{ "type": "Domain", "indicator": "kolbydanner.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/kolbydanner.com", "alexa": "http://www.alexa.com/siteinfo/kolbydanner.com", "indicator": "kolbydanner.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3461889007, "indicator": "kolbydanner.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 17, "pulses": [ { "id": "69aa41b0d714318bf8937184", "name": "Credit Q.Vashti, Title [.Net Obfuscater] clone", "description": "", "modified": "2026-04-25T07:06:03.966000", "created": "2026-03-06T02:53:36.216000", "tags": [ "no expiration", "domain", "name", "control flow", "dlls", "method parent", "declarative", "ms build", "core", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "dock", "write", "execution", "capture", "endgame", "united", "moved", "ip address", "record value", "gate software", "newnham house", "expiration date", "urls", "url add", "http", "related nids", "files location", "flag united", "present aug", "present sep", "present nov", "present oct", "name servers", "emails", "present dec", "meta", "passive dns", "next associated", "ipv4", "url analysis", "files", "cookie", "subscribe", "unsubscribe", "s paris", "englewood", "state", "skip", "espaol", "summary", "filing history", "ireland", "title", "united states", "certificate", "colorado", "ipv4 add", "america flag", "showing", "pulse submit", "size", "pattern match", "mitre att", "ck id", "path", "hybrid", "general", "local", "iframe", "click", "strings", "cece", "mult", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "sha1", "sha256", "njmk", "kwruymy", "mime", "submitted", "process details", "calls", "apis", "reads", "defense evasion", "model", "getprocaddress", "show technique", "ck matrix", "access type", "value", "api call", "open", "august", "format", "typeof symbol", "typeof s", "typeof c", "function", "symbol", "comenabled", "image path", "ndex", "ndroleextdll", "f0f0f0", "ff4b55", "stop", "span", "show process", "binary file", "file", "network traffic", "encrypt", "date", "found", "ssl certificate", "creation date", "hostname add", "pulse pulses", "files ip", "address domain", "data upload", "extraction", "ge6 mira", "failed", "ascii text", "development att", "hostname", "files domain", "files related", "pulses otx", "pulses", "unknown aaaa", "unknown ns", "united states", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "a domains", "search", "germany unknown", "win32", "lowfi", "chrome", "susp", "trojan", "backdoor", "twitter", "virtool", "worm", "exploit", "trojandropper", "win32upatre dec", "mtb dec", "reverse dns", "body", "location united", "asn as14618", "less whois", "files show", "date hash", "avast avg", "initial access", "javascript", "root", "enterprise", "form", "desktop", "command decode", "suricata ipv4", "spycloud", "robots", "bots", "chatbot", "bot network", "spy", "mixb", "a2fryx", "therahand", "typosquating" ], "references": [ "https://www.red-gate.com/products/smartassembly", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [], "TLP": "green", "cloned_from": "6952d4fc6910b0b866746d8a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 343, "FileHash-SHA256": 1332, "domain": 1062, "hostname": 1969, "URL": 5700, "email": 10, "SSLCertFingerprint": 21, "CVE": 1 }, "indicator_count": 10779, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6958780c8479a9d69920c3d8", "name": "Telnet - Mirai \u2022 Dark Nexus BusyBox iOS Attack", "description": "There\u2019s enough here to cause an outage. I will stop here. Illegal activities to silence victim and block her from financial settlement award for permanent injuries under workers compensation in a premise and healthcare worker assault scenario. Attorneys estimated her case to be above $100 million but knew she\u2019d be tampered with. Mark Montano MD forewarned her but is culpable. Still attacking family of victim.\n[ True- otx auto generated: Adversaries may be able to gain access to a victim's network through a drive-by attack, as well as using a short-term SSL certificate, in order to target the victim.] |||\nPositive:\nT1140 - Deobfuscate/Decode Files or Information\nSuspicious IP Address\n104.21.51.140, 172.67.181.41\nLocation United States ASN\nModif AS13335 cloudflare\nAutomate Nameservers:\nns1.colocrossing.com.", "modified": "2026-02-02T01:02:46.327000", "created": "2026-01-03T01:59:40.530000", "tags": [ "united", "moved", "title", "passive dns", "ipv4 add", "urls", "files", "hosting", "reverse dns", "location united", "hash avast", "avg clamav", "msdefender mar", "read c", "create c", "medium", "search", "memcommit", "high", "checks", "windows", "execution", "dock", "write", "persistence", "capture", "local", "ref b", "wed may", "backdoor", "mtb aug", "next associated", "mtb dec", "twitter", "smoke loader", "malware", "virtool", "hacktool", "data upload", "present dec", "mtb apr", "win32", "trojan", "worm", "lowfi", "cybota", "expiration date", "name servers", "ipv4", "url analysis", "port", "destination", "telnet login", "bad login", "gpl telnet", "suspicious path", "busybox", "tcp syn", "et telnet", "path", "mirai", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "america", "ck id", "name tactics", "suspicious", "informative", "learn", "t1179 hooking", "installs", "t1035 service", "adversaries", "msie", "windows nt", "slcc2", "media center", "y013", "flag", "span", "accept", "core", "february", "hybrid", "malicious", "general", "click", "strings", "roboto", "next", "usa windows", "finished", "queueprogress", "timestamp input", "threat level", "october", "september", "hwp support", "fresh", "win64", "khtml", "gecko", "brand", "microsoft edge", "programfiles", "comspec", "model", "iframe", "form", "listeners", "initial access", "t1590 gather", "victim network", "ssl certificate", "quasi government", "jeffrey reimer", "palantir", "Regis university", "otx hp", "apple", "pegasus", "h5 data center", "florence colorado", "brian sabey", "target : Tsara Brasheaers", "aig", "industry and commerce", "united states", "State of Colorado.", "date", "status", "domain", "hostname add", "pulse pulses", "files ip", "address", "url https", "url http", "hostname", "show", "type indicator", "source hostname", "entries", "Prometheus Intelligence Technology", "pulse submit", "america flag", "body", "dynamicloader", "microsoft azure", "tls issuing", "named pipe", "json", "ascii text", "lredmond", "Apple", "Telnet", "BusyBox", "Pegasus", "Colorado State Fixer: Christopher P. Ahmann", "Hijacker: Brian Sabey", "For: Concentra", "Protecting Assaulter: Jeffrey Reimer", "For: AIG", "For Industry and Commerce", "For: Quasi Government", "For: Workers Compensation", "Authorities", "Law Enforcement Dark", "Silencing", "Tampering with a Victim", "Meta", "Palantir", "Google", "Bing", "Microsoft", "ColoCrossing", "Associates", "hit men" ], "references": [ "ET Telnet | https://www.colocrossing.com | velocity servers", "https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives", "TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host", "Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)", "(legitimate services will remain up-and-running usually) High | ID dead_host", "ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0", "IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login", "Yara Detections is__elf", "Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections is__elf , ELFHighEntropy , elf_empty_sections", "http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/", "https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l", "https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!", "https://www.colocrossing.com/", "(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.", "In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov", "104.21.51.140, 172.67.181.41", "Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot", "stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe", "Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download", "Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration", "IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192", "IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82", "Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com", "This is hard to comprehend or put into indelible words." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "HackTool:MSIL/Boilod.C!bit", "display_name": "HackTool:MSIL/Boilod.C!bit", "target": "/malware/HackTool:MSIL/Boilod.C!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1462", "name": "Malicious Software Development Tools", "display_name": "T1462 - Malicious Software Development Tools" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Technology", "Healthcare", "Insurance", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6390, "domain": 723, "hostname": 1978, "FileHash-SHA256": 1912, "FileHash-MD5": 410, "FileHash-SHA1": 306, "email": 3, "SSLCertFingerprint": 28, "CVE": 3 }, "indicator_count": 11753, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "121 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69544c73467a9c3858556698", "name": "Mira Malware Drive By Compromise Google.com search engine | Microsoft | Apple", "description": "Microsoft Mira Malware Drive By Compromise Google.com.\n Device infected with MyDoom zombie maker. \nEstablished user location, screen captures, corrupted Apple device via Google search engine browser redirect. Attack began 12.30.2025 past midnight. Threat actor powered on cameras, microphones, and preformed their hacker intentions. #stateofcolorado", "modified": "2026-01-29T21:02:54.448000", "created": "2025-12-30T22:04:35.565000", "tags": [ "content", "kb body", "p3p cp", "date tue", "gmt server", "html info", "12.30.2025", "urls", "url add", "http", "ip address", "related nids", "files location", "united", "flag united", "handle", "address range", "cidr", "network name", "allocation type", "assigned pa", "status", "whois server", "ripe ncc", "ripe network", "abuse contact", "orgid", "address", "orgabuseref", "postalcode", "ripe", "email", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "ssl certificate", "execution", "google llc", "ascii text", "mitre att", "hybrid", "general", "local", "path", "click", "strings", "data upload", "extraction", "ta0004", "evasion ta0005", "injection t1055", "t1055", "col ta0011", "l t1071", "encrypted ch", "t1573", "present nov", "present oct", "certificate", "present dec", "aaaa", "search", "servers", "record value", "emails", "title", "leveidiuelabs", "include", "review", "exclude data", "suggested ogs", "find s", "command decode", "development att", "initial access", "t1189 driveby", "html", "execution att", "href", "size", "pattern match", "filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "malware", "trojan", "mira malware", "push", "dynamicloader", "windows nt", "msie", "wow64", "slcc2", "media center", "yara rule", "program", "runtime error", "medium", "python", "win64", "unknown", "guard", "accept", "write", "launcher", "updater", "smartassembly", "delphi", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "copy", "next", "mydoom checkin", "win32mydoom dec", "name servers", "creation date", "passive dns", "domain", "expiration date", "hostname", "date", "google chrome", "screen capture", "locate human", "target", "black hat", "apple", "microsoft", "google", "stateofcolorado", "christopher ahmann", "brian sabey" ], "references": [ "Google.com sorry not sorry index | https://www.google.com/search", "cb=loaded_h_0&sei=7xhUabPOD4LmwN4P57CMuQc 2025", "redirector.gvt1.com", "Names: cb=loaded_h_0&sei=7xhUabPOD4LmwN4P57CMuQc", "microsoft-falcon.net", "hattchett.ddns.net", "Office Open XML Spreadsheet: jnlwore.exe \u2022 Office Open: XML Spreadsheet \u2022 logs.xlsx", "XML: sharedStrings.xml \u2022Text: blacklist-6649dcf91af1d.csv", "https://www.virustotal.com/gui/file/de41f4d690511126ce2b8b5df3c0ffdde792df495ea6bb9fe2fec5f8b175e408/summary", "x-hallmonitor-challenge CgwI-LPQygYQwp6yigISBGuywgs", "https://www.google.com/sorry/index \u2022 http://g.co/p3p...-> g.co", "https://7849f20f.open.convertkit-mail2.com/68une4gx9xi8h50394ziohpe59okkh9hdg44x", "Microsoft Corporation: FileVersion: 1.0.0.155 Microsoft Corporation Legal Trademark: Mira Malware", "Yara Detections SUSP_Imphash_Mar23_2", "https://otx.alienvault.com/indicator/hostname/mx-in-ma.apple.com", "userlocation-prod.ingress.kors.microsoft-falcon.net ->", "\u4e3b\u9875\uff0c\u6574\u4e2a\u4e16\u754c X + < \u2192 C \u2022 hao.360.com/?src=lm&ls=n6abbbb598c ->", "To get future Google Chrome updates, you'll need" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Mira", "display_name": "Trojan:Win32/Mira", "target": "/malware/Trojan:Win32/Mira" }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Mydoom Checkin", "display_name": "Mydoom Checkin", "target": null } ], "attack_ids": [ { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1939, "hostname": 1205, "URL": 3310, "domain": 432, "FileHash-MD5": 396, "CIDR": 3, "email": 16, "FileHash-SHA1": 373, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 7688, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6952d4fc6910b0b866746d8a", "name": ".NET Obfuscator, Error Reporting, DLL Merging | SmartAssembly | Spycloud", "description": "*Mirai | Currently being used maliciously. Mirai botnet work in place. Obfuscation, call redirection, evasion , chatbots, spyware , cal retrieval , typosquating , and other tactics used against victim. Red hats being unethical is expected.. This team is attacking in this instance. Screen Capture 24/7. Malicious media +++ from Englewood, Co. \n\nWhen used ethically SmartAssembly protects your code and Intellectual Property with powerful obfuscation features, and provides error reports when your application crashes in the wild, as well as a range of other tools for database management and data management.\n#palantir #foundry #denver #englewood #colorado #spycloud #mirai #botnet", "modified": "2026-01-28T18:03:54.589000", "created": "2025-12-29T19:22:36.103000", "tags": [ "no expiration", "domain", "name", "control flow", "dlls", "method parent", "declarative", "ms build", "core", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "dock", "write", "execution", "capture", "endgame", "united", "moved", "ip address", "record value", "gate software", "newnham house", "expiration date", "urls", "url add", "http", "related nids", "files location", "flag united", "present aug", "present sep", "present nov", "present oct", "name servers", "emails", "present dec", "meta", "passive dns", "next associated", "ipv4", "url analysis", "files", "cookie", "subscribe", "unsubscribe", "s paris", "englewood", "state", "skip", "espaol", "summary", "filing history", "ireland", "title", "united states", "certificate", "colorado", "ipv4 add", "america flag", "showing", "pulse submit", "size", "pattern match", "mitre att", "ck id", "path", "hybrid", "general", "local", "iframe", "click", "strings", "cece", "mult", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "sha1", "sha256", "njmk", "kwruymy", "mime", "submitted", "process details", "calls", "apis", "reads", "defense evasion", "model", "getprocaddress", "show technique", "ck matrix", "access type", "value", "api call", "open", "august", "format", "typeof symbol", "typeof s", "typeof c", "function", "symbol", "comenabled", "image path", "ndex", "ndroleextdll", "f0f0f0", "ff4b55", "stop", "span", "show process", "binary file", "file", "network traffic", "encrypt", "date", "found", "ssl certificate", "creation date", "hostname add", "pulse pulses", "files ip", "address domain", "data upload", "extraction", "ge6 mira", "failed", "ascii text", "development att", "hostname", "files domain", "files related", "pulses otx", "pulses", "unknown aaaa", "unknown ns", "united states", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "a domains", "search", "germany unknown", "win32", "lowfi", "chrome", "susp", "trojan", "backdoor", "twitter", "virtool", "worm", "exploit", "trojandropper", "win32upatre dec", "mtb dec", "reverse dns", "body", "location united", "asn as14618", "less whois", "files show", "date hash", "avast avg", "initial access", "javascript", "root", "enterprise", "form", "desktop", "command decode", "suricata ipv4", "spycloud", "robots", "bots", "chatbot", "bot network", "spy", "mixb", "a2fryx", "therahand", "typosquating" ], "references": [ "https://www.red-gate.com/products/smartassembly", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 343, "FileHash-SHA256": 1332, "domain": 1062, "hostname": 1967, "URL": 5699, "email": 10, "SSLCertFingerprint": 21, "CVE": 1 }, "indicator_count": 10776, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "125 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692f23547b713b128b9c8156", "name": "Indicator Deletion Attack | Chris P. Ahmann Esq still utilizes parking crews to execute cyber attacks", "description": "Unable to open malware indicators at this time. These attackers use Parking Crews for their exploits, leasing parked domains for the amount of time needed to execute an attack. The attack last predate me ever using Level Blue. I have to review indicators reports more closely but, I do see a the multitude of attacks against target TLB and an intersection of attacks concerning Disable_Duck (Alberta) Chris Ahmann , Colorado government indicated. \n\n[OTX auto populated - Adversaries may use techniques to evade detection in their malware or tools, as well as using techniques such as code signing, encryption, and other techniques for avoiding detection and monitoring of their activities.]", "modified": "2026-01-01T17:01:48.163000", "created": "2025-12-02T17:35:15.203000", "tags": [ "data upload", "extraction", "failed", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "development att", "united", "flag", "poland poland", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "mitre att", "ck matrix", "pattern match", "ascii text", "show process", "network traffic", "t1057", "general", "local", "path", "encrypt", "hosts ip", "details", "ssl certificate", "sha256", "sha1", "size", "unicode text", "crlf", "utf8", "lf line", "server", "command decode", "markmonitor", "amazon", "ltd dba", "com laude", "organization", "click", "show technique", "brand", "microsoft edge", "windows nt", "win64", "khtml", "gecko", "submitted", "prefetch1", "name server", "misc attack", "et tor", "known tor", "relayrouter", "contacted hosts", "google", "pornhub", "ip address", "t1480 execution", "file defense", "passive dns", "related nids", "urls", "files location", "flag united" ], "references": [ "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev", "Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com , etc Exploited", "cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl", "pl.wikipedia.org \u2022 fontawesome.io \u2022 opensource.org \u2022 videojet.com", "https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net", "https://www.milehighmedia.com/legal/2257", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://twitter.com/PORNO_SEXYBABES", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6", "(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs", "http://watchhers.net/index.php", "everesttech.net \u2022 aws.amazon.com \u2022 cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1358, "FileHash-MD5": 100, "FileHash-SHA1": 102, "FileHash-SHA256": 1682, "URL": 2497, "CVE": 2, "domain": 400, "SSLCertFingerprint": 6, "email": 3 }, "indicator_count": 6150, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "153 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c800ef879d19160279c628", "name": "Phishing Campaign", "description": "List of", "modified": "2025-04-04T07:04:28.709000", "created": "2025-03-05T07:44:47.276000", "tags": [ "Phishing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sandnelis", "id": "311058", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 286, "hostname": 86, "FileHash-SHA256": 241, "domain": 437 }, "indicator_count": 1050, "is_author": false, "is_subscribing": null, "subscriber_count": 9, "modified_text": "425 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659f8c2ff1f9c7a3e3605199", "name": "ET MALWARE LokiBot User (Charon/Inferno) Worm:Win32/Benjamin", "description": "https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/\n \nhttps://www.hybrid-analysis.com/sample/3e6f749f6f10dbe471cd14b6441135cdea582f429c523b20d149b335d5b192d2", "modified": "2024-02-10T06:03:44.899000", "created": "2024-01-11T06:35:27.311000", "tags": [ "name verdict", "falcon sandbox", "getprocaddress", "windir", "path", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "pattern match", "win64", "date", "open", "factory", "hybrid", "general", "config" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 3, "FileHash-SHA256": 1371, "hostname": 165, "SSLCertFingerprint": 2, "URL": 653, "domain": 693, "email": 1 }, "indicator_count": 2895, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657098f7a0c84c2c55585e87", "name": "https://login.blockchain.com/?#%2Fverify-email ->", "description": "", "modified": "2023-12-06T15:53:27.118000", "created": "2023-12-06T15:53:27.118000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 279, "FileHash-SHA256": 1027, "hostname": 933, "URL": 2201, "FileHash-MD5": 56, "FileHash-SHA1": 51, "email": 2 }, "indicator_count": 4549, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "910 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657098f2c33d291538754bc7", "name": "https://login.blockchain.com/?#%2Fverify-email ->", "description": "", "modified": "2023-12-06T15:53:22.011000", "created": "2023-12-06T15:53:22.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 279, "FileHash-SHA256": 1027, "hostname": 933, "URL": 2201, "FileHash-MD5": 56, "FileHash-SHA1": 51, "email": 2 }, "indicator_count": 4549, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "910 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656a980f14b5a32303bf865b", "name": "CNC server.telegrafix.com", "description": "", "modified": "2023-12-02T02:35:59.820000", "created": "2023-12-02T02:35:59.820000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65423978ca5e5c9931b586a5", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "914 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656a978cf39ec3cdc99278cc", "name": "RedLine", "description": "", "modified": "2023-12-02T02:33:48.848000", "created": "2023-12-02T02:33:48.848000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65423a941aa6527fbbe40a53", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "914 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6545a281ce7426288033f81e", "name": "CNC server.telegrafix.com", "description": "", "modified": "2023-12-01T10:01:56.921000", "created": "2023-11-04T01:46:41.933000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65423978ca5e5c9931b586a5", "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65423a941aa6527fbbe40a53", "name": "RedLine", "description": "CNC server.telegrafix.com. Brute force passwords using SSH on server RELAY\nTargeted individual, monitoring, hacking, CNC, remoted devices, tracking, malware attack,etc.\n(Auto populated: The last HTTPS certificate was signed by the US government's Department of Homeland Security (DHS), but what exactly is it and what does the certificate actually say?. and how does it look?)", "modified": "2023-12-01T10:01:56.921000", "created": "2023-11-01T11:46:28.418000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65423978ca5e5c9931b586a5", "name": "CNC server.telegrafix.com", "description": "Brute force passwords using SSH on server RELAY\nTargeted individual, adult content, malvertizing, keylogging, monitoring, hacking, CNC, remoted devices, tracking, malware attack,etc.\n(Auto populated: The last HTTPS certificate was signed by the US government's Department of Homeland Security (DHS), but what exactly is it and what does the certificate actually say?. and how does it look?)", "modified": "2023-12-01T10:01:56.921000", "created": "2023-11-01T11:41:44.861000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "915 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "641e0e41b1efe6e622d75902", "name": "https://login.blockchain.com/?#%2Fverify-email ->", "description": "email confirmation link sent for blockchain wallet on iphone", "modified": "2023-04-23T19:00:53.967000", "created": "2023-03-24T20:55:29.514000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "chromeua", "dropped file", "ansi", "optout", "license", "runtime data", "drmedgeua", "localappdata", "edgeua", "optin", "error", "span", "template", "unknown", "class", "window", "legend", "mexico", "hybrid", "suspicious", "general", "malicious", "close", "click", "date", "hosts", "express", "strings", "format", "qakbot" ], "references": [ "https://hybrid-analysis.com/sample/b324856ed3acdd48a6d7583e9ae0f36a110c28e6b1b185c231129dd4f88049af/640f60d8e122e6ac3a0f1d7e", "Full URL from email", "https://login.blockchain.com/?#%2Fverify-email%2FLIhC1RPA4qIlUzBPvep8xn5FkBPW4XQlsbo7MBIxQcqfNxPUykgf2GINwzEeUKYkJMV6FJbewOlqaND96%2BR7de%2Bja2BIbLW6E6ZF2zbr05wOyVqAHx7gtq6Y4bhqFinCB3PIOH%2BlVxnfVwrzIbISyMnp7mdw%2FQU5LKoGTTnPq4v1W1uPN7iQcBlIhnNQ6QwO%3Fcontext%3DSETTINGS'" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2201, "hostname": 933, "domain": 279, "FileHash-SHA256": 1027, "email": 2, "FileHash-MD5": 56, "FileHash-SHA1": 51 }, "indicator_count": 4549, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "1136 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "641e0e3da4fbafac633c0124", "name": "https://login.blockchain.com/?#%2Fverify-email ->", "description": "email confirmation link sent for blockchain wallet on iphone", "modified": "2023-04-23T19:00:53.967000", "created": "2023-03-24T20:55:25.579000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "chromeua", "dropped file", "ansi", "optout", "license", "runtime data", "drmedgeua", "localappdata", "edgeua", "optin", "error", "span", "template", "unknown", "class", "window", "legend", "mexico", "hybrid", "suspicious", "general", "malicious", "close", "click", "date", "hosts", "express", "strings", "format", "qakbot" ], "references": [ "https://hybrid-analysis.com/sample/b324856ed3acdd48a6d7583e9ae0f36a110c28e6b1b185c231129dd4f88049af/640f60d8e122e6ac3a0f1d7e", "Full URL from email", "https://login.blockchain.com/?#%2Fverify-email%2FLIhC1RPA4qIlUzBPvep8xn5FkBPW4XQlsbo7MBIxQcqfNxPUykgf2GINwzEeUKYkJMV6FJbewOlqaND96%2BR7de%2Bja2BIbLW6E6ZF2zbr05wOyVqAHx7gtq6Y4bhqFinCB3PIOH%2BlVxnfVwrzIbISyMnp7mdw%2FQU5LKoGTTnPq4v1W1uPN7iQcBlIhnNQ6QwO%3Fcontext%3DSETTINGS'" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2201, "hostname": 933, "domain": 279, "FileHash-SHA256": 1027, "email": 2, "FileHash-MD5": 56, "FileHash-SHA1": 51 }, "indicator_count": 4549, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1136 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6292301b8d7a09ec691c5a7d", "name": "NewDom-3-20220528", "description": "ICANN-Dom", "modified": "2022-07-12T00:05:58.089000", "created": "2022-05-28T14:22:19.618000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 201, "modified_text": "1422 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "references": [ "https://wallpapers-nature.com/ tsara-brashears/urlscan-io", "Google.com sorry not sorry index | https://www.google.com/search", "https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net", "IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "(legitimate services will remain up-and-running usually) High | ID dead_host", "Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com , etc Exploited", "https://www.colocrossing.com/", "ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "Names: cb=loaded_h_0&sei=7xhUabPOD4LmwN4P57CMuQc", "hattchett.ddns.net", "redirector.gvt1.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://twitter.com/PORNO_SEXYBABES", "\u4e3b\u9875\uff0c\u6574\u4e2a\u4e16\u754c X + < \u2192 C \u2022 hao.360.com/?src=lm&ls=n6abbbb598c ->", "Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)", "ET Telnet | https://www.colocrossing.com | velocity servers", "https://www.google.com/sorry/index \u2022 http://g.co/p3p...-> g.co", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "cb=loaded_h_0&sei=7xhUabPOD4LmwN4P57CMuQc 2025", "http://watchhers.net/index.php", "This is hard to comprehend or put into indelible words.", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives", "In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov", "everesttech.net \u2022 aws.amazon.com \u2022 cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com", "Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration", "To get future Google Chrome updates, you'll need", "cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl", "Yara Detections is__elf", "https://hybrid-analysis.com/sample/b324856ed3acdd48a6d7583e9ae0f36a110c28e6b1b185c231129dd4f88049af/640f60d8e122e6ac3a0f1d7e", "microsoft-falcon.net", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com", "https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!", "stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe", "XML: sharedStrings.xml \u2022Text: blacklist-6649dcf91af1d.csv", "Yara Detections SUSP_Imphash_Mar23_2", "https://www.milehighmedia.com/legal/2257", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192", "userlocation-prod.ingress.kors.microsoft-falcon.net ->", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.", "Office Open XML Spreadsheet: jnlwore.exe \u2022 Office Open: XML Spreadsheet \u2022 logs.xlsx", "pl.wikipedia.org \u2022 fontawesome.io \u2022 opensource.org \u2022 videojet.com", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "x-hallmonitor-challenge CgwI-LPQygYQwp6yigISBGuywgs", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "https://otx.alienvault.com/indicator/hostname/mx-in-ma.apple.com", "https://7849f20f.open.convertkit-mail2.com/68une4gx9xi8h50394ziohpe59okkh9hdg44x", "104.21.51.140, 172.67.181.41", "https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l", "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev", "https://login.blockchain.com/?#%2Fverify-email%2FLIhC1RPA4qIlUzBPvep8xn5FkBPW4XQlsbo7MBIxQcqfNxPUykgf2GINwzEeUKYkJMV6FJbewOlqaND96%2BR7de%2Bja2BIbLW6E6ZF2zbr05wOyVqAHx7gtq6Y4bhqFinCB3PIOH%2BlVxnfVwrzIbISyMnp7mdw%2FQU5LKoGTTnPq4v1W1uPN7iQcBlIhnNQ6QwO%3Fcontext%3DSETTINGS'", "http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/", "https://www.virustotal.com/gui/file/de41f4d690511126ce2b8b5df3c0ffdde792df495ea6bb9fe2fec5f8b175e408/summary", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com", "Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot", "TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host", "Full URL from email", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://www.red-gate.com/products/smartassembly", "Microsoft Corporation: FileVersion: 1.0.0.155 Microsoft Corporation Legal Trademark: Mira Malware", "Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download", "http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6", "(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs", "Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com", "Yara Detections is__elf , ELFHighEntropy , elf_empty_sections" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Unix.trojan.darknexus-7679166-0", "Upatre", "Other malware", "Mydoom checkin", "Redline", "Mirai", "Unix.dropper.mirai-7135870-0", "Hacktool:msil/boilod.c!bit", "Trojan:win32/mira", "Elf:mirai-gh\\ [trj]", "Cve-2023-22518" ], "industries": [ "Healthcare", "Technology", "Insurance", "Civil society" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 17, "pulses": [ { "id": "69aa41b0d714318bf8937184", "name": "Credit Q.Vashti, Title [.Net Obfuscater] clone", "description": "", "modified": "2026-04-25T07:06:03.966000", "created": "2026-03-06T02:53:36.216000", "tags": [ "no expiration", "domain", "name", "control flow", "dlls", "method parent", "declarative", "ms build", "core", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "dock", "write", "execution", "capture", "endgame", "united", "moved", "ip address", "record value", "gate software", "newnham house", "expiration date", "urls", "url add", "http", "related nids", "files location", "flag united", "present aug", "present sep", "present nov", "present oct", "name servers", "emails", "present dec", "meta", "passive dns", "next associated", "ipv4", "url analysis", "files", "cookie", "subscribe", "unsubscribe", "s paris", "englewood", "state", "skip", "espaol", "summary", "filing history", "ireland", "title", "united states", "certificate", "colorado", "ipv4 add", "america flag", "showing", "pulse submit", "size", "pattern match", "mitre att", "ck id", "path", "hybrid", "general", "local", "iframe", "click", "strings", "cece", "mult", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "sha1", "sha256", "njmk", "kwruymy", "mime", "submitted", "process details", "calls", "apis", "reads", "defense evasion", "model", "getprocaddress", "show technique", "ck matrix", "access type", "value", "api call", "open", "august", "format", "typeof symbol", "typeof s", "typeof c", "function", "symbol", "comenabled", "image path", "ndex", "ndroleextdll", "f0f0f0", "ff4b55", "stop", "span", "show process", "binary file", "file", "network traffic", "encrypt", "date", "found", "ssl certificate", "creation date", "hostname add", "pulse pulses", "files ip", "address domain", "data upload", "extraction", "ge6 mira", "failed", "ascii text", "development att", "hostname", "files domain", "files related", "pulses otx", "pulses", "unknown aaaa", "unknown ns", "united states", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "a domains", "search", "germany unknown", "win32", "lowfi", "chrome", "susp", "trojan", "backdoor", "twitter", "virtool", "worm", "exploit", "trojandropper", "win32upatre dec", "mtb dec", "reverse dns", "body", "location united", "asn as14618", "less whois", "files show", "date hash", "avast avg", "initial access", "javascript", "root", "enterprise", "form", "desktop", "command decode", "suricata ipv4", "spycloud", "robots", "bots", "chatbot", "bot network", "spy", "mixb", "a2fryx", "therahand", "typosquating" ], "references": [ "https://www.red-gate.com/products/smartassembly", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [], "TLP": "green", "cloned_from": "6952d4fc6910b0b866746d8a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 343, "FileHash-SHA256": 1332, "domain": 1062, "hostname": 1969, "URL": 5700, "email": 10, "SSLCertFingerprint": 21, "CVE": 1 }, "indicator_count": 10779, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6958780c8479a9d69920c3d8", "name": "Telnet - Mirai \u2022 Dark Nexus BusyBox iOS Attack", "description": "There\u2019s enough here to cause an outage. I will stop here. Illegal activities to silence victim and block her from financial settlement award for permanent injuries under workers compensation in a premise and healthcare worker assault scenario. Attorneys estimated her case to be above $100 million but knew she\u2019d be tampered with. Mark Montano MD forewarned her but is culpable. Still attacking family of victim.\n[ True- otx auto generated: Adversaries may be able to gain access to a victim's network through a drive-by attack, as well as using a short-term SSL certificate, in order to target the victim.] |||\nPositive:\nT1140 - Deobfuscate/Decode Files or Information\nSuspicious IP Address\n104.21.51.140, 172.67.181.41\nLocation United States ASN\nModif AS13335 cloudflare\nAutomate Nameservers:\nns1.colocrossing.com.", "modified": "2026-02-02T01:02:46.327000", "created": "2026-01-03T01:59:40.530000", "tags": [ "united", "moved", "title", "passive dns", "ipv4 add", "urls", "files", "hosting", "reverse dns", "location united", "hash avast", "avg clamav", "msdefender mar", "read c", "create c", "medium", "search", "memcommit", "high", "checks", "windows", "execution", "dock", "write", "persistence", "capture", "local", "ref b", "wed may", "backdoor", "mtb aug", "next associated", "mtb dec", "twitter", "smoke loader", "malware", "virtool", "hacktool", "data upload", "present dec", "mtb apr", "win32", "trojan", "worm", "lowfi", "cybota", "expiration date", "name servers", "ipv4", "url analysis", "port", "destination", "telnet login", "bad login", "gpl telnet", "suspicious path", "busybox", "tcp syn", "et telnet", "path", "mirai", "filehash", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "america", "ck id", "name tactics", "suspicious", "informative", "learn", "t1179 hooking", "installs", "t1035 service", "adversaries", "msie", "windows nt", "slcc2", "media center", "y013", "flag", "span", "accept", "core", "february", "hybrid", "malicious", "general", "click", "strings", "roboto", "next", "usa windows", "finished", "queueprogress", "timestamp input", "threat level", "october", "september", "hwp support", "fresh", "win64", "khtml", "gecko", "brand", "microsoft edge", "programfiles", "comspec", "model", "iframe", "form", "listeners", "initial access", "t1590 gather", "victim network", "ssl certificate", "quasi government", "jeffrey reimer", "palantir", "Regis university", "otx hp", "apple", "pegasus", "h5 data center", "florence colorado", "brian sabey", "target : Tsara Brasheaers", "aig", "industry and commerce", "united states", "State of Colorado.", "date", "status", "domain", "hostname add", "pulse pulses", "files ip", "address", "url https", "url http", "hostname", "show", "type indicator", "source hostname", "entries", "Prometheus Intelligence Technology", "pulse submit", "america flag", "body", "dynamicloader", "microsoft azure", "tls issuing", "named pipe", "json", "ascii text", "lredmond", "Apple", "Telnet", "BusyBox", "Pegasus", "Colorado State Fixer: Christopher P. Ahmann", "Hijacker: Brian Sabey", "For: Concentra", "Protecting Assaulter: Jeffrey Reimer", "For: AIG", "For Industry and Commerce", "For: Quasi Government", "For: Workers Compensation", "Authorities", "Law Enforcement Dark", "Silencing", "Tampering with a Victim", "Meta", "Palantir", "Google", "Bing", "Microsoft", "ColoCrossing", "Associates", "hit men" ], "references": [ "ET Telnet | https://www.colocrossing.com | velocity servers", "https://www.endgamesystems.com/\t This is not a game. This is about people\u2019s lives", "TELNET SUSPICIOUS Path to BusyBox\", TELNET login failed\", is__elf \u007fELF dead_host", "Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)", "(legitimate services will remain up-and-running usually) High | ID dead_host", "ELF:Mirai-GH\\ [Trj] , Unix.Trojan.DarkNexus-7679166-0", "IDS Detections SUSPICIOUS Path to BusyBox TELNET login failed Bad Login", "Yara Detections is__elf", "Alerts dead_host network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections is__elf , ELFHighEntropy , elf_empty_sections", "http://appleid.apple.com.msg206.site/ http://www.icloud.com.msg206.site/ https://appleid.apple.com.msg206.site/", "https://colocrossing.com/ \u2022 https://www.colocrossing.com/colocation\t l", "https://prometheussteakhouse.lupi.delivery/ Thanks! I\u2019m heavy into Picinha. 2 Brazilian roasts please!", "https://www.colocrossing.com/", "(TLI did you do her that dirty?) Why\u2019SCS\u2019? Pure shame on you.", "In all seriousness. The severity of injuries and outcomes 1 victim had is aligned cyber attacks by Q.Gov", "104.21.51.140, 172.67.181.41", "Detections Win.Packed.ImminentMonitorRAT-9892275-0 , HackTool:MSIL/Boilod.C!bit", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot", "stealth_file cape_detected_threat injection_process_hollowing antiav_detectfile injection_runpe", "Alerts: cape_extracted_content infostealer_cookies recon_fingerprint powershell_download", "Alerts: dynamic_function_loading ipc_namedpipe createtoolhelp32snapshot_module_enumeration", "IP\u2019s Contacted: 142.250.147.101 88.221.104.56 13.33.141.29 35.186.249.72 151.101.1.192", "IP\u2019s Contacted 178.249.97.99 178.249.97.98 178.249.97.23 84.53.172.74 88.221.104.82", "Domains Contacted: accounts.google.com chrome.cloudflare-dns.com clients2.googleusercontent.com", "This is hard to comprehend or put into indelible words." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.DarkNexus-7679166-0", "display_name": "Unix.Trojan.DarkNexus-7679166-0", "target": null }, { "id": "HackTool:MSIL/Boilod.C!bit", "display_name": "HackTool:MSIL/Boilod.C!bit", "target": "/malware/HackTool:MSIL/Boilod.C!bit" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1462", "name": "Malicious Software Development Tools", "display_name": "T1462 - Malicious Software Development Tools" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Technology", "Healthcare", "Insurance", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6390, "domain": 723, "hostname": 1978, "FileHash-SHA256": 1912, "FileHash-MD5": 410, "FileHash-SHA1": 306, "email": 3, "SSLCertFingerprint": 28, "CVE": 3 }, "indicator_count": 11753, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "121 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69544c73467a9c3858556698", "name": "Mira Malware Drive By Compromise Google.com search engine | Microsoft | Apple", "description": "Microsoft Mira Malware Drive By Compromise Google.com.\n Device infected with MyDoom zombie maker. \nEstablished user location, screen captures, corrupted Apple device via Google search engine browser redirect. Attack began 12.30.2025 past midnight. Threat actor powered on cameras, microphones, and preformed their hacker intentions. #stateofcolorado", "modified": "2026-01-29T21:02:54.448000", "created": "2025-12-30T22:04:35.565000", "tags": [ "content", "kb body", "p3p cp", "date tue", "gmt server", "html info", "12.30.2025", "urls", "url add", "http", "ip address", "related nids", "files location", "united", "flag united", "handle", "address range", "cidr", "network name", "allocation type", "assigned pa", "status", "whois server", "ripe ncc", "ripe network", "abuse contact", "orgid", "address", "orgabuseref", "postalcode", "ripe", "email", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "ssl certificate", "execution", "google llc", "ascii text", "mitre att", "hybrid", "general", "local", "path", "click", "strings", "data upload", "extraction", "ta0004", "evasion ta0005", "injection t1055", "t1055", "col ta0011", "l t1071", "encrypted ch", "t1573", "present nov", "present oct", "certificate", "present dec", "aaaa", "search", "servers", "record value", "emails", "title", "leveidiuelabs", "include", "review", "exclude data", "suggested ogs", "find s", "command decode", "development att", "initial access", "t1189 driveby", "html", "execution att", "href", "size", "pattern match", "filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "malware", "trojan", "mira malware", "push", "dynamicloader", "windows nt", "msie", "wow64", "slcc2", "media center", "yara rule", "program", "runtime error", "medium", "python", "win64", "unknown", "guard", "accept", "write", "launcher", "updater", "smartassembly", "delphi", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "copy", "next", "mydoom checkin", "win32mydoom dec", "name servers", "creation date", "passive dns", "domain", "expiration date", "hostname", "date", "google chrome", "screen capture", "locate human", "target", "black hat", "apple", "microsoft", "google", "stateofcolorado", "christopher ahmann", "brian sabey" ], "references": [ "Google.com sorry not sorry index | https://www.google.com/search", "cb=loaded_h_0&sei=7xhUabPOD4LmwN4P57CMuQc 2025", "redirector.gvt1.com", "Names: cb=loaded_h_0&sei=7xhUabPOD4LmwN4P57CMuQc", "microsoft-falcon.net", "hattchett.ddns.net", "Office Open XML Spreadsheet: jnlwore.exe \u2022 Office Open: XML Spreadsheet \u2022 logs.xlsx", "XML: sharedStrings.xml \u2022Text: blacklist-6649dcf91af1d.csv", "https://www.virustotal.com/gui/file/de41f4d690511126ce2b8b5df3c0ffdde792df495ea6bb9fe2fec5f8b175e408/summary", "x-hallmonitor-challenge CgwI-LPQygYQwp6yigISBGuywgs", "https://www.google.com/sorry/index \u2022 http://g.co/p3p...-> g.co", "https://7849f20f.open.convertkit-mail2.com/68une4gx9xi8h50394ziohpe59okkh9hdg44x", "Microsoft Corporation: FileVersion: 1.0.0.155 Microsoft Corporation Legal Trademark: Mira Malware", "Yara Detections SUSP_Imphash_Mar23_2", "https://otx.alienvault.com/indicator/hostname/mx-in-ma.apple.com", "userlocation-prod.ingress.kors.microsoft-falcon.net ->", "\u4e3b\u9875\uff0c\u6574\u4e2a\u4e16\u754c X + < \u2192 C \u2022 hao.360.com/?src=lm&ls=n6abbbb598c ->", "To get future Google Chrome updates, you'll need" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Mira", "display_name": "Trojan:Win32/Mira", "target": "/malware/Trojan:Win32/Mira" }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "Mydoom Checkin", "display_name": "Mydoom Checkin", "target": null } ], "attack_ids": [ { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1939, "hostname": 1205, "URL": 3310, "domain": 432, "FileHash-MD5": 396, "CIDR": 3, "email": 16, "FileHash-SHA1": 373, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 7688, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6952d4fc6910b0b866746d8a", "name": ".NET Obfuscator, Error Reporting, DLL Merging | SmartAssembly | Spycloud", "description": "*Mirai | Currently being used maliciously. Mirai botnet work in place. Obfuscation, call redirection, evasion , chatbots, spyware , cal retrieval , typosquating , and other tactics used against victim. Red hats being unethical is expected.. This team is attacking in this instance. Screen Capture 24/7. Malicious media +++ from Englewood, Co. \n\nWhen used ethically SmartAssembly protects your code and Intellectual Property with powerful obfuscation features, and provides error reports when your application crashes in the wild, as well as a range of other tools for database management and data management.\n#palantir #foundry #denver #englewood #colorado #spycloud #mirai #botnet", "modified": "2026-01-28T18:03:54.589000", "created": "2025-12-29T19:22:36.103000", "tags": [ "no expiration", "domain", "name", "control flow", "dlls", "method parent", "declarative", "ms build", "core", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "dock", "write", "execution", "capture", "endgame", "united", "moved", "ip address", "record value", "gate software", "newnham house", "expiration date", "urls", "url add", "http", "related nids", "files location", "flag united", "present aug", "present sep", "present nov", "present oct", "name servers", "emails", "present dec", "meta", "passive dns", "next associated", "ipv4", "url analysis", "files", "cookie", "subscribe", "unsubscribe", "s paris", "englewood", "state", "skip", "espaol", "summary", "filing history", "ireland", "title", "united states", "certificate", "colorado", "ipv4 add", "america flag", "showing", "pulse submit", "size", "pattern match", "mitre att", "ck id", "path", "hybrid", "general", "local", "iframe", "click", "strings", "cece", "mult", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "t1590 gather", "victim network", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "sha1", "sha256", "njmk", "kwruymy", "mime", "submitted", "process details", "calls", "apis", "reads", "defense evasion", "model", "getprocaddress", "show technique", "ck matrix", "access type", "value", "api call", "open", "august", "format", "typeof symbol", "typeof s", "typeof c", "function", "symbol", "comenabled", "image path", "ndex", "ndroleextdll", "f0f0f0", "ff4b55", "stop", "span", "show process", "binary file", "file", "network traffic", "encrypt", "date", "found", "ssl certificate", "creation date", "hostname add", "pulse pulses", "files ip", "address domain", "data upload", "extraction", "ge6 mira", "failed", "ascii text", "development att", "hostname", "files domain", "files related", "pulses otx", "pulses", "unknown aaaa", "unknown ns", "united states", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "a domains", "search", "germany unknown", "win32", "lowfi", "chrome", "susp", "trojan", "backdoor", "twitter", "virtool", "worm", "exploit", "trojandropper", "win32upatre dec", "mtb dec", "reverse dns", "body", "location united", "asn as14618", "less whois", "files show", "date hash", "avast avg", "initial access", "javascript", "root", "enterprise", "form", "desktop", "command decode", "suricata ipv4", "spycloud", "robots", "bots", "chatbot", "bot network", "spy", "mixb", "a2fryx", "therahand", "typosquating" ], "references": [ "https://www.red-gate.com/products/smartassembly", "spycloud.com \u2022 content.spycloud.com \u2022 email.spycloud.com\t hostname\tengage.spycloud.com \u2022 hello.spycloud.com \u2022portal.spycloud.com \u2022 https://email.spycloud", "https://email.spycloud.com/NzEzLVdJUC03MzcAAAGe67eM-W3qxAlVkEvZwfw1dWuwRdm0zVU5aMyOzUe2IkxAY3hDe8RfT27HnjgkvTk-uqIy6K0=", "https://spycloud.com/solutions/\t\u2022 104.18.26.108 ELF:Mirai-GH\\ [Trj] \u2022 Unix.Dropper.Mirai-7135870-0", "dasima-containers.palantirfoundry.com \u2022 blitzrobots.com", "https://blog.endgames.com/ \u2022 wg41xm05b3.endgamesystems.com", "https://www.coloradosos.gov/biz/BusinessEntityDetail.do?quitButtonDestination=BusinessEntityResults&nameTyp=ENT&masterFileId=20221473927&entityId2=20221473927&fileId=20251525819&srchTyp=ENTITY", "www.onyx-ware.com \u2022 http://pages.endgames.com/ \u2022 http://www.endgamesystems.com/", "https://hybrid-analysis.com/sample/9a1e0d38b691f1d22a92cff65ec0439b428170ac39a4493c7ecb06d5585f56a3/68a4adea30f7fafee90aefd3", "Malicious: http://developers.cloudfiare.com/support/troubleshooting/http-status-", "Typosquating: developers.cloudfiare.com \u2022 cloudfiare.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unix.Dropper.Mirai-7135870-0", "display_name": "Unix.Dropper.Mirai-7135870-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 341, "FileHash-SHA1": 343, "FileHash-SHA256": 1332, "domain": 1062, "hostname": 1967, "URL": 5699, "email": 10, "SSLCertFingerprint": 21, "CVE": 1 }, "indicator_count": 10776, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "125 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692f23547b713b128b9c8156", "name": "Indicator Deletion Attack | Chris P. Ahmann Esq still utilizes parking crews to execute cyber attacks", "description": "Unable to open malware indicators at this time. These attackers use Parking Crews for their exploits, leasing parked domains for the amount of time needed to execute an attack. The attack last predate me ever using Level Blue. I have to review indicators reports more closely but, I do see a the multitude of attacks against target TLB and an intersection of attacks concerning Disable_Duck (Alberta) Chris Ahmann , Colorado government indicated. \n\n[OTX auto populated - Adversaries may use techniques to evade detection in their malware or tools, as well as using techniques such as code signing, encryption, and other techniques for avoiding detection and monitoring of their activities.]", "modified": "2026-01-01T17:01:48.163000", "created": "2025-12-02T17:35:15.203000", "tags": [ "data upload", "extraction", "failed", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "development att", "united", "flag", "poland poland", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "mitre att", "ck matrix", "pattern match", "ascii text", "show process", "network traffic", "t1057", "general", "local", "path", "encrypt", "hosts ip", "details", "ssl certificate", "sha256", "sha1", "size", "unicode text", "crlf", "utf8", "lf line", "server", "command decode", "markmonitor", "amazon", "ltd dba", "com laude", "organization", "click", "show technique", "brand", "microsoft edge", "windows nt", "win64", "khtml", "gecko", "submitted", "prefetch1", "name server", "misc attack", "et tor", "known tor", "relayrouter", "contacted hosts", "google", "pornhub", "ip address", "t1480 execution", "file defense", "passive dns", "related nids", "urls", "files location", "flag united" ], "references": [ "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev", "Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com , etc Exploited", "cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl", "pl.wikipedia.org \u2022 fontawesome.io \u2022 opensource.org \u2022 videojet.com", "https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net", "https://www.milehighmedia.com/legal/2257", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://twitter.com/PORNO_SEXYBABES", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6", "(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs", "http://watchhers.net/index.php", "everesttech.net \u2022 aws.amazon.com \u2022 cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1358, "FileHash-MD5": 100, "FileHash-SHA1": 102, "FileHash-SHA256": 1682, "URL": 2497, "CVE": 2, "domain": 400, "SSLCertFingerprint": 6, "email": 3 }, "indicator_count": 6150, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "153 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c800ef879d19160279c628", "name": "Phishing Campaign", "description": "List of", "modified": "2025-04-04T07:04:28.709000", "created": "2025-03-05T07:44:47.276000", "tags": [ "Phishing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sandnelis", "id": "311058", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 286, "hostname": 86, "FileHash-SHA256": 241, "domain": 437 }, "indicator_count": 1050, "is_author": false, "is_subscribing": null, "subscriber_count": 9, "modified_text": "425 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659f8c2ff1f9c7a3e3605199", "name": "ET MALWARE LokiBot User (Charon/Inferno) Worm:Win32/Benjamin", "description": "https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/\n \nhttps://www.hybrid-analysis.com/sample/3e6f749f6f10dbe471cd14b6441135cdea582f429c523b20d149b335d5b192d2", "modified": "2024-02-10T06:03:44.899000", "created": "2024-01-11T06:35:27.311000", "tags": [ "name verdict", "falcon sandbox", "getprocaddress", "windir", "path", "mitre att", "ck id", "show technique", "ck matrix", "indicator", "file", "pattern match", "win64", "date", "open", "factory", "hybrid", "general", "config" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 3, "FileHash-SHA256": 1371, "hostname": 165, "SSLCertFingerprint": 2, "URL": 653, "domain": 693, "email": 1 }, "indicator_count": 2895, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657098f7a0c84c2c55585e87", "name": "https://login.blockchain.com/?#%2Fverify-email ->", "description": "", "modified": "2023-12-06T15:53:27.118000", "created": "2023-12-06T15:53:27.118000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 279, "FileHash-SHA256": 1027, "hostname": 933, "URL": 2201, "FileHash-MD5": 56, "FileHash-SHA1": 51, "email": 2 }, "indicator_count": 4549, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "910 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657098f2c33d291538754bc7", "name": "https://login.blockchain.com/?#%2Fverify-email ->", "description": "", "modified": "2023-12-06T15:53:22.011000", "created": "2023-12-06T15:53:22.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 279, "FileHash-SHA256": 1027, "hostname": 933, "URL": 2201, "FileHash-MD5": 56, "FileHash-SHA1": 51, "email": 2 }, "indicator_count": 4549, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "910 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656a980f14b5a32303bf865b", "name": "CNC server.telegrafix.com", "description": "", "modified": "2023-12-02T02:35:59.820000", "created": "2023-12-02T02:35:59.820000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65423978ca5e5c9931b586a5", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "914 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "kolbydanner.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "kolbydanner.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780507246.7635 }