary in the middle",
            "known threat",
            "android attack",
            "web attack",
            "network",
            "dns",
            "florence co",
            "ddos",
            "google",
            "ip address",
            "ip range",
            "whois",
            "spam stats",
            "as6167 network",
            "cleantalk ip",
            "email abuse",
            "reports",
            "misc attack",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "suricata",
            "et intelligence",
            "known malicious ip",
            "spoof",
            "twitter",
            "x",
            "hackers"
          ],
          "references": [
            "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks  174.215.26.0",
            "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
            "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
            "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
            "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
            "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
            "Yara Detections: SUSP_Imphash_Mar23_2",
            "Alerts: cape_detected_threat",
            "http://www.govexec.com/dailyfed/0906/091806ol.htm",
            "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
            "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
            "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
            "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
            "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
            "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
            "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
            "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
            "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
            "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
            "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
            "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Vflooder.A",
              "display_name": "Trojan:Win32/Vflooder.A",
              "target": "/malware/Trojan:Win32/Vflooder.A"
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Flooder",
              "display_name": "Flooder",
              "target": null
            },
            {
              "id": "Trojan.Upatre/Waski",
              "display_name": "Trojan.Upatre/Waski",
              "target": null
            },
            {
              "id": "SLF:Win64/CobPipe",
              "display_name": "SLF:Win64/CobPipe",
              "target": "/malware/SLF:Win64/CobPipe"
            },
            {
              "id": "TrojanDropper:Win32/Muldrop.V!MTB",
              "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
              "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
            },
            {
              "id": "Worm:Win32/AutoRun",
              "display_name": "Worm:Win32/AutoRun",
              "target": "/malware/Worm:Win32/AutoRun"
            },
            {
              "id": "ALF:Program:Win32/Webcompanion",
              "display_name": "ALF:Program:Win32/Webcompanion",
              "target": null
            },
            {
              "id": "Trojan:Win32/Antavmu",
              "display_name": "Trojan:Win32/Antavmu",
              "target": "/malware/Trojan:Win32/Antavmu"
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1212",
              "name": "Exploitation for Credential Access",
              "display_name": "T1212 - Exploitation for Credential Access"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1122",
              "name": "Component Object Model Hijacking",
              "display_name": "T1122 - Component Object Model Hijacking"
            },
            {
              "id": "T1198",
              "name": "SIP and Trust Provider Hijacking",
              "display_name": "T1198 - SIP and Trust Provider Hijacking"
            },
            {
              "id": "T1460",
              "name": "Biometric Spoofing",
              "display_name": "T1460 - Biometric Spoofing"
            },
            {
              "id": "T1502",
              "name": "Parent PID Spoofing",
              "display_name": "T1502 - Parent PID Spoofing"
            },
            {
              "id": "T1205.001",
              "name": "Port Knocking",
              "display_name": "T1205.001 - Port Knocking"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Healthcare",
            "Government",
            "Civilian Society"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 51,
            "CIDR": 11,
            "URL": 280,
            "hostname": 426,
            "FileHash-SHA256": 4334,
            "domain": 180,
            "FileHash-MD5": 2244,
            "FileHash-SHA1": 2244,
            "CVE": 1
          },
          "indicator_count": 9771,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 229,
          "modified_text": "619 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66cb6092ed7d61b3a370d6cd",
          "name": "Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPER | BGP Hurricane Electric ",
          "description": "",
          "modified": "2024-09-12T00:41:55.890000",
          "created": "2024-08-25T16:49:22.975000",
          "tags": [
            "swipp9-arin",
            "swipper",
            "swipp",
            "verizon",
            "cellcopart",
            "swipper",
            "ongoing",
            "get e sim",
            "as16276",
            "france unknown",
            "unknown",
            "as6167",
            "org verizon",
            "passive dns",
            "all scoreblue",
            "as8075",
            "cellco",
            "javascript",
            "help center",
            "please",
            "service privacy",
            "policy cookie",
            "policy imprint",
            "ads info",
            "cms",
            "express",
            "tsa b",
            "self",
            "server",
            "get esim",
            "wirelessdatanetwork",
            "netrange",
            "nethandle",
            "net174",
            "net1740000",
            "mcics",
            "orgid",
            "mcics address",
            "loudoun county",
            "android",
            "generic http",
            "exe upload",
            "windows nt",
            "outbound",
            "host",
            "malware beacon",
            "cape",
            "trojan",
            "copy",
            "write",
            "malware",
            "inbound",
            "impash",
            "post na",
            "search",
            "delete",
            "related pulses",
            "top source",
            "top destination",
            "source source",
            "filehash",
            "contentlength",
            "activity",
            "dns lookup",
            "flooder",
            "et",
            "aaaa",
            "nxdomain",
            "domain",
            "ipv4",
            "url analysis",
            "files",
            "malicious",
            "network",
            "historical ssl",
            "epsilon stealer",
            "traces aided",
            "dns intel",
            "remote job",
            "keeper",
            "snatch",
            "ransomware",
            "united states",
            "as8068",
            "entries",
            "mtb jan",
            "body",
            "x msedge",
            "scan endpoints",
            "trojandropper",
            "slf features",
            "file samples",
            "files matching",
            "date hash",
            "next",
            "win64",
            "win32",
            "copyright",
            "levelblue",
            "showing",
            "a domains",
            "as54113",
            "script domains",
            "script urls",
            "script script",
            "date",
            "meta",
            "window",
            "cookie",
            "trojan features",
            "worm",
            "show",
            "alf features",
            "hca",
            "target tsara brashears",
            "hostname",
            "expiration",
            "no expiration",
            "hca health",
            "eva120",
            "jody huffines",
            "jody alaska",
            "stephen r 'middleton'",
            "phone clone",
            "adversary in the middle",
            "known threat",
            "android attack",
            "web attack",
            "network",
            "dns",
            "florence co",
            "ddos",
            "google",
            "ip address",
            "ip range",
            "whois",
            "spam stats",
            "as6167 network",
            "cleantalk ip",
            "email abuse",
            "reports",
            "misc attack",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "suricata",
            "et intelligence",
            "known malicious ip",
            "spoof",
            "twitter",
            "x",
            "hackers"
          ],
          "references": [
            "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks  174.215.26.0",
            "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
            "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
            "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
            "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
            "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
            "Yara Detections: SUSP_Imphash_Mar23_2",
            "Alerts: cape_detected_threat",
            "http://www.govexec.com/dailyfed/0906/091806ol.htm",
            "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
            "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
            "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
            "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
            "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
            "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
            "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
            "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
            "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
            "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
            "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
            "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Vflooder.A",
              "display_name": "Trojan:Win32/Vflooder.A",
              "target": "/malware/Trojan:Win32/Vflooder.A"
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Flooder",
              "display_name": "Flooder",
              "target": null
            },
            {
              "id": "Trojan.Upatre/Waski",
              "display_name": "Trojan.Upatre/Waski",
              "target": null
            },
            {
              "id": "SLF:Win64/CobPipe",
              "display_name": "SLF:Win64/CobPipe",
              "target": "/malware/SLF:Win64/CobPipe"
            },
            {
              "id": "TrojanDropper:Win32/Muldrop.V!MTB",
              "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
              "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
            },
            {
              "id": "Worm:Win32/AutoRun",
              "display_name": "Worm:Win32/AutoRun",
              "target": "/malware/Worm:Win32/AutoRun"
            },
            {
              "id": "ALF:Program:Win32/Webcompanion",
              "display_name": "ALF:Program:Win32/Webcompanion",
              "target": null
            },
            {
              "id": "Trojan:Win32/Antavmu",
              "display_name": "Trojan:Win32/Antavmu",
              "target": "/malware/Trojan:Win32/Antavmu"
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1212",
              "name": "Exploitation for Credential Access",
              "display_name": "T1212 - Exploitation for Credential Access"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1122",
              "name": "Component Object Model Hijacking",
              "display_name": "T1122 - Component Object Model Hijacking"
            },
            {
              "id": "T1198",
              "name": "SIP and Trust Provider Hijacking",
              "display_name": "T1198 - SIP and Trust Provider Hijacking"
            },
            {
              "id": "T1460",
              "name": "Biometric Spoofing",
              "display_name": "T1460 - Biometric Spoofing"
            },
            {
              "id": "T1502",
              "name": "Parent PID Spoofing",
              "display_name": "T1502 - Parent PID Spoofing"
            },
            {
              "id": "T1205.001",
              "name": "Port Knocking",
              "display_name": "T1205.001 - Port Knocking"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Healthcare",
            "Government",
            "Civilian Society"
          ],
          "TLP": "white",
          "cloned_from": "66ba9198fd69c93fabece38d",
          "export_count": 31,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 24,
            "CIDR": 8,
            "URL": 190,
            "hostname": 370,
            "FileHash-SHA256": 4319,
            "domain": 176,
            "FileHash-MD5": 2244,
            "FileHash-SHA1": 2244,
            "CVE": 1
          },
          "indicator_count": 9576,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 230,
          "modified_text": "626 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d496e04d8fa0cc8d528941",
          "name": "Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPER | BGP Hurricane Electric ",
          "description": "",
          "modified": "2024-09-12T00:25:51.199000",
          "created": "2024-09-01T16:31:28.909000",
          "tags": [
            "swipp9-arin",
            "swipper",
            "swipp",
            "verizon",
            "cellcopart",
            "swipper",
            "ongoing",
            "get e sim",
            "as16276",
            "france unknown",
            "unknown",
            "as6167",
            "org verizon",
            "passive dns",
            "all scoreblue",
            "as8075",
            "cellco",
            "javascript",
            "help center",
            "please",
            "service privacy",
            "policy cookie",
            "policy imprint",
            "ads info",
            "cms",
            "express",
            "tsa b",
            "self",
            "server",
            "get esim",
            "wirelessdatanetwork",
            "netrange",
            "nethandle",
            "net174",
            "net1740000",
            "mcics",
            "orgid",
            "mcics address",
            "loudoun county",
            "android",
            "generic http",
            "exe upload",
            "windows nt",
            "outbound",
            "host",
            "malware beacon",
            "cape",
            "trojan",
            "copy",
            "write",
            "malware",
            "inbound",
            "impash",
            "post na",
            "search",
            "delete",
            "related pulses",
            "top source",
            "top destination",
            "source source",
            "filehash",
            "contentlength",
            "activity",
            "dns lookup",
            "flooder",
            "et",
            "aaaa",
            "nxdomain",
            "domain",
            "ipv4",
            "url analysis",
            "files",
            "malicious",
            "network",
            "historical ssl",
            "epsilon stealer",
            "traces aided",
            "dns intel",
            "remote job",
            "keeper",
            "snatch",
            "ransomware",
            "united states",
            "as8068",
            "entries",
            "mtb jan",
            "body",
            "x msedge",
            "scan endpoints",
            "trojandropper",
            "slf features",
            "file samples",
            "files matching",
            "date hash",
            "next",
            "win64",
            "win32",
            "copyright",
            "levelblue",
            "showing",
            "a domains",
            "as54113",
            "script domains",
            "script urls",
            "script script",
            "date",
            "meta",
            "window",
            "cookie",
            "trojan features",
            "worm",
            "show",
            "alf features",
            "hca",
            "target tsara brashears",
            "hostname",
            "expiration",
            "no expiration",
            "hca health",
            "eva120",
            "jody huffines",
            "jody alaska",
            "stephen r 'middleton'",
            "phone clone",
            "adversary in the middle",
            "known threat",
            "android attack",
            "web attack",
            "network",
            "dns",
            "florence co",
            "ddos",
            "google",
            "ip address",
            "ip range",
            "whois",
            "spam stats",
            "as6167 network",
            "cleantalk ip",
            "email abuse",
            "reports",
            "misc attack",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "suricata",
            "et intelligence",
            "known malicious ip",
            "spoof",
            "twitter",
            "x",
            "hackers"
          ],
          "references": [
            "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudoun County, Va | Ongoing attacks  174.215.26.0",
            "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
            "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
            "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
            "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
            "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
            "Yara Detections: SUSP_Imphash_Mar23_2",
            "Alerts: cape_detected_threat",
            "http://www.govexec.com/dailyfed/0906/091806ol.htm",
            "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
            "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
            "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
            "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
            "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
            "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
            "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
            "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
            "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
            "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
            "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
            "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Vflooder.A",
              "display_name": "Trojan:Win32/Vflooder.A",
              "target": "/malware/Trojan:Win32/Vflooder.A"
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Flooder",
              "display_name": "Flooder",
              "target": null
            },
            {
              "id": "Trojan.Upatre/Waski",
              "display_name": "Trojan.Upatre/Waski",
              "target": null
            },
            {
              "id": "SLF:Win64/CobPipe",
              "display_name": "SLF:Win64/CobPipe",
              "target": "/malware/SLF:Win64/CobPipe"
            },
            {
              "id": "TrojanDropper:Win32/Muldrop.V!MTB",
              "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
              "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
            },
            {
              "id": "Worm:Win32/AutoRun",
              "display_name": "Worm:Win32/AutoRun",
              "target": "/malware/Worm:Win32/AutoRun"
            },
            {
              "id": "ALF:Program:Win32/Webcompanion",
              "display_name": "ALF:Program:Win32/Webcompanion",
              "target": null
            },
            {
              "id": "Trojan:Win32/Antavmu",
              "display_name": "Trojan:Win32/Antavmu",
              "target": "/malware/Trojan:Win32/Antavmu"
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1212",
              "name": "Exploitation for Credential Access",
              "display_name": "T1212 - Exploitation for Credential Access"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1122",
              "name": "Component Object Model Hijacking",
              "display_name": "T1122 - Component Object Model Hijacking"
            },
            {
              "id": "T1198",
              "name": "SIP and Trust Provider Hijacking",
              "display_name": "T1198 - SIP and Trust Provider Hijacking"
            },
            {
              "id": "T1460",
              "name": "Biometric Spoofing",
              "display_name": "T1460 - Biometric Spoofing"
            },
            {
              "id": "T1502",
              "name": "Parent PID Spoofing",
              "display_name": "T1502 - Parent PID Spoofing"
            },
            {
              "id": "T1205.001",
              "name": "Port Knocking",
              "display_name": "T1205.001 - Port Knocking"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Healthcare",
            "Government",
            "Civilian Society"
          ],
          "TLP": "white",
          "cloned_from": "66cb6092ed7d61b3a370d6cd",
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 33,
            "CIDR": 9,
            "URL": 221,
            "hostname": 390,
            "FileHash-SHA256": 4343,
            "domain": 177,
            "FileHash-MD5": 2244,
            "FileHash-SHA1": 2244,
            "CVE": 1
          },
          "indicator_count": 9662,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 229,
          "modified_text": "626 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66626586cce1475041e3646e",
          "name": "cab96d2.tmp (temp)",
          "description": "",
          "modified": "2024-07-07T01:06:11.854000",
          "created": "2024-06-07T01:42:30.156000",
          "tags": [
            "virustotal"
          ],
          "references": [
            "https://www.virustotal.com/graph/gcfca29b8f52b4781b50acdf677cfdd96c19606d2c3304ba9a2c96caffb7db31b"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 687,
            "URL": 5,
            "domain": 2,
            "hostname": 2
          },
          "indicator_count": 696,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 183,
          "modified_text": "693 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "662314c6e076127495fa45e2",
          "name": "Malware dataset 20240419 | Network",
          "description": "Domain and URL hits observed from a subset of analyzed samples.",
          "modified": "2024-04-20T01:05:10.180000",
          "created": "2024-04-20T01:05:10.180000",
          "tags": [],
          "references": [
            "https://maldatabase.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "maldatabase",
            "id": "71669",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_71669/resized/80/avatar_d15b868454.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1,
            "domain": 33
          },
          "indicator_count": 34,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1115,
          "modified_text": "771 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "660cab402a7b91ef0b9ebc45",
          "name": "Malware dataset 20240402 | Network",
          "description": "Domain and URL hits observed from a subset of analyzed samples.",
          "modified": "2024-04-03T01:05:04.686000",
          "created": "2024-04-03T01:05:04.686000",
          "tags": [],
          "references": [
            "https://maldatabase.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "maldatabase",
            "id": "71669",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_71669/resized/80/avatar_d15b868454.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1,
            "domain": 30
          },
          "indicator_count": 31,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1114,
          "modified_text": "788 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65f641c0ce52438ffa541a52",
          "name": "Malware dataset 20240316 | Network",
          "description": "Domain and URL hits observed from a subset of analyzed samples.",
          "modified": "2024-03-17T01:05:04.241000",
          "created": "2024-03-17T01:05:04.241000",
          "tags": [],
          "references": [
            "https://maldatabase.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "maldatabase",
            "id": "71669",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_71669/resized/80/avatar_d15b868454.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 34
          },
          "indicator_count": 34,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1114,
          "modified_text": "805 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "659261e2290ac1ecc5d9ca74",
          "name": "Pegasus - a-poster.info",
          "description": "",
          "modified": "2024-01-31T04:00:35.757000",
          "created": "2024-01-01T06:55:30.771000",
          "tags": [
            "no expiration",
            "domain",
            "hostname",
            "ipv4",
            "expiration",
            "iocs",
            "ipv6",
            "url http",
            "url https",
            "next",
            "filehashmd5",
            "filehashsha1",
            "filehashsha256",
            "scan endpoints",
            "all octoseek",
            "create new",
            "pulse use",
            "pdf report",
            "cidr",
            "pcap",
            "stix",
            "subid",
            "mtsub26293293",
            "dashboard",
            "browse scan",
            "endpoints all",
            "octoseek",
            "a poster",
            "apple",
            "apple id",
            "apple engineering",
            "icloud",
            "tulach",
            "hallrender",
            "ck matrix",
            "ck id",
            "xobo",
            "a nxdomain",
            "sabey",
            "aaaa",
            "win32",
            "briansabey",
            "brian",
            "brian sabey",
            "urls https",
            "unknown urls",
            "united",
            "ttl value",
            "tsara brashears",
            "trojan",
            "tracker",
            "tofsee",
            "threat analyzer",
            "threat",
            "temp",
            "teams api",
            "subdomains",
            "active",
            "active threat",
            "strings",
            "status codes",
            "japan national police agency",
            "pegasus",
            "china",
            "aig",
            "ssl certificate",
            "accept",
            "ssh on server",
            "speakez securus",
            "show technique",
            "https",
            "relay",
            "state",
            "android",
            "address",
            "aposter",
            "workaposter",
            "sha256",
            "showing",
            "simple",
            "span",
            "small",
            "serving ip",
            "script",
            "search",
            "root",
            "ca",
            "samples",
            "root ca",
            "resolutions",
            "remote",
            "relay",
            "relacion",
            "referrer",
            "record value",
            "applenoc",
            "as16625",
            "attack",
            "apple attack",
            "bundled",
            "canvas",
            "mitre attk",
            "brute force passwords",
            "body length",
            "body",
            "backdoor",
            "bellsouth",
            "bahamut",
            "bell south",
            "mitre",
            "cellbrite",
            "class",
            "click",
            "authority",
            "contentencoding",
            "akamai",
            "as20940",
            "as24940 hetzner",
            "as58061 scalaxy",
            "scalaxy",
            "as714",
            "critical",
            "communicating",
            "quasar",
            "trojan",
            "et",
            "icefog",
            "pegasus",
            "tofsee",
            "cmd",
            "crypto",
            "error",
            "dns replication",
            "domain entries",
            "et cins",
            "execution",
            "cname",
            "config",
            "contact",
            "contacted",
            "copy",
            "creation date",
            "formbook",
            "jekyll",
            "graph",
            "germany unknown",
            "generator",
            "general",
            "forbidden",
            "falcon sandbox",
            "ssl hostname",
            "false",
            "file",
            "final url",
            "final url summary",
            "hashes files",
            "headers nel",
            "historical",
            "malicious host",
            "malvertizing",
            "malware",
            "tagging",
            "contextualizing",
            "localappdata",
            "install",
            "installer",
            "ioc search",
            "iocs kb",
            "body",
            "local",
            "United states",
            "name",
            "name servers",
            "mitre att",
            "metro",
            "meta",
            "mail spammer",
            "submit",
            "submit quasar",
            "phishing",
            "pattern match",
            "paste",
            "passive dns",
            "nxdomain",
            "national police agency japan",
            "network",
            "verdict",
            "cmd",
            "sandbox",
            "http response",
            "record type",
            "phishing",
            "nuance",
            "next",
            "new ioc",
            "subdomains",
            "germany",
            "reinsurance",
            "nuance",
            "cybercrime",
            "tracking",
            "cyber stalking",
            "fear",
            "masquerading",
            "cobalt strike"
          ],
          "references": [
            "a-poster.info",
            "https://tulach.cc/",
            "images.ctfassets.net",
            "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]",
            "nr-data.net [Apple Private Data Collection]",
            "http://gmpg.org/xfn/11 [HTTrack]",
            "192.229.211.108 [Tracking & Virus Network]",
            "me.com [Pegasus]",
            "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]",
            "37.1.217.172 [scanning host]",
            "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Netherlands"
          ],
          "malware_families": [
            {
              "id": "HallRender",
              "display_name": "HallRender",
              "target": null
            },
            {
              "id": "IceFog",
              "display_name": "IceFog",
              "target": null
            },
            {
              "id": "Pegasus - MOB-S0005",
              "display_name": "Pegasus - MOB-S0005",
              "target": null
            },
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            },
            {
              "id": "Trojan",
              "display_name": "Trojan",
              "target": null
            },
            {
              "id": "Sabey",
              "display_name": "Sabey",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "Appleservice",
              "display_name": "Appleservice",
              "target": null
            },
            {
              "id": "FormBook",
              "display_name": "FormBook",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1156",
              "name": "Malicious Shell Modification",
              "display_name": "T1156 - Malicious Shell Modification"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            }
          ],
          "industries": [
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 33,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4695,
            "domain": 2494,
            "hostname": 3547,
            "FileHash-MD5": 4118,
            "FileHash-SHA1": 3496,
            "FileHash-SHA256": 5841,
            "CIDR": 12,
            "email": 17
          },
          "indicator_count": 24220,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 225,
          "modified_text": "851 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "659261d5965b4824d1606cf9",
          "name": "Pegasus - a-poster.info",
          "description": "",
          "modified": "2024-01-31T04:00:35.757000",
          "created": "2024-01-01T06:55:17.262000",
          "tags": [
            "no expiration",
            "domain",
            "hostname",
            "ipv4",
            "expiration",
            "iocs",
            "ipv6",
            "url http",
            "url https",
            "next",
            "filehashmd5",
            "filehashsha1",
            "filehashsha256",
            "scan endpoints",
            "all octoseek",
            "create new",
            "pulse use",
            "pdf report",
            "cidr",
            "pcap",
            "stix",
            "subid",
            "mtsub26293293",
            "dashboard",
            "browse scan",
            "endpoints all",
            "octoseek",
            "a poster",
            "apple",
            "apple id",
            "apple engineering",
            "icloud",
            "tulach",
            "hallrender",
            "ck matrix",
            "ck id",
            "xobo",
            "a nxdomain",
            "sabey",
            "aaaa",
            "win32",
            "briansabey",
            "brian",
            "brian sabey",
            "urls https",
            "unknown urls",
            "united",
            "ttl value",
            "tsara brashears",
            "trojan",
            "tracker",
            "tofsee",
            "threat analyzer",
            "threat",
            "temp",
            "teams api",
            "subdomains",
            "active",
            "active threat",
            "strings",
            "status codes",
            "japan national police agency",
            "pegasus",
            "china",
            "aig",
            "ssl certificate",
            "accept",
            "ssh on server",
            "speakez securus",
            "show technique",
            "https",
            "relay",
            "state",
            "android",
            "address",
            "aposter",
            "workaposter",
            "sha256",
            "showing",
            "simple",
            "span",
            "small",
            "serving ip",
            "script",
            "search",
            "root",
            "ca",
            "samples",
            "root ca",
            "resolutions",
            "remote",
            "relay",
            "relacion",
            "referrer",
            "record value",
            "applenoc",
            "as16625",
            "attack",
            "apple attack",
            "bundled",
            "canvas",
            "mitre attk",
            "brute force passwords",
            "body length",
            "body",
            "backdoor",
            "bellsouth",
            "bahamut",
            "bell south",
            "mitre",
            "cellbrite",
            "class",
            "click",
            "authority",
            "contentencoding",
            "akamai",
            "as20940",
            "as24940 hetzner",
            "as58061 scalaxy",
            "scalaxy",
            "as714",
            "critical",
            "communicating",
            "quasar",
            "trojan",
            "et",
            "icefog",
            "pegasus",
            "tofsee",
            "cmd",
            "crypto",
            "error",
            "dns replication",
            "domain entries",
            "et cins",
            "execution",
            "cname",
            "config",
            "contact",
            "contacted",
            "copy",
            "creation date",
            "formbook",
            "jekyll",
            "graph",
            "germany unknown",
            "generator",
            "general",
            "forbidden",
            "falcon sandbox",
            "ssl hostname",
            "false",
            "file",
            "final url",
            "final url summary",
            "hashes files",
            "headers nel",
            "historical",
            "malicious host",
            "malvertizing",
            "malware",
            "tagging",
            "contextualizing",
            "localappdata",
            "install",
            "installer",
            "ioc search",
            "iocs kb",
            "body",
            "local",
            "United states",
            "name",
            "name servers",
            "mitre att",
            "metro",
            "meta",
            "mail spammer",
            "submit",
            "submit quasar",
            "phishing",
            "pattern match",
            "paste",
            "passive dns",
            "nxdomain",
            "national police agency japan",
            "network",
            "verdict",
            "cmd",
            "sandbox",
            "http response",
            "record type",
            "phishing",
            "nuance",
            "next",
            "new ioc",
            "subdomains",
            "germany",
            "reinsurance",
            "nuance",
            "cybercrime",
            "tracking",
            "cyber stalking",
            "fear",
            "masquerading",
            "cobalt strike"
          ],
          "references": [
            "a-poster.info",
            "https://tulach.cc/",
            "images.ctfassets.net",
            "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]",
            "nr-data.net [Apple Private Data Collection]",
            "http://gmpg.org/xfn/11 [HTTrack]",
            "192.229.211.108 [Tracking & Virus Network]",
            "me.com [Pegasus]",
            "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]",
            "37.1.217.172 [scanning host]",
            "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Netherlands"
          ],
          "malware_families": [
            {
              "id": "HallRender",
              "display_name": "HallRender",
              "target": null
            },
            {
              "id": "IceFog",
              "display_name": "IceFog",
              "target": null
            },
            {
              "id": "Pegasus - MOB-S0005",
              "display_name": "Pegasus - MOB-S0005",
              "target": null
            },
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            },
            {
              "id": "Trojan",
              "display_name": "Trojan",
              "target": null
            },
            {
              "id": "Sabey",
              "display_name": "Sabey",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "Appleservice",
              "display_name": "Appleservice",
              "target": null
            },
            {
              "id": "FormBook",
              "display_name": "FormBook",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1156",
              "name": "Malicious Shell Modification",
              "display_name": "T1156 - Malicious Shell Modification"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            }
          ],
          "industries": [
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 41,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4719,
            "domain": 2497,
            "hostname": 3549,
            "FileHash-MD5": 4118,
            "FileHash-SHA1": 3496,
            "FileHash-SHA256": 5861,
            "CIDR": 12,
            "email": 17
          },
          "indicator_count": 24269,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "851 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65709c1a3462dae3a7d8714b",
          "name": "IOC202306052234",
          "description": "",
          "modified": "2023-12-06T16:06:50.890000",
          "created": "2023-12-06T16:06:50.890000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1096,
            "FileHash-MD5": 307,
            "FileHash-SHA1": 268,
            "domain": 265,
            "CVE": 6,
            "hostname": 246,
            "URL": 29
          },
          "indicator_count": 2217,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "906 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6536fe7706b7eeaa7ab5c271",
          "name": "CVE-2005-0068",
          "description": "A summary of the major vulnerabilities in the ICMP software, published by the Australian government on 1 January 2008. The first such vulnerability to be identified in this year's Security Research Review (SSR).",
          "modified": "2023-11-28T06:04:19.908000",
          "created": "2023-10-23T23:15:03.507000",
          "tags": [
            "icmp",
            "icmp error",
            "split",
            "files",
            "exploits",
            "targeted",
            "cve overview",
            "source quench",
            "path mtu",
            "cve20040791"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 26,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ellenmmm",
            "id": "233693",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 7,
            "URL": 1768,
            "hostname": 1200,
            "FileHash-SHA256": 6469,
            "domain": 2139,
            "email": 25,
            "FileHash-MD5": 1296,
            "FileHash-SHA1": 1287,
            "JA3": 2
          },
          "indicator_count": 14193,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 88,
          "modified_text": "914 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65595f406f2c667286e35ea0",
          "name": "Malware dataset 20231118 | Network",
          "description": "Domain and URL hits observed from a subset of analyzed samples.",
          "modified": "2023-11-19T01:05:04.480000",
          "created": "2023-11-19T01:05:04.480000",
          "tags": [],
          "references": [
            "https://maldatabase.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "maldatabase",
            "id": "71669",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_71669/resized/80/avatar_d15b868454.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 17,
            "hostname": 9
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1115,
          "modified_text": "924 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "647e46cde36f3b047c03f8db",
          "name": "IOC202306052234",
          "description": "",
          "modified": "2023-07-05T20:01:39.023000",
          "created": "2023-06-05T20:34:21.028000",
          "tags": [
            "june",
            "seen",
            "track them",
            "all at",
            "chatgpt",
            "april",
            "march",
            "recent blog",
            "february",
            "lockbit",
            "smoke loader",
            "qbot",
            "predator",
            "emotet",
            "danabot",
            "gandcrab",
            "orcus rat",
            "icedid",
            "sodinokibi",
            "agent tesla",
            "ave maria",
            "gootkit",
            "cobalt strike",
            "dharma",
            "hawkeye",
            "trojan",
            "zloader",
            "formbook",
            "crimson rat",
            "trickbot",
            "nemty",
            "netwalker",
            "pony",
            "glupteba",
            "azorult",
            "dridex",
            "hancitor",
            "raccoon",
            "maze",
            "vidar",
            "ryuk ransomware",
            "guloader",
            "amadey",
            "adwind",
            "quasar rat",
            "troldesh",
            "rats",
            "remcos",
            "revenge",
            "ursnif",
            "cryptbot",
            "flawedammyy",
            "phobos",
            "august",
            "snake",
            "ryuk",
            "quasar",
            "netwire",
            "darkside",
            "redline",
            "asyncrat",
            "ransomware",
            "darkcomet",
            "wannacry",
            "nanocore",
            "lokibot",
            "orcus",
            "thief",
            "malware",
            "systembc",
            "powershell",
            "adwind rat",
            "squirrelwaffle",
            "redline stealer",
            "bitcoin",
            "open",
            "copy",
            "ukraine",
            "nanocore rat",
            "houdini",
            "revenge rat",
            "dyre",
            "first",
            "eternalblue",
            "fallout",
            "smokeloader",
            "dofoil",
            "macos",
            "predator pain",
            "revil",
            "wcry ransomware",
            "bladabindi",
            "teamviewer",
            "agenttesla",
            "belarus",
            "cobaltstrike",
            "hermes",
            "execution",
            "crimson",
            "crysis",
            "shadow",
            "njrat",
            "next",
            "loader",
            "malspam",
            "ransom",
            "mimikatz",
            "cloudeye",
            "hworm",
            "friendly",
            "napoleon",
            "qakbot",
            "click",
            "ammyy admin",
            "flawedammy",
            "andromut",
            "vawtrak",
            "windigo",
            "mailto",
            "kill",
            "desktop",
            "discord",
            "loki bot",
            "mars",
            "apart",
            "smokeldr",
            "racealer",
            "hunter",
            "psexec",
            "mega",
            "cve201711882",
            "maldoc",
            "dunihi",
            "jenxcus",
            "xtremerat",
            "poisonivy",
            "fareit",
            "siplog",
            "gozi",
            "egregor",
            "browserpassview",
            "mailpassview",
            "aggah",
            "virustotal",
            "pinkslipbot",
            "path",
            "chacha",
            "spelevo",
            "killswitch",
            "sockrat",
            "mexico",
            "alienspy",
            "chthonic",
            "aurora",
            "winrar",
            "bokbot",
            "ammyy",
            "servhelper",
            "neutrino",
            "angler",
            "chanitor",
            "teamspy",
            "axpergle",
            "nuclear",
            "cridex",
            "service",
            "scarimson",
            "sticky",
            "terdot",
            "zbot",
            "panda banker",
            "screen",
            "polish"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1220",
              "name": "XSL Script Processing",
              "display_name": "T1220 - XSL Script Processing"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 40,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlessandroFiori",
            "id": "91912",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_91912/resized/80/avatar_2b1b2b88b6.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 29,
            "FileHash-MD5": 307,
            "FileHash-SHA1": 268,
            "FileHash-SHA256": 1096,
            "CVE": 6,
            "domain": 265,
            "hostname": 246
          },
          "indicator_count": 2217,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 424,
          "modified_text": "1060 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63d50f75c25f8a4c347692a7",
          "name": "AgentTesla malware indicators | 20230127",
          "description": "Indicators of compromise extracted from analyzed samples of AgentTesla malware family. This report only includes a subset of the samples analyzed on 20230127.",
          "modified": "2023-01-28T12:05:09.889000",
          "created": "2023-01-28T12:05:09.889000",
          "tags": [
            "AgentTesla"
          ],
          "references": [
            "https://maldatabase.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "maldatabase",
            "id": "71669",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_71669/resized/80/avatar_d15b868454.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 7,
            "domain": 1
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1114,
          "modified_text": "1218 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "639d15c86a10ffb74ea661be",
          "name": "Malware dataset 20221216 | Network",
          "description": "Domain and URL hits observed from a subset of analyzed samples.",
          "modified": "2022-12-17T01:05:12.973000",
          "created": "2022-12-17T01:05:12.973000",
          "tags": [],
          "references": [
            "https://maldatabase.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "maldatabase",
            "id": "71669",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_71669/resized/80/avatar_d15b868454.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 12,
            "hostname": 8
          },
          "indicator_count": 20,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1114,
          "modified_text": "1261 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "639a72c7acc33a8b50ebf5e1",
          "name": "Malware dataset 20221214 | Network",
          "description": "Domain and URL hits observed from a subset of analyzed samples.",
          "modified": "2022-12-15T01:05:11.242000",
          "created": "2022-12-15T01:05:11.242000",
          "tags": [],
          "references": [
            "https://maldatabase.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "maldatabase",
            "id": "71669",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_71669/resized/80/avatar_d15b868454.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 9,
            "hostname": 14
          },
          "indicator_count": 23,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1115,
          "modified_text": "1263 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6397cfc5af705828596c2d8f",
          "name": "Malware dataset 20221212 | Network",
          "description": "Domain and URL hits observed from a subset of analyzed samples.",
          "modified": "2022-12-13T01:05:09.458000",
          "created": "2022-12-13T01:05:09.458000",
          "tags": [],
          "references": [
            "https://maldatabase.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 37,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "maldatabase",
            "id": "71669",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_71669/resized/80/avatar_d15b868454.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 7,
            "hostname": 18
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1114,
          "modified_text": "1265 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6390817d0ac5e94234e08512",
          "name": "AgentTesla malware indicators | 20221206",
          "description": "Indicators of compromise extracted from analyzed samples of AgentTesla malware family. This report only includes a subset of the samples analyzed on 20221206.",
          "modified": "2022-12-07T12:05:17.191000",
          "created": "2022-12-07T12:05:17.191000",
          "tags": [
            "AgentTesla"
          ],
          "references": [
            "https://maldatabase.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "maldatabase",
            "id": "71669",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_71669/resized/80/avatar_d15b868454.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 15,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 15,
            "domain": 1
          },
          "indicator_count": 46,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1114,
          "modified_text": "1270 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "638fe6c7f766ddd4b09df407",
          "name": "Malware dataset 20221206 | Network",
          "description": "Domain and URL hits observed from a subset of analyzed samples.",
          "modified": "2022-12-07T01:05:11.517000",
          "created": "2022-12-07T01:05:11.517000",
          "tags": [],
          "references": [
            "https://maldatabase.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "maldatabase",
            "id": "71669",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_71669/resized/80/avatar_d15b868454.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 8,
            "hostname": 5
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1114,
          "modified_text": "1271 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6334ef426ba73af7978b6793",
          "name": "Malware dataset 20220928 | Network",
          "description": "Domain and URL hits observed from a subset of analyzed samples.",
          "modified": "2022-09-29T01:05:06.656000",
          "created": "2022-09-29T01:05:06.656000",
          "tags": [],
          "references": [
            "https://maldatabase.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "maldatabase",
            "id": "71669",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_71669/resized/80/avatar_d15b868454.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 7,
            "hostname": 11
          },
          "indicator_count": 18,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1114,
          "modified_text": "1340 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "632e57c2bf1979bd19178f0a",
          "name": "Malware dataset 20220923 | Network",
          "description": "Domain and URL hits observed from a subset of analyzed samples.",
          "modified": "2022-09-24T01:05:06.805000",
          "created": "2022-09-24T01:05:06.805000",
          "tags": [],
          "references": [
            "https://maldatabase.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "maldatabase",
            "id": "71669",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_71669/resized/80/avatar_d15b868454.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 11,
            "hostname": 2
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1114,
          "modified_text": "1345 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "632afdf1d3fccfba44e4aa0d",
          "name": "Remcos malware indicators | 20220920",
          "description": "Indicators of compromise extracted from analyzed samples of Remcos malware family. This report only includes a subset of the samples analyzed on 20220920.",
          "modified": "2022-09-21T12:05:05.080000",
          "created": "2022-09-21T12:05:05.080000",
          "tags": [
            "Remcos"
          ],
          "references": [
            "https://maldatabase.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "maldatabase",
            "id": "71669",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_71669/resized/80/avatar_d15b868454.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 3,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 11,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1115,
          "modified_text": "1347 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6323cbc23488d6bc7d8e6926",
          "name": "Malware dataset 20220915 | Network",
          "description": "Domain and URL hits observed from a subset of analyzed samples.",
          "modified": "2022-09-16T01:05:06.231000",
          "created": "2022-09-16T01:05:06.231000",
          "tags": [],
          "references": [
            "https://maldatabase.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "maldatabase",
            "id": "71669",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_71669/resized/80/avatar_d15b868454.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 11,
            "hostname": 9
          },
          "indicator_count": 20,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1114,
          "modified_text": "1353 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63193fc2feb9246e7ec5c22a",
          "name": "Malware dataset 20220907 | Network",
          "description": "Domain and URL hits observed from a subset of analyzed samples.",
          "modified": "2022-09-08T01:05:06.139000",
          "created": "2022-09-08T01:05:06.139000",
          "tags": [],
          "references": [
            "https://maldatabase.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "maldatabase",
            "id": "71669",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_71669/resized/80/avatar_d15b868454.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 10,
            "hostname": 34
          },
          "indicator_count": 44,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1114,
          "modified_text": "1361 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62da92748fe6d45d9bb23f42",
          "name": "AgentTesla malware indicators | 20220721",
          "description": "Indicators of compromise extracted from analyzed samples of AgentTesla malware family. This report only includes a subset of the samples analyzed on 20220721.",
          "modified": "2022-07-22T12:05:07.999000",
          "created": "2022-07-22T12:05:07.999000",
          "tags": [
            "AgentTesla"
          ],
          "references": [
            "https://maldatabase.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "maldatabase",
            "id": "71669",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_71669/resized/80/avatar_d15b868454.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 2,
            "FileHash-MD5": 15,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 15,
            "domain": 1
          },
          "indicator_count": 48,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1114,
          "modified_text": "1408 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62d9f7c7402af385511fb5ee",
          "name": "Malware dataset 20220721 | Network",
          "description": "Domain and URL hits observed from a subset of analyzed samples.",
          "modified": "2022-07-22T01:05:11.528000",
          "created": "2022-07-22T01:05:11.528000",
          "tags": [],
          "references": [
            "https://maldatabase.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "maldatabase",
            "id": "71669",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_71669/resized/80/avatar_d15b868454.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 3,
            "hostname": 27
          },
          "indicator_count": 30,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1114,
          "modified_text": "1409 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less",
        "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
        "consolefoundry.date \u2022 http://consolefoundry.date",
        "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks  174.215.26.0",
        "x.com \u2022 nr-data.net \u2022 apple.k8s.joewa.com",
        "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing",
        "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)",
        "Devices remotely connected, tracked , monitored",
        "192.229.211.108 [Tracking & Virus Network]",
        "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
        "https://www.filescan.io/api/feed/reports",
        "Sigma \u2022 System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
        "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba",
        "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022  sin.llm-gateway.truefoundry.com",
        "37.1.217.172 [scanning host]",
        "IDS Detections: Win32/Enosch.A gtalk connectivity check | W32/MoonLight.worm User-Agent (HellSpawn)",
        "Yara \u2022  NSIS from ruleset NSIS by kevoreilly",
        "*Andariel Backdoor Activity (Checkin)",
        "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N",
        "IDS: WGET Command Specifying Output in HTTP Headers",
        "IDS: D-Link Devices Home Network Administration Protocol Command Execution",
        "Yara \u2022 rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
        "http://apple.cc.lvlid.com/ \u2022 http://apple.cc.lvlid.com/ios/ \u2022 http://www.apple.cc.lvlid.com/ios",
        "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/",
        "afraid.org | evergreen.afraid.org",
        "Alerts:  mouse_movement_detect",
        "https://www.virustotal.com/graph/gcfca29b8f52b4781b50acdf677cfdd96c19606d2c3304ba9a2c96caffb7db31b",
        "Alerts: cape_detected_threat",
        "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)",
        "http://www.govexec.com/dailyfed/0906/091806ol.htm",
        "http://freedns.afraid.org/safety/?host=signin.ebay.com.ws.ebayisapi.dll.signin.usingssl.www.ebay.com.fr.am",
        "Yara \u2022 Windows_Generic_Threat_7526f106 from ruleset Windows_Generic_Threat by Elastic Security",
        "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site",
        "target.dropboxbusiness.com",
        "https://www.fortiguard.com/encyclopedia/virus/10086605",
        "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
        "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
        "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json",
        "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
        "me.com [Pegasus]",
        "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
        "hasownproperty.call \u2022 fireeye.grhd.",
        "http://consolefoundry.date/one/gate.php \u2022 foundry.neconsside.com",
        "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t  Domain blogspot.com Whitelisted domain blogspot.com\t  Domain techcult.com Whitelisted domain techcult.com\t  Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com",
        "TJprojMain.exe {79c7303a1a49b85569245a8ca1c1a26be720387845af9391fa1e4677308bd6b6}",
        "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
        "KeyAuth Open-source Authentication System Domain (keyauth .win) in TLS SNI",
        "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
        "Yara : MS_Visual_Basic_6_0 ,",
        "PWS:Win32/Ymacco.AA50 Win.Trojan.Generic-9959068-0\t SLF:MSIL/PSTAnomaly.A Win.Dropper.Shakblades-7614016-0\t#LowFI:VBExpensiveLoop Win.Packed.Barys-10031677-0\tTEL:Trojan:MSIL/AgentTesla.VPA!MTB Win.Trojan. Backdoor:MSIL/Remcos!MTB",
        "Alerts: dynamic_function_loading  injection_write_process reads_memory_remote_process",
        "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Program:Win32/Uwamson.A!ml&threatId=250070",
        "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
        "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
        "https://api.strem.io/api/addonCollectionGet%",
        "2012647\tDropbox.com Offsite File Backup in Use",
        "Interesting: i.circusslaves.com \u2022 linkupdateuser.circusslaves.com \u2022 https://rip.circusslaves.com/",
        "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
        "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
        "Yara Detections: SUSP_Imphash_Mar23_2",
        "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
        "images.ctfassets.net",
        "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]",
        "https://www.virustotal.com/graph/gce53607a8779403cb61fb1fd424d648cdacbe19e4eab410ab9d84de3f57a1610",
        "Apple Store verified drop down breach  \u2018Apple took a screenshot of pages\u201d",
        "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile",
        "gitea.neconsside.com  \u2022 http://f7194.vip/login",
        "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community",
        "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly",
        "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
        "*Themida_2xx. Oreans,Technologies",
        "a-poster.info",
        "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
        "Mirai - ]1.0.0.0 - Unix.Trojan.Mirai-6981169-0",
        "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]",
        "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC",
        "www.techcult.com",
        "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com",
        "Trump Support campaign \u2022_\u2022 lantana-mgmt.washington.palantircloud.com \u2022 containers-reishi.palantirfedstart.com",
        "Alerts: persistence_autorun \u2022 persistence_autorun_tasks stealth_hiddenreg \u2022 suspicious_command",
        "aohhpesayw.lawsonengineers.co.",
        "https://tulach.cc/",
        "Alert: dead_host nids_malware_alert network_icmp nolookup_communication",
        "https://www.virustotal.com/graph/embed/gbc071fd91d6e4a67ac7421a2d0973d5297f478a817104d49ad9077cfee1e2eaa?theme=dark",
        "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
        "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
        "Yara:  ConventionEngine_Anomaly_MultiPDB_Double ,  ConventionEngine_Term_Documents",
        "Sigma \u2022 Suspicious Process Masquerading As SvcHost.EXE by Swachchhanda Shrawan Poudel",
        "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser",
        "https://www.virustotal.com/gui/file/d1aefc0f7a1a1ef63b959bf8fb0dbf960a6af3d88d3ee69b0e2f0f739326818c",
        "foundry2-lbl.dvr.dn2.n-helix.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://foundry2sdbl",
        "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName",
        "https://maldatabase.com",
        "skynet-dev.tcxn.net tcxn.net Registrar Ascio Technologies, Inc - connection to cloud proxy",
        "https://cryptobit.live/build/assets/app-CkRYqsKL.js \u2022 cryptobit.live \u2022 t.page \u2022 cdn.wallets.cryptobit.live",
        "https://xn--72c9abh1f8ad1lzc.com/video_tag/pornthai/ \u2022 https://ro.theskinnyfoodco.com/en-fr/blogs/recipes/pornstar-martini-recipe \u2022 m.pornsexer.xxx.3.1.adiosfil.roksit.net",
        "http://foundry.tartarynova.com phishing \u2022  https://foundry.tartarynova.com \u2022 foundry.tartarynova.com",
        "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
        "truefoundry.com \u2022  assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com",
        "http://gmpg.org/xfn/11 [HTTrack]",
        "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1\t \twww.dropbox.com",
        "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt",
        "Very Disappointing- foundry.neconsside.com  \u2022 ftp.koldunmansurov.ru",
        "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.",
        "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE",
        "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name",
        "Yara: Detections ConventionEngine_Term_Users",
        "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
        "Virus:DOS/Hellspawn 192.168.122.49 10/16/25\t\u2022  IPv4 142.251.9.105",
        "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted",
        "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left",
        "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc",
        "Crowdsourced Signa: Schedule system process by Joe Security",
        "IDS : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI",
        "Foundry stalking.",
        "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly",
        "nr-data.net [Apple Private Data Collection]",
        "Interesting: demo.emaa.cl \u2022 wanndemo.de \u2022 songmeanings.net",
        "TrojanProxy:Win32/Malynfits CodeOverlap TrojanSpy:Win32/Nivdort CodeOverlap virus:Win32/Lywer CodeOverlap"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Flooder",
            "Trojan:win32/pariham.a",
            "Pegasus for ios - s0289",
            "Alf:trojan:win32/cassini_56a3061!ibt",
            "Pegasus - mob-s0005",
            "Zegost",
            "Win.ransomware.msilzilla-10014498-0",
            "Sabey",
            "Malwarex-gen",
            "Pegasus for android - mob-s0032",
            "Backdoor:win32/fynloski.a",
            "Quasar rat",
            "Trojandropper:win32/vb.il0",
            "Unix.trojan.mirai-6981169-0",
            "Win.trojan.dialer-266",
            "#lowfi:vbexpensiveloop",
            "Other malware",
            "Elf:ddos-y\\ [trj]",
            "#lowfi:hstr:msil/obfuscator",
            "Trojan",
            "Trojanspy:win32/nivdort",
            "Worm:win32/autorun.xxy!bit",
            "Formbook",
            "Agenttesla",
            "Tel:trojan:msil/agenttesla.vpa!mtb",
            "Trojandropper:win32/muldrop.v!mtb",
            "Icefog",
            "Trojan.upatre/waski",
            "Neshta",
            "Trojanproxy:win32/malynfits",
            "Worm:win32/lightmoon.h",
            "Cobalt strike",
            "Virus:dos/hellspawn",
            "Alf:jasyp:trojan:win32/ircbot!atmn",
            "Virus:win32/lywer",
            "Alf:ransom:win32/babax.sg!mtb",
            "#trojan:win32/uwamson.a!ml",
            "Et",
            "Alf:program:win32/webcompanion",
            "Backdoor:msil/remcos",
            "Pws:win32/vb.cu",
            "Trojan:win32/vflooder.a",
            "Worm:win32/mofksys.rnd!mtb",
            "Nids",
            "Win.malware.ursu-9856871-0",
            "Tulach",
            "Worm:win32/autorun",
            "Trojan:win32/antavmu",
            "Tofsee",
            "Kentuchy",
            "Appleservice",
            "Hallrender",
            "Worm:win32/autorun.b",
            "Slf:win64/cobpipe"
          ],
          "industries": [
            "Government",
            "Healthcare",
            "Technology",
            "Civilian society"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 50,
  "pulses": [
    {
      "id": "6a19a9e96af10a628d3410f6",
      "name": "credit scoreblue Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPE",
      "description": "",
      "modified": "2026-05-29T14:59:53.153000",
      "created": "2026-05-29T14:59:53.153000",
      "tags": [
        "swipp9-arin",
        "swipper",
        "swipp",
        "verizon",
        "cellcopart",
        "swipper",
        "ongoing",
        "get e sim",
        "as16276",
        "france unknown",
        "unknown",
        "as6167",
        "org verizon",
        "passive dns",
        "all scoreblue",
        "as8075",
        "cellco",
        "javascript",
        "help center",
        "please",
        "service privacy",
        "policy cookie",
        "policy imprint",
        "ads info",
        "cms",
        "express",
        "tsa b",
        "self",
        "server",
        "get esim",
        "wirelessdatanetwork",
        "netrange",
        "nethandle",
        "net174",
        "net1740000",
        "mcics",
        "orgid",
        "mcics address",
        "loudoun county",
        "android",
        "generic http",
        "exe upload",
        "windows nt",
        "outbound",
        "host",
        "malware beacon",
        "cape",
        "trojan",
        "copy",
        "write",
        "malware",
        "inbound",
        "impash",
        "post na",
        "search",
        "delete",
        "related pulses",
        "top source",
        "top destination",
        "source source",
        "filehash",
        "contentlength",
        "activity",
        "dns lookup",
        "flooder",
        "et",
        "aaaa",
        "nxdomain",
        "domain",
        "ipv4",
        "url analysis",
        "files",
        "malicious",
        "network",
        "historical ssl",
        "epsilon stealer",
        "traces aided",
        "dns intel",
        "remote job",
        "keeper",
        "snatch",
        "ransomware",
        "united states",
        "as8068",
        "entries",
        "mtb jan",
        "body",
        "x msedge",
        "scan endpoints",
        "trojandropper",
        "slf features",
        "file samples",
        "files matching",
        "date hash",
        "next",
        "win64",
        "win32",
        "copyright",
        "levelblue",
        "showing",
        "a domains",
        "as54113",
        "script domains",
        "script urls",
        "script script",
        "date",
        "meta",
        "window",
        "cookie",
        "trojan features",
        "worm",
        "show",
        "alf features",
        "hca",
        "target tsara brashears",
        "hostname",
        "expiration",
        "no expiration",
        "hca health",
        "eva120",
        "jody huffines",
        "jody alaska",
        "stephen r 'middleton'",
        "phone clone",
        "adversary in the middle",
        "known threat",
        "android attack",
        "web attack",
        "network",
        "dns",
        "florence co",
        "ddos",
        "google",
        "ip address",
        "ip range",
        "whois",
        "spam stats",
        "as6167 network",
        "cleantalk ip",
        "email abuse",
        "reports",
        "misc attack",
        "et tor",
        "known tor",
        "relayrouter",
        "exit",
        "node traffic",
        "suricata",
        "et intelligence",
        "known malicious ip",
        "spoof",
        "twitter",
        "x",
        "hackers"
      ],
      "references": [
        "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudoun County, Va | Ongoing attacks  174.215.26.0",
        "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
        "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
        "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
        "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
        "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
        "Yara Detections: SUSP_Imphash_Mar23_2",
        "Alerts: cape_detected_threat",
        "http://www.govexec.com/dailyfed/0906/091806ol.htm",
        "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
        "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
        "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
        "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
        "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
        "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
        "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
        "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
        "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
        "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
        "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
        "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/Vflooder.A",
          "display_name": "Trojan:Win32/Vflooder.A",
          "target": "/malware/Trojan:Win32/Vflooder.A"
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Flooder",
          "display_name": "Flooder",
          "target": null
        },
        {
          "id": "Trojan.Upatre/Waski",
          "display_name": "Trojan.Upatre/Waski",
          "target": null
        },
        {
          "id": "SLF:Win64/CobPipe",
          "display_name": "SLF:Win64/CobPipe",
          "target": "/malware/SLF:Win64/CobPipe"
        },
        {
          "id": "TrojanDropper:Win32/Muldrop.V!MTB",
          "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
          "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
        },
        {
          "id": "Worm:Win32/AutoRun",
          "display_name": "Worm:Win32/AutoRun",
          "target": "/malware/Worm:Win32/AutoRun"
        },
        {
          "id": "ALF:Program:Win32/Webcompanion",
          "display_name": "ALF:Program:Win32/Webcompanion",
          "target": null
        },
        {
          "id": "Trojan:Win32/Antavmu",
          "display_name": "Trojan:Win32/Antavmu",
          "target": "/malware/Trojan:Win32/Antavmu"
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1212",
          "name": "Exploitation for Credential Access",
          "display_name": "T1212 - Exploitation for Credential Access"
        },
        {
          "id": "T1003.008",
          "name": "/etc/passwd and /etc/shadow",
          "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1122",
          "name": "Component Object Model Hijacking",
          "display_name": "T1122 - Component Object Model Hijacking"
        },
        {
          "id": "T1198",
          "name": "SIP and Trust Provider Hijacking",
          "display_name": "T1198 - SIP and Trust Provider Hijacking"
        },
        {
          "id": "T1460",
          "name": "Biometric Spoofing",
          "display_name": "T1460 - Biometric Spoofing"
        },
        {
          "id": "T1502",
          "name": "Parent PID Spoofing",
          "display_name": "T1502 - Parent PID Spoofing"
        },
        {
          "id": "T1205.001",
          "name": "Port Knocking",
          "display_name": "T1205.001 - Port Knocking"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Healthcare",
        "Government",
        "Civilian Society"
      ],
      "TLP": "white",
      "cloned_from": "66d496e04d8fa0cc8d528941",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 33,
        "CIDR": 9,
        "URL": 221,
        "hostname": 390,
        "FileHash-SHA256": 4343,
        "domain": 177,
        "FileHash-MD5": 2244,
        "FileHash-SHA1": 2244,
        "CVE": 1
      },
      "indicator_count": 9662,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1 day ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a19a9e76f31858c39e74d24",
      "name": "credit scoreblue Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPE",
      "description": "",
      "modified": "2026-05-29T14:59:51.891000",
      "created": "2026-05-29T14:59:51.891000",
      "tags": [
        "swipp9-arin",
        "swipper",
        "swipp",
        "verizon",
        "cellcopart",
        "swipper",
        "ongoing",
        "get e sim",
        "as16276",
        "france unknown",
        "unknown",
        "as6167",
        "org verizon",
        "passive dns",
        "all scoreblue",
        "as8075",
        "cellco",
        "javascript",
        "help center",
        "please",
        "service privacy",
        "policy cookie",
        "policy imprint",
        "ads info",
        "cms",
        "express",
        "tsa b",
        "self",
        "server",
        "get esim",
        "wirelessdatanetwork",
        "netrange",
        "nethandle",
        "net174",
        "net1740000",
        "mcics",
        "orgid",
        "mcics address",
        "loudoun county",
        "android",
        "generic http",
        "exe upload",
        "windows nt",
        "outbound",
        "host",
        "malware beacon",
        "cape",
        "trojan",
        "copy",
        "write",
        "malware",
        "inbound",
        "impash",
        "post na",
        "search",
        "delete",
        "related pulses",
        "top source",
        "top destination",
        "source source",
        "filehash",
        "contentlength",
        "activity",
        "dns lookup",
        "flooder",
        "et",
        "aaaa",
        "nxdomain",
        "domain",
        "ipv4",
        "url analysis",
        "files",
        "malicious",
        "network",
        "historical ssl",
        "epsilon stealer",
        "traces aided",
        "dns intel",
        "remote job",
        "keeper",
        "snatch",
        "ransomware",
        "united states",
        "as8068",
        "entries",
        "mtb jan",
        "body",
        "x msedge",
        "scan endpoints",
        "trojandropper",
        "slf features",
        "file samples",
        "files matching",
        "date hash",
        "next",
        "win64",
        "win32",
        "copyright",
        "levelblue",
        "showing",
        "a domains",
        "as54113",
        "script domains",
        "script urls",
        "script script",
        "date",
        "meta",
        "window",
        "cookie",
        "trojan features",
        "worm",
        "show",
        "alf features",
        "hca",
        "target tsara brashears",
        "hostname",
        "expiration",
        "no expiration",
        "hca health",
        "eva120",
        "jody huffines",
        "jody alaska",
        "stephen r 'middleton'",
        "phone clone",
        "adversary in the middle",
        "known threat",
        "android attack",
        "web attack",
        "network",
        "dns",
        "florence co",
        "ddos",
        "google",
        "ip address",
        "ip range",
        "whois",
        "spam stats",
        "as6167 network",
        "cleantalk ip",
        "email abuse",
        "reports",
        "misc attack",
        "et tor",
        "known tor",
        "relayrouter",
        "exit",
        "node traffic",
        "suricata",
        "et intelligence",
        "known malicious ip",
        "spoof",
        "twitter",
        "x",
        "hackers"
      ],
      "references": [
        "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudoun County, Va | Ongoing attacks  174.215.26.0",
        "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
        "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
        "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
        "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
        "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
        "Yara Detections: SUSP_Imphash_Mar23_2",
        "Alerts: cape_detected_threat",
        "http://www.govexec.com/dailyfed/0906/091806ol.htm",
        "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
        "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
        "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
        "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
        "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
        "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
        "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
        "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
        "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
        "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
        "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
        "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/Vflooder.A",
          "display_name": "Trojan:Win32/Vflooder.A",
          "target": "/malware/Trojan:Win32/Vflooder.A"
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Flooder",
          "display_name": "Flooder",
          "target": null
        },
        {
          "id": "Trojan.Upatre/Waski",
          "display_name": "Trojan.Upatre/Waski",
          "target": null
        },
        {
          "id": "SLF:Win64/CobPipe",
          "display_name": "SLF:Win64/CobPipe",
          "target": "/malware/SLF:Win64/CobPipe"
        },
        {
          "id": "TrojanDropper:Win32/Muldrop.V!MTB",
          "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
          "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
        },
        {
          "id": "Worm:Win32/AutoRun",
          "display_name": "Worm:Win32/AutoRun",
          "target": "/malware/Worm:Win32/AutoRun"
        },
        {
          "id": "ALF:Program:Win32/Webcompanion",
          "display_name": "ALF:Program:Win32/Webcompanion",
          "target": null
        },
        {
          "id": "Trojan:Win32/Antavmu",
          "display_name": "Trojan:Win32/Antavmu",
          "target": "/malware/Trojan:Win32/Antavmu"
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1212",
          "name": "Exploitation for Credential Access",
          "display_name": "T1212 - Exploitation for Credential Access"
        },
        {
          "id": "T1003.008",
          "name": "/etc/passwd and /etc/shadow",
          "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1122",
          "name": "Component Object Model Hijacking",
          "display_name": "T1122 - Component Object Model Hijacking"
        },
        {
          "id": "T1198",
          "name": "SIP and Trust Provider Hijacking",
          "display_name": "T1198 - SIP and Trust Provider Hijacking"
        },
        {
          "id": "T1460",
          "name": "Biometric Spoofing",
          "display_name": "T1460 - Biometric Spoofing"
        },
        {
          "id": "T1502",
          "name": "Parent PID Spoofing",
          "display_name": "T1502 - Parent PID Spoofing"
        },
        {
          "id": "T1205.001",
          "name": "Port Knocking",
          "display_name": "T1205.001 - Port Knocking"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Healthcare",
        "Government",
        "Civilian Society"
      ],
      "TLP": "white",
      "cloned_from": "66d496e04d8fa0cc8d528941",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 33,
        "CIDR": 9,
        "URL": 221,
        "hostname": 390,
        "FileHash-SHA256": 4343,
        "domain": 177,
        "FileHash-MD5": 2244,
        "FileHash-SHA1": 2244,
        "CVE": 1
      },
      "indicator_count": 9662,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1 day ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c60b402cd173d2b4aed0c6",
      "name": "pastebin",
      "description": "",
      "modified": "2026-04-26T04:18:29.754000",
      "created": "2026-03-27T04:44:48.317000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 49,
        "FileHash-MD5": 30,
        "FileHash-SHA1": 26,
        "FileHash-SHA256": 223,
        "domain": 17,
        "hostname": 2
      },
      "indicator_count": 347,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 183,
      "modified_text": "35 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bc6425a5a36e17f26a46c0",
      "name": "ipify",
      "description": "",
      "modified": "2026-04-18T20:50:15.889000",
      "created": "2026-03-19T21:01:25.784000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 34,
        "FileHash-SHA1": 38,
        "FileHash-SHA256": 251,
        "URL": 38,
        "domain": 4,
        "hostname": 3
      },
      "indicator_count": 368,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 183,
      "modified_text": "42 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b63553f456643631f3e4a4",
      "name": "pastebin",
      "description": "",
      "modified": "2026-04-14T04:40:38.996000",
      "created": "2026-03-15T04:28:03.718000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 202,
        "FileHash-MD5": 55,
        "FileHash-SHA1": 52,
        "FileHash-SHA256": 414,
        "domain": 27,
        "hostname": 15
      },
      "indicator_count": 765,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 184,
      "modified_text": "47 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68a17cdcb0b2304208813be1",
      "name": "check",
      "description": "",
      "modified": "2026-01-10T04:26:04.027000",
      "created": "2025-08-17T06:55:24.949000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 58,
        "FileHash-SHA1": 84,
        "FileHash-SHA256": 326,
        "URL": 114,
        "domain": 3,
        "hostname": 13
      },
      "indicator_count": 598,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 182,
      "modified_text": "141 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6852142c057d96009f4bf277",
      "name": "effects-removal",
      "description": "",
      "modified": "2025-12-30T01:36:58.417000",
      "created": "2025-06-18T01:19:40.701000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 296,
        "FileHash-MD5": 78,
        "FileHash-SHA1": 51,
        "FileHash-SHA256": 165,
        "domain": 128,
        "hostname": 70
      },
      "indicator_count": 788,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 182,
      "modified_text": "152 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6923408464566e39caf32285",
      "name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)",
      "description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00",
      "modified": "2025-12-23T16:04:54.329000",
      "created": "2025-11-23T17:12:36.917000",
      "tags": [
        "no expiration",
        "expiration",
        "url https",
        "url http",
        "filehashsha256",
        "hostname",
        "domain",
        "filehashmd5",
        "filehashsha1",
        "ipv4",
        "code",
        "pool",
        "timothy pool",
        "z3je z3uwq7",
        "creation date",
        "ip address",
        "emails",
        "expiration date",
        "status",
        "hostname add",
        "pulse pulses",
        "passive dns",
        "urls",
        "date"
      ],
      "references": [
        "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba",
        "Examining pulse created by scnrscnr is worth reviewing. I was surprised to see a target\u2019s name. I didn\u2019t see Foundry highlighted",
        "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com",
        "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t  Domain blogspot.com Whitelisted domain blogspot.com\t  Domain techcult.com Whitelisted domain techcult.com\t  Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com",
        "www.techcult.com",
        "http://foundry.tartarynova.com phishing \u2022  https://foundry.tartarynova.com \u2022 foundry.tartarynova.com",
        "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N",
        "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC",
        "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE",
        "truefoundry.com \u2022  assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com",
        "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022  sin.llm-gateway.truefoundry.com",
        "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json",
        "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/",
        "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing",
        "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site",
        "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt",
        "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)",
        "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)",
        "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
        "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less",
        "Yara: Detections ConventionEngine_Term_Users",
        "Yara:  ConventionEngine_Anomaly_MultiPDB_Double ,  ConventionEngine_Term_Documents",
        "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly",
        "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc",
        "Alerts: dynamic_function_loading  injection_write_process reads_memory_remote_process",
        "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name",
        "Yara : MS_Visual_Basic_6_0 ,",
        "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser",
        "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly",
        "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile",
        "Alerts:  mouse_movement_detect",
        "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left",
        "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.",
        "Foundry stalking."
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "TrojanDropper:Win32/VB.IL0",
          "display_name": "TrojanDropper:Win32/VB.IL0",
          "target": "/malware/TrojanDropper:Win32/VB.IL0"
        },
        {
          "id": "ALF:Trojan:Win32/Cassini_56a3061!ibt",
          "display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt",
          "target": null
        },
        {
          "id": "Win.Ransomware.Msilzilla-10014498-0",
          "display_name": "Win.Ransomware.Msilzilla-10014498-0",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1063",
          "name": "Security Software Discovery",
          "display_name": "T1063 - Security Software Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1443",
          "name": "Remotely Install Application",
          "display_name": "T1443 - Remotely Install Application"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 773,
        "FileHash-SHA1": 684,
        "FileHash-SHA256": 1910,
        "CVE": 2,
        "SSLCertFingerprint": 4,
        "URL": 3783,
        "domain": 878,
        "email": 7,
        "hostname": 1913
      },
      "indicator_count": 9954,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 143,
      "modified_text": "158 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "685a3ec8f4cd57fdd6dce0b7",
      "name": "remkos2",
      "description": "",
      "modified": "2025-12-22T00:24:52.539000",
      "created": "2025-06-24T05:59:36.238000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 25,
        "hostname": 70,
        "FileHash-MD5": 47,
        "FileHash-SHA1": 47,
        "FileHash-SHA256": 175,
        "URL": 185
      },
      "indicator_count": 549,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 182,
      "modified_text": "160 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6878fa76ef0fc60c55547527",
      "name": "ipwhois",
      "description": "",
      "modified": "2025-12-19T23:39:48.219000",
      "created": "2025-07-17T13:28:22.909000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 216,
        "FileHash-MD5": 73,
        "FileHash-SHA1": 76,
        "FileHash-SHA256": 395,
        "domain": 23,
        "hostname": 21
      },
      "indicator_count": 804,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 182,
      "modified_text": "162 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "keyauth.win",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "keyauth.win",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780205673.9003608
}