{ "type": "Domain", "indicator": "kwidly.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/kwidly.com", "alexa": "http://www.alexa.com/siteinfo/kwidly.com", "indicator": "kwidly.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3242072431, "indicator": "kwidly.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 16, "pulses": [ { "id": "6a0e66c722cb06d1d91d9ac0", "name": "Credit scoreblue [OTX.AlienVault.com/LevelBlue in Ebury Botnet]", "description": "", "modified": "2026-05-21T01:58:31.408000", "created": "2026-05-21T01:58:31.408000", "tags": [ "march", "camaro dragon", "cve202322518", "confluence", "impacting azure", "proofpoint", "domains", "excel", "macros", "faile", "hiddentear", "maze", "united", "heur", "html", "malware", "malicious site", "phishing", "mail spammer", "phishing site", "anonymizer", "phishingb64", "exploit", "generic", "phish", "win64", "bashlite", "ransomware", "miner", "blacklist http", "generic malware", "tag count", "malware generic", "wed jun", "analyzer threat", "ip summary", "url summary", "summary", "sample", "first", "maltiverse qrat", "office open", "xml spreadsheet", "xlsx microsoft", "excel microsoft", "xml format", "open packaging", "urls", "com laude", "csc corporate", "cloudflare", "gmbh", "contacted", "markmonitor", "markmonitor inc", "ip detections", "country", "cache entry", "gzip chrome", "text chrome", "files", "file type", "windows", "web open", "font format", "kb xml", "contenttypes", "b xml", "cve20200601", "cve20160189", "referrer", "copy", "switch dns", "query", "amazonaws", "typosquatting", "registrar", "speakez securus", "metro", "asnone united", "n hayden", "rd suite", "purpose p1", "country united", "code us", "name domain", "nexus category", "phone number", "date", "cf2a", "xaax04x00", "high", "createsuspended", "yara detections", "trojan", "ip address", "malware traffic", "nids", "dorkbot", "april", "win32", "unknown", "a poster", "forbidden small", "aaaa", "a h2", "as24940 hetzner", "search", "a nxdomain", "accept", "meta", "install", "config", "next", "calls-wmi", "number", "ja3s", "subject", "secure server", "memory pattern", "azure tls", "issuing ca", "cus subject", "cnamazon rsa", "m03 oamazon", "hashes", "woff chrome", "text", "xml ebury", "cab chrome", "gzip", "user", "data", "datacrashpad", "k dcomlaunch", "embedding", "shell", "programfiles", "samplepath", "process", "created", "shell commands", "tree", "null", "mutexes", "modules", "runtime modules", "algorithm", "suspicious_process", "allocates_rwx", "network_http", "nids_alert", "dumped_buffer", "injection_resumethread", "injection_ntsetcontextthread", "modifies_proxy_wpad", "dead_host", "nids_malware_alert", "injection_runpe", "dumped_buffer2", "network_irc", "injection_write_memory_exe", "nolookup_communication", "injection_modifies_memory", "injection_write_memory", "allocates_execute_remote_process", "persistence_autorun", "injection_createremotethread", "apple", "amazon", "as29791", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "ip lookup", "service ip", "address", "france unknown", "as16276", "germany unknown", "as12876 online", "creation date", "entries", "japan unknown", "body", "domain", "files ip", "location united", "asn as15169", "as15169 google", "as14061", "status", "united kingdom", "name servers", "microsoft", "att" ], "references": [ "Ebury Botnet-19-5-2024.xlsx: FileHash-SHA256 9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e", "https://www.al-dawaa.com/arabic/xefo-injection-8-mg-powder-1-v.html", "api.wipmania.com - Verdict :External IP Lookup Service IP Address: 127.0.0.1", "Ransomware: ransomed.vc, http://www.ransomed.vc, https://www.ransomed.vc", "Apple: emails.redvue.com, apple-dns.net, nr-data.net", "IDS Detections: External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin | Dorkbot GeoIP Lookup to wipmania | Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin", "DNS Resolutions: When executing the file being studied, it performed the following domain name resolutions. accounts.google.com 172.253.125.84", "DNS Resolutions: otx.alienvault.com 108.138.167.23 108.138.167.17 108.138.167.55 108.138.167.82", "Highlighted actions: Calls Highlighted RtlWow64GetCurrentMachine RtlWow64IsWowGuestMachineSupported", "Crowdsourced IDS: rules Matches rule (http_inspect) HTTP Content-Length message body was truncated", "Malware Behavior: Command and Control OB0004 C2 Communication B0030", "Malware Behavior: Communication OC0006 HTTP Communication C0002 WinINet C0005 InternetConnect C0005.001", "https://members.a-poster.info/- Members anonymously bully, post porn, someone's name with malicious titles.", "Ebury Botnet: UnknownStealerRecovered.exe, 20240224105334.pm, rdpwrap.dll ,emails.redvue.com, alt8.gstatic.com. asaawww.gstatic.com", "Ebury Botnet: alt14.gstatic.com,\talt5.gstatic.com, ccd-testing-v4.gstatic.com, checkin.gstatic.com, chromeos-ca.gstatic.com, drive.gstatic.com\tcofr.jquery.com", "Ebury Botnet: eee.gstatic.com, encrypted-tbn0x.gstatic.com, apex.jquery.com,araclar.jquery.com, assets.jquery.com,assetsp.jquery.com", "Ebury Botnet: content.jquery.com, Amvima.com, attachments.jquery.com\t, brand.jquery.com, brandon.jquery.com, calendar.jquery.com", "Ebury Botnet: cdn.jquery.com, code1.jquery.com, code123.jquery.com, code2.jquery.com, codeorigin2.jquery.com, codes.jquery.com", "Ebury Botnet: www.gstatic.com, cdn-cybersecurity.att.com, cdn.amplitude.com, cdn.bizible.com, www.google-analytics.com, www.google.it\t\t encrypted-tbn3.gstatic.com, jquery.com\t\t www.code.jquery.com,\tapi.jquery.com\t,blog.jquery.com, bugs.jquery.com\t,codeorigin.jquery.com\t\t Malware site - Hybrid-Analysis apple-dns.net, www.metrobyt-mobile.com\t\t www.trellian.com, d2tobj9dlmyzd8.cloudfront.net\t\t alt001.www.gstatic.com\t\terror.www.gstatic.com, a.www.gstatic.com\t\t\t sddoodlepups.com\t\t ransomed.vc\tnot found\t\t Data", "Ebury Botnet: CVE-2020-0601, CVE-2018-8174, CVE-2017-8570, CVE-2016-0189, CVE-2023-22518, CVE-2023-4966", "Ebury Botnet: https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Ebury Botnet: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "trojan.boilod.sm, trojan.script.ls, http://trojan.script.ls/, a-poster.info", "https://otx.alienvault.com/indicator/file/f0b09b88d6a4f7ffa7ea912e255537dead276e813d64171a1d8b1e99982ddbd2", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/summary", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/behavior", "I really have no idea what's going on or how safe this platform is." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/DorkBot.DU", "display_name": "Trojan:Win32/DorkBot.DU", "target": "/malware/Trojan:Win32/DorkBot.DU" }, { "id": "Win32:GenMalicious-KAG\\ [Trj]", "display_name": "Win32:GenMalicious-KAG\\ [Trj]", "target": null }, { "id": "Win.Trojan.Agent-1286703", "display_name": "Win.Trojan.Agent-1286703", "target": null }, { "id": "Win32:Renos-CK", "display_name": "Win32:Renos-CK", "target": null }, { "id": "Win32:Delf-IWG\\ [Trj]", "display_name": "Win32:Delf-IWG\\ [Trj]", "target": null }, { "id": "Win32:Dh-A\\ [Heur]", "display_name": "Win32:Dh-A\\ [Heur]", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Downloader.32972-1", "display_name": "Win.Downloader.32972-1", "target": null }, { "id": "Trojan:Win32/Delflob.A.dll", "display_name": "Trojan:Win32/Delflob.A.dll", "target": "/malware/Trojan:Win32/Delflob.A.dll" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "green", "cloned_from": "666eeab2d7cd73b992756b36", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "FileHash-MD5": 636, "FileHash-SHA1": 391, "FileHash-SHA256": 1387, "domain": 1018, "hostname": 574, "URL": 1026, "email": 7 }, "indicator_count": 5046, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e66c68264d46dc1fca629", "name": "Credit scoreblue [OTX.AlienVault.com/LevelBlue in Ebury Botnet]", "description": "", "modified": "2026-05-21T01:58:30.289000", "created": "2026-05-21T01:58:30.289000", "tags": [ "march", "camaro dragon", "cve202322518", "confluence", "impacting azure", "proofpoint", "domains", "excel", "macros", "faile", "hiddentear", "maze", "united", "heur", "html", "malware", "malicious site", "phishing", "mail spammer", "phishing site", "anonymizer", "phishingb64", "exploit", "generic", "phish", "win64", "bashlite", "ransomware", "miner", "blacklist http", "generic malware", "tag count", "malware generic", "wed jun", "analyzer threat", "ip summary", "url summary", "summary", "sample", "first", "maltiverse qrat", "office open", "xml spreadsheet", "xlsx microsoft", "excel microsoft", "xml format", "open packaging", "urls", "com laude", "csc corporate", "cloudflare", "gmbh", "contacted", "markmonitor", "markmonitor inc", "ip detections", "country", "cache entry", "gzip chrome", "text chrome", "files", "file type", "windows", "web open", "font format", "kb xml", "contenttypes", "b xml", "cve20200601", "cve20160189", "referrer", "copy", "switch dns", "query", "amazonaws", "typosquatting", "registrar", "speakez securus", "metro", "asnone united", "n hayden", "rd suite", "purpose p1", "country united", "code us", "name domain", "nexus category", "phone number", "date", "cf2a", "xaax04x00", "high", "createsuspended", "yara detections", "trojan", "ip address", "malware traffic", "nids", "dorkbot", "april", "win32", "unknown", "a poster", "forbidden small", "aaaa", "a h2", "as24940 hetzner", "search", "a nxdomain", "accept", "meta", "install", "config", "next", "calls-wmi", "number", "ja3s", "subject", "secure server", "memory pattern", "azure tls", "issuing ca", "cus subject", "cnamazon rsa", "m03 oamazon", "hashes", "woff chrome", "text", "xml ebury", "cab chrome", "gzip", "user", "data", "datacrashpad", "k dcomlaunch", "embedding", "shell", "programfiles", "samplepath", "process", "created", "shell commands", "tree", "null", "mutexes", "modules", "runtime modules", "algorithm", "suspicious_process", "allocates_rwx", "network_http", "nids_alert", "dumped_buffer", "injection_resumethread", "injection_ntsetcontextthread", "modifies_proxy_wpad", "dead_host", "nids_malware_alert", "injection_runpe", "dumped_buffer2", "network_irc", "injection_write_memory_exe", "nolookup_communication", "injection_modifies_memory", "injection_write_memory", "allocates_execute_remote_process", "persistence_autorun", "injection_createremotethread", "apple", "amazon", "as29791", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "ip lookup", "service ip", "address", "france unknown", "as16276", "germany unknown", "as12876 online", "creation date", "entries", "japan unknown", "body", "domain", "files ip", "location united", "asn as15169", "as15169 google", "as14061", "status", "united kingdom", "name servers", "microsoft", "att" ], "references": [ "Ebury Botnet-19-5-2024.xlsx: FileHash-SHA256 9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e", "https://www.al-dawaa.com/arabic/xefo-injection-8-mg-powder-1-v.html", "api.wipmania.com - Verdict :External IP Lookup Service IP Address: 127.0.0.1", "Ransomware: ransomed.vc, http://www.ransomed.vc, https://www.ransomed.vc", "Apple: emails.redvue.com, apple-dns.net, nr-data.net", "IDS Detections: External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin | Dorkbot GeoIP Lookup to wipmania | Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin", "DNS Resolutions: When executing the file being studied, it performed the following domain name resolutions. accounts.google.com 172.253.125.84", "DNS Resolutions: otx.alienvault.com 108.138.167.23 108.138.167.17 108.138.167.55 108.138.167.82", "Highlighted actions: Calls Highlighted RtlWow64GetCurrentMachine RtlWow64IsWowGuestMachineSupported", "Crowdsourced IDS: rules Matches rule (http_inspect) HTTP Content-Length message body was truncated", "Malware Behavior: Command and Control OB0004 C2 Communication B0030", "Malware Behavior: Communication OC0006 HTTP Communication C0002 WinINet C0005 InternetConnect C0005.001", "https://members.a-poster.info/- Members anonymously bully, post porn, someone's name with malicious titles.", "Ebury Botnet: UnknownStealerRecovered.exe, 20240224105334.pm, rdpwrap.dll ,emails.redvue.com, alt8.gstatic.com. asaawww.gstatic.com", "Ebury Botnet: alt14.gstatic.com,\talt5.gstatic.com, ccd-testing-v4.gstatic.com, checkin.gstatic.com, chromeos-ca.gstatic.com, drive.gstatic.com\tcofr.jquery.com", "Ebury Botnet: eee.gstatic.com, encrypted-tbn0x.gstatic.com, apex.jquery.com,araclar.jquery.com, assets.jquery.com,assetsp.jquery.com", "Ebury Botnet: content.jquery.com, Amvima.com, attachments.jquery.com\t, brand.jquery.com, brandon.jquery.com, calendar.jquery.com", "Ebury Botnet: cdn.jquery.com, code1.jquery.com, code123.jquery.com, code2.jquery.com, codeorigin2.jquery.com, codes.jquery.com", "Ebury Botnet: www.gstatic.com, cdn-cybersecurity.att.com, cdn.amplitude.com, cdn.bizible.com, www.google-analytics.com, www.google.it\t\t encrypted-tbn3.gstatic.com, jquery.com\t\t www.code.jquery.com,\tapi.jquery.com\t,blog.jquery.com, bugs.jquery.com\t,codeorigin.jquery.com\t\t Malware site - Hybrid-Analysis apple-dns.net, www.metrobyt-mobile.com\t\t www.trellian.com, d2tobj9dlmyzd8.cloudfront.net\t\t alt001.www.gstatic.com\t\terror.www.gstatic.com, a.www.gstatic.com\t\t\t sddoodlepups.com\t\t ransomed.vc\tnot found\t\t Data", "Ebury Botnet: CVE-2020-0601, CVE-2018-8174, CVE-2017-8570, CVE-2016-0189, CVE-2023-22518, CVE-2023-4966", "Ebury Botnet: https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Ebury Botnet: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "trojan.boilod.sm, trojan.script.ls, http://trojan.script.ls/, a-poster.info", "https://otx.alienvault.com/indicator/file/f0b09b88d6a4f7ffa7ea912e255537dead276e813d64171a1d8b1e99982ddbd2", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/summary", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/behavior", "I really have no idea what's going on or how safe this platform is." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/DorkBot.DU", "display_name": "Trojan:Win32/DorkBot.DU", "target": "/malware/Trojan:Win32/DorkBot.DU" }, { "id": "Win32:GenMalicious-KAG\\ [Trj]", "display_name": "Win32:GenMalicious-KAG\\ [Trj]", "target": null }, { "id": "Win.Trojan.Agent-1286703", "display_name": "Win.Trojan.Agent-1286703", "target": null }, { "id": "Win32:Renos-CK", "display_name": "Win32:Renos-CK", "target": null }, { "id": "Win32:Delf-IWG\\ [Trj]", "display_name": "Win32:Delf-IWG\\ [Trj]", "target": null }, { "id": "Win32:Dh-A\\ [Heur]", "display_name": "Win32:Dh-A\\ [Heur]", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Downloader.32972-1", "display_name": "Win.Downloader.32972-1", "target": null }, { "id": "Trojan:Win32/Delflob.A.dll", "display_name": "Trojan:Win32/Delflob.A.dll", "target": "/malware/Trojan:Win32/Delflob.A.dll" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "green", "cloned_from": "666eeab2d7cd73b992756b36", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "FileHash-MD5": 636, "FileHash-SHA1": 391, "FileHash-SHA256": 1387, "domain": 1018, "hostname": 574, "URL": 1026, "email": 7 }, "indicator_count": 5046, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "687439c2109c2b61e7afc717", "name": "OTX.AlienVault (2024) in Ebury Botnet-19/5/2024", "description": "", "modified": "2025-07-13T22:57:06.213000", "created": "2025-07-13T22:57:06.213000", "tags": [ "march", "camaro dragon", "cve202322518", "confluence", "impacting azure", "proofpoint", "domains", "excel", "macros", "faile", "hiddentear", "maze", "united", "heur", "html", "malware", "malicious site", "phishing", "mail spammer", "phishing site", "anonymizer", "phishingb64", "exploit", "generic", "phish", "win64", "bashlite", "ransomware", "miner", "blacklist http", "generic malware", "tag count", "malware generic", "wed jun", "analyzer threat", "ip summary", "url summary", "summary", "sample", "first", "maltiverse qrat", "office open", "xml spreadsheet", "xlsx microsoft", "excel microsoft", "xml format", "open packaging", "urls", "com laude", "csc corporate", "cloudflare", "gmbh", "contacted", "markmonitor", "markmonitor inc", "ip detections", "country", "cache entry", "gzip chrome", "text chrome", "files", "file type", "windows", "web open", "font format", "kb xml", "contenttypes", "b xml", "cve20200601", "cve20160189", "referrer", "copy", "switch dns", "query", "amazonaws", "typosquatting", "registrar", "speakez securus", "metro", "asnone united", "n hayden", "rd suite", "purpose p1", "country united", "code us", "name domain", "nexus category", "phone number", "date", "cf2a", "xaax04x00", "high", "createsuspended", "yara detections", "trojan", "ip address", "malware traffic", "nids", "dorkbot", "april", "win32", "unknown", "a poster", "forbidden small", "aaaa", "a h2", "as24940 hetzner", "search", "a nxdomain", "accept", "meta", "install", "config", "next", "calls-wmi", "number", "ja3s", "subject", "secure server", "memory pattern", "azure tls", "issuing ca", "cus subject", "cnamazon rsa", "m03 oamazon", "hashes", "woff chrome", "text", "xml ebury", "cab chrome", "gzip", "user", "data", "datacrashpad", "k dcomlaunch", "embedding", "shell", "programfiles", "samplepath", "process", "created", "shell commands", "tree", "null", "mutexes", "modules", "runtime modules", "algorithm", "suspicious_process", "allocates_rwx", "network_http", "nids_alert", "dumped_buffer", "injection_resumethread", "injection_ntsetcontextthread", "modifies_proxy_wpad", "dead_host", "nids_malware_alert", "injection_runpe", "dumped_buffer2", "network_irc", "injection_write_memory_exe", "nolookup_communication", "injection_modifies_memory", "injection_write_memory", "allocates_execute_remote_process", "persistence_autorun", "injection_createremotethread", "apple", "amazon", "as29791", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "ip lookup", "service ip", "address", "france unknown", "as16276", "germany unknown", "as12876 online", "creation date", "entries", "japan unknown", "body", "domain", "files ip", "location united", "asn as15169", "as15169 google", "as14061", "status", "united kingdom", "name servers", "microsoft", "att" ], "references": [ "Ebury Botnet-19-5-2024.xlsx: FileHash-SHA256 9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e", "https://www.al-dawaa.com/arabic/xefo-injection-8-mg-powder-1-v.html", "api.wipmania.com - Verdict :External IP Lookup Service IP Address: 127.0.0.1", "Ransomware: ransomed.vc, http://www.ransomed.vc, https://www.ransomed.vc", "Apple: emails.redvue.com, apple-dns.net, nr-data.net", "IDS Detections: External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin | Dorkbot GeoIP Lookup to wipmania | Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin", "DNS Resolutions: When executing the file being studied, it performed the following domain name resolutions. accounts.google.com 172.253.125.84", "DNS Resolutions: otx.alienvault.com 108.138.167.23 108.138.167.17 108.138.167.55 108.138.167.82", "Highlighted actions: Calls Highlighted RtlWow64GetCurrentMachine RtlWow64IsWowGuestMachineSupported", "Crowdsourced IDS: rules Matches rule (http_inspect) HTTP Content-Length message body was truncated", "Malware Behavior: Command and Control OB0004 C2 Communication B0030", "Malware Behavior: Communication OC0006 HTTP Communication C0002 WinINet C0005 InternetConnect C0005.001", "https://members.a-poster.info/- Members anonymously bully, post porn, someone's name with malicious titles.", "Ebury Botnet: UnknownStealerRecovered.exe, 20240224105334.pm, rdpwrap.dll ,emails.redvue.com, alt8.gstatic.com. asaawww.gstatic.com", "Ebury Botnet: alt14.gstatic.com,\talt5.gstatic.com, ccd-testing-v4.gstatic.com, checkin.gstatic.com, chromeos-ca.gstatic.com, drive.gstatic.com\tcofr.jquery.com", "Ebury Botnet: eee.gstatic.com, encrypted-tbn0x.gstatic.com, apex.jquery.com,araclar.jquery.com, assets.jquery.com,assetsp.jquery.com", "Ebury Botnet: content.jquery.com, Amvima.com, attachments.jquery.com\t, brand.jquery.com, brandon.jquery.com, calendar.jquery.com", "Ebury Botnet: cdn.jquery.com, code1.jquery.com, code123.jquery.com, code2.jquery.com, codeorigin2.jquery.com, codes.jquery.com", "Ebury Botnet: www.gstatic.com, cdn-cybersecurity.att.com, cdn.amplitude.com, cdn.bizible.com, www.google-analytics.com, www.google.it\t\t encrypted-tbn3.gstatic.com, jquery.com\t\t www.code.jquery.com,\tapi.jquery.com\t,blog.jquery.com, bugs.jquery.com\t,codeorigin.jquery.com\t\t Malware site - Hybrid-Analysis apple-dns.net, www.metrobyt-mobile.com\t\t www.trellian.com, d2tobj9dlmyzd8.cloudfront.net\t\t alt001.www.gstatic.com\t\terror.www.gstatic.com, a.www.gstatic.com\t\t\t sddoodlepups.com\t\t ransomed.vc\tnot found\t\t Data", "Ebury Botnet: CVE-2020-0601, CVE-2018-8174, CVE-2017-8570, CVE-2016-0189, CVE-2023-22518, CVE-2023-4966", "Ebury Botnet: https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Ebury Botnet: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "trojan.boilod.sm, trojan.script.ls, http://trojan.script.ls/, a-poster.info", "https://otx.alienvault.com/indicator/file/f0b09b88d6a4f7ffa7ea912e255537dead276e813d64171a1d8b1e99982ddbd2", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/summary", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/behavior", "I really have no idea what's going on or how safe this platform is." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/DorkBot.DU", "display_name": "Trojan:Win32/DorkBot.DU", "target": "/malware/Trojan:Win32/DorkBot.DU" }, { "id": "Win32:GenMalicious-KAG\\ [Trj]", "display_name": "Win32:GenMalicious-KAG\\ [Trj]", "target": null }, { "id": "Win.Trojan.Agent-1286703", "display_name": "Win.Trojan.Agent-1286703", "target": null }, { "id": "Win32:Renos-CK", "display_name": "Win32:Renos-CK", "target": null }, { "id": "Win32:Delf-IWG\\ [Trj]", "display_name": "Win32:Delf-IWG\\ [Trj]", "target": null }, { "id": "Win32:Dh-A\\ [Heur]", "display_name": "Win32:Dh-A\\ [Heur]", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Downloader.32972-1", "display_name": "Win.Downloader.32972-1", "target": null }, { "id": "Trojan:Win32/Delflob.A.dll", "display_name": "Trojan:Win32/Delflob.A.dll", "target": "/malware/Trojan:Win32/Delflob.A.dll" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "green", "cloned_from": "666eeab2d7cd73b992756b36", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "FileHash-MD5": 636, "FileHash-SHA1": 391, "FileHash-SHA256": 1387, "domain": 1018, "hostname": 574, "URL": 1026, "email": 7 }, "indicator_count": 5046, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "322 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f3e394bcf868816a29c2dc", "name": "Google Pixel 7a Devices - Telus ISP devices 'protected' by Norton", "description": "Exactly as above. I mean, out of all of the phones these ones make phonecalls (most of the time can send & receive calls). Can be a little tricky. Incomplete - it be doing it's own thing downloading/uploading stuff and heading down the 'way all the other phones went' route.", "modified": "2024-11-02T15:05:54.240000", "created": "2024-03-15T05:58:44.839000", "tags": [ "ISP", "Google", "Telus", "Norton", "Pixel" ], "references": [ "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark", "https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark", "https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark", "https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark", "https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "", "https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details", "https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network", "http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Telecommunications", "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1231, "FileHash-SHA1": 1215, "FileHash-SHA256": 99653, "URL": 158638, "domain": 49468, "hostname": 77233, "email": 6, "CIDR": 5450, "CVE": 55 }, "indicator_count": 392949, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "576 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6674e062afd192ab545b1a04", "name": "Lazarus Group", "description": "Everyone? Why Brashears? You are all so brilliant! It's not to surprising. I acted on behalf of target to follow your report. I am not anywhere close to ever being as clever as thee. Are you hiring snoops? This took form in October 2013.\nThen a follower. Next hell week-years. Just because you can. Well toasts yourselves. It must be amazing to be able to live without the fear of consequences, with knowledge that you're probably right. You know the odds or even better, the government pays you to do it!\nI am truly fascinated as well as humbled by your abilities. You made her so very sad. If that's what you need. Really rethink you choices, it's so otherworldly; again making you all so \nbright. She's met some of you, spoken to some of you, shopped alongside, was surveilled, viewed. More popular than the Kardashian on your rogue channels. Now THAT'S Reality TV. Bieber & Tori Kelley got her song chops, Sony was hacked. Okay. I'm so impressed, Hire me.\n\nsmph. I don't get it. No one does. \nAll tags auto generated.", "modified": "2024-09-05T06:06:53.933000", "created": "2024-06-21T02:07:30.790000", "tags": [ "scripts", "redline stealer", "lazarus", "core", "no problems", "html internet", "html document", "ascii text", "language", "merkd1904", "code", "c++" ], "references": [], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "204.79.197.200", "display_name": "204.79.197.200", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6840, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 50, "FileHash-SHA1": 43, "FileHash-SHA256": 850, "URL": 949, "domain": 141, "hostname": 410 }, "indicator_count": 2445, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "634 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "666eeab2d7cd73b992756b36", "name": "OTX.AlienVault.com/LevelBlue in Ebury Botnet-19-5-2024.xlsx", "description": "Ebury Botnet-19-5-2024.xlsx. is affected by and impacting OTX.AlienVault.com-LevelBlue/Labs users. Based on limited information found online, Ebury is an OpenSSH backdoor and credential stealer. It is used to deploy additional malware. Based on online reports; in mid -May 2024 in was found that Ebury targeted/infected ISP's and up to 400,000 Linux, FreeBSD, and OpenBSD servers. Gains remote access, steals cryptocurrency wallets, credentials, and credit card details and much more I don't know about.", "modified": "2024-07-16T11:02:32.735000", "created": "2024-06-16T13:37:54.283000", "tags": [ "march", "camaro dragon", "cve202322518", "confluence", "impacting azure", "proofpoint", "domains", "excel", "macros", "faile", "hiddentear", "maze", "united", "heur", "html", "malware", "malicious site", "phishing", "mail spammer", "phishing site", "anonymizer", "phishingb64", "exploit", "generic", "phish", "win64", "bashlite", "ransomware", "miner", "blacklist http", "generic malware", "tag count", "malware generic", "wed jun", "analyzer threat", "ip summary", "url summary", "summary", "sample", "first", "maltiverse qrat", "office open", "xml spreadsheet", "xlsx microsoft", "excel microsoft", "xml format", "open packaging", "urls", "com laude", "csc corporate", "cloudflare", "gmbh", "contacted", "markmonitor", "markmonitor inc", "ip detections", "country", "cache entry", "gzip chrome", "text chrome", "files", "file type", "windows", "web open", "font format", "kb xml", "contenttypes", "b xml", "cve20200601", "cve20160189", "referrer", "copy", "switch dns", "query", "amazonaws", "typosquatting", "registrar", "speakez securus", "metro", "asnone united", "n hayden", "rd suite", "purpose p1", "country united", "code us", "name domain", "nexus category", "phone number", "date", "cf2a", "xaax04x00", "high", "createsuspended", "yara detections", "trojan", "ip address", "malware traffic", "nids", "dorkbot", "april", "win32", "unknown", "a poster", "forbidden small", "aaaa", "a h2", "as24940 hetzner", "search", "a nxdomain", "accept", "meta", "install", "config", "next", "calls-wmi", "number", "ja3s", "subject", "secure server", "memory pattern", "azure tls", "issuing ca", "cus subject", "cnamazon rsa", "m03 oamazon", "hashes", "woff chrome", "text", "xml ebury", "cab chrome", "gzip", "user", "data", "datacrashpad", "k dcomlaunch", "embedding", "shell", "programfiles", "samplepath", "process", "created", "shell commands", "tree", "null", "mutexes", "modules", "runtime modules", "algorithm", "suspicious_process", "allocates_rwx", "network_http", "nids_alert", "dumped_buffer", "injection_resumethread", "injection_ntsetcontextthread", "modifies_proxy_wpad", "dead_host", "nids_malware_alert", "injection_runpe", "dumped_buffer2", "network_irc", "injection_write_memory_exe", "nolookup_communication", "injection_modifies_memory", "injection_write_memory", "allocates_execute_remote_process", "persistence_autorun", "injection_createremotethread", "apple", "amazon", "as29791", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "ip lookup", "service ip", "address", "france unknown", "as16276", "germany unknown", "as12876 online", "creation date", "entries", "japan unknown", "body", "domain", "files ip", "location united", "asn as15169", "as15169 google", "as14061", "status", "united kingdom", "name servers", "microsoft", "att" ], "references": [ "Ebury Botnet-19-5-2024.xlsx: FileHash-SHA256 9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e", "https://www.al-dawaa.com/arabic/xefo-injection-8-mg-powder-1-v.html", "api.wipmania.com - Verdict :External IP Lookup Service IP Address: 127.0.0.1", "Ransomware: ransomed.vc, http://www.ransomed.vc, https://www.ransomed.vc", "Apple: emails.redvue.com, apple-dns.net, nr-data.net", "IDS Detections: External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin | Dorkbot GeoIP Lookup to wipmania | Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin", "DNS Resolutions: When executing the file being studied, it performed the following domain name resolutions. accounts.google.com 172.253.125.84", "DNS Resolutions: otx.alienvault.com 108.138.167.23 108.138.167.17 108.138.167.55 108.138.167.82", "Highlighted actions: Calls Highlighted RtlWow64GetCurrentMachine RtlWow64IsWowGuestMachineSupported", "Crowdsourced IDS: rules Matches rule (http_inspect) HTTP Content-Length message body was truncated", "Malware Behavior: Command and Control OB0004 C2 Communication B0030", "Malware Behavior: Communication OC0006 HTTP Communication C0002 WinINet C0005 InternetConnect C0005.001", "https://members.a-poster.info/- Members anonymously bully, post porn, someone's name with malicious titles.", "Ebury Botnet: UnknownStealerRecovered.exe, 20240224105334.pm, rdpwrap.dll ,emails.redvue.com, alt8.gstatic.com. asaawww.gstatic.com", "Ebury Botnet: alt14.gstatic.com,\talt5.gstatic.com, ccd-testing-v4.gstatic.com, checkin.gstatic.com, chromeos-ca.gstatic.com, drive.gstatic.com\tcofr.jquery.com", "Ebury Botnet: eee.gstatic.com, encrypted-tbn0x.gstatic.com, apex.jquery.com,araclar.jquery.com, assets.jquery.com,assetsp.jquery.com", "Ebury Botnet: content.jquery.com, Amvima.com, attachments.jquery.com\t, brand.jquery.com, brandon.jquery.com, calendar.jquery.com", "Ebury Botnet: cdn.jquery.com, code1.jquery.com, code123.jquery.com, code2.jquery.com, codeorigin2.jquery.com, codes.jquery.com", "Ebury Botnet: www.gstatic.com, cdn-cybersecurity.att.com, cdn.amplitude.com, cdn.bizible.com, www.google-analytics.com, www.google.it\t\t encrypted-tbn3.gstatic.com, jquery.com\t\t www.code.jquery.com,\tapi.jquery.com\t,blog.jquery.com, bugs.jquery.com\t,codeorigin.jquery.com\t\t Malware site - Hybrid-Analysis apple-dns.net, www.metrobyt-mobile.com\t\t www.trellian.com, d2tobj9dlmyzd8.cloudfront.net\t\t alt001.www.gstatic.com\t\terror.www.gstatic.com, a.www.gstatic.com\t\t\t sddoodlepups.com\t\t ransomed.vc\tnot found\t\t Data", "Ebury Botnet: CVE-2020-0601, CVE-2018-8174, CVE-2017-8570, CVE-2016-0189, CVE-2023-22518, CVE-2023-4966", "Ebury Botnet: https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Ebury Botnet: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "trojan.boilod.sm, trojan.script.ls, http://trojan.script.ls/, a-poster.info", "https://otx.alienvault.com/indicator/file/f0b09b88d6a4f7ffa7ea912e255537dead276e813d64171a1d8b1e99982ddbd2", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/summary", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/behavior", "I really have no idea what's going on or how safe this platform is." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/DorkBot.DU", "display_name": "Trojan:Win32/DorkBot.DU", "target": "/malware/Trojan:Win32/DorkBot.DU" }, { "id": "Win32:GenMalicious-KAG\\ [Trj]", "display_name": "Win32:GenMalicious-KAG\\ [Trj]", "target": null }, { "id": "Win.Trojan.Agent-1286703", "display_name": "Win.Trojan.Agent-1286703", "target": null }, { "id": "Win32:Renos-CK", "display_name": "Win32:Renos-CK", "target": null }, { "id": "Win32:Delf-IWG\\ [Trj]", "display_name": "Win32:Delf-IWG\\ [Trj]", "target": null }, { "id": "Win32:Dh-A\\ [Heur]", "display_name": "Win32:Dh-A\\ [Heur]", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Downloader.32972-1", "display_name": "Win.Downloader.32972-1", "target": null }, { "id": "Trojan:Win32/Delflob.A.dll", "display_name": "Trojan:Win32/Delflob.A.dll", "target": "/malware/Trojan:Win32/Delflob.A.dll" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "FileHash-MD5": 636, "FileHash-SHA1": 391, "FileHash-SHA256": 1387, "domain": 1018, "hostname": 574, "URL": 1026, "email": 7 }, "indicator_count": 5046, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "685 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e9b2408fd9557692402b03", "name": "Why are OTX pulses modified and by whom when it's not the user?", "description": "There are several OTC accounts that are experiencing unauthorized logins. Users have a common theme, keen awareness, learning from experiences, Apple , state, gov personal accounts of being hacked, have personal network/router , phone or relatives and.or associated (civil society) experiencing cyber attacks.Indicators are being removed at record pace. Some pulses have been deleted altogether. Threat actors are logging in as user by exploiting or creating a vulnerability on user device or login. From what I've learned , there is a history on user device. I hope I'm still allowed to use platform after this. I noticed some accounts were submitting and modifying 24/7. A user in a TH group forum discussed bulk deletion, non-public modified and deleted Pulses.", "modified": "2024-04-06T11:00:59.869000", "created": "2024-03-07T12:25:36.098000", "tags": [ "referrer", "execution", "dropped", "apple ios", "contacted", "partru", "sneaky server", "replacement", "unauthorized", "emotet", "submission", "alienvault", "open threat", "learn", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "google tag", "gtmkvjvztk", "anchor hrefs", "urls", "domains", "registrar", "ltd dba", "com laude", "markmonitor", "ip detections", "country", "graph", "hashes cape", "sandbox", "zenbox", "files c", "filesgoogle c", "written c", "extensions", "process", "created", "processes tree", "hour ago", "scan endpoints", "all scoreblue", "report spam", "modified", "scan", "iocs", "learn more", "hostname", "filehashsha256", "next", "url https", "url http", "adriana1984 mar", "role title", "added active", "related pulses", "entries", "united", "asnone united", "aaaa", "simple secure", "passive dns", "search", "showing", "class", "status", "creation date", "servers", "name servers", "date", "title error", "body", "files ip", "address", "location united", "asn asnone", "nameservers", "unknown", "ddos", "ipv4", "pulse submit", "url analysis" ], "references": [ "David Bombal & Cisco Discuss: https://m.soundcloud.com/davidbombal/455-why-hack-in-when-you-can-just-log-in (not an exploit as far as I know. I watched it on YT)", "b7f8599765659c19eafe733a51daf8ffd1dde24bedf876c1aba7bd7f2dbf9aa2 | www.akabomedia.co.uk", "Insecure headers found in search histories: games.com, microsoft.com, adrianafiore1984@gmail.com , secure.login.gov, static.secure.login.gov", "https://secure.login.gov/events/disavow?disavowal_token=Bxut7GJU9magrrk282lmt62q0KM4iP6R9mOGNH7yz9k", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js", "https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr", "Unsure of connection to issues: http://www.login.gov/es/help | http://www.login.gov/es/help\\u003c | http://www.microsoft.com/lin... |", "http://www.microsoft.com/link | https://www.login.gov/contact | https://www.login.gov/contact/ | https://www.login.gov/es/contact", "https://www.login.gov/help& | https://www.login.gov/help/ | https://www.login.gov/help/__", "login.gov | uscis.gov | usertesting.com | www.epic | www.login.gov | www.microsoft.com | http://games.com/activate http://microsoft.com/link", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password decoder)", "https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://secure.login.gov/users/password/edit?request_id=7ea7896d-dfb0-40c6-b75b-5fbfab101cb8", "https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr", "server-18-161-6-16.hio52.r.cloudfront.net", "http://www.w3.org/TR/html4/loose.dtd | 128.30.52.37 | www.w3.org (definite issues)", "http://quantum.emsbk.com/ | deadmin.kaisa.sbs | kaisa.sbs", "Group commentators discussed profile link changed. Also,when some users utilize 'Suggested IoC's' , bulk IoC's' are deleted before able to be included", "Noticed a few users have multiple accounts w/same name, different followers, different follower count. Love this tool. Have questions about potential attacks", "A few haven't logged in in months or sometimes longer (life) notice pulses modified, missing or can't log in.", "Email issue, virustotal also affected. Some having different IP's, different language, an American user VT ; telemetry content, strings, old browsers. Total menu change", "Phishing: http://search.searchffr.com/?source=bing-bb9&uid=9a283646-64de-4df2-84b5-9951528bd4ed&uc=20180405&ap=appfocus63&i_id=recipes__1.30" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1555.005", "name": "Password Managers", "display_name": "T1555.005 - Password Managers" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1162", "name": "Login Item", "display_name": "T1162 - Login Item" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 260, "FileHash-SHA1": 196, "FileHash-SHA256": 1855, "URL": 1204, "domain": 225, "hostname": 466, "CVE": 2, "email": 3 }, "indicator_count": 4211, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65eada25525805ad74c32b54", "name": "(Cloned from OTX user) OTX pulses modified and deleted by ???", "description": "", "modified": "2024-04-06T11:00:59.869000", "created": "2024-03-08T09:28:05.923000", "tags": [ "referrer", "execution", "dropped", "apple ios", "contacted", "partru", "sneaky server", "replacement", "unauthorized", "emotet", "submission", "alienvault", "open threat", "learn", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "google tag", "gtmkvjvztk", "anchor hrefs", "urls", "domains", "registrar", "ltd dba", "com laude", "markmonitor", "ip detections", "country", "graph", "hashes cape", "sandbox", "zenbox", "files c", "filesgoogle c", "written c", "extensions", "process", "created", "processes tree", "hour ago", "scan endpoints", "all scoreblue", "report spam", "modified", "scan", "iocs", "learn more", "hostname", "filehashsha256", "next", "url https", "url http", "adriana1984 mar", "role title", "added active", "related pulses", "entries", "united", "asnone united", "aaaa", "simple secure", "passive dns", "search", "showing", "class", "status", "creation date", "servers", "name servers", "date", "title error", "body", "files ip", "address", "location united", "asn asnone", "nameservers", "unknown", "ddos", "ipv4", "pulse submit", "url analysis" ], "references": [ "David Bombal & Cisco Discuss: https://m.soundcloud.com/davidbombal/455-why-hack-in-when-you-can-just-log-in (not an exploit as far as I know. I watched it on YT)", "b7f8599765659c19eafe733a51daf8ffd1dde24bedf876c1aba7bd7f2dbf9aa2 | www.akabomedia.co.uk", "Insecure headers found in search histories: games.com, microsoft.com, adrianafiore1984@gmail.com , secure.login.gov, static.secure.login.gov", "https://secure.login.gov/events/disavow?disavowal_token=Bxut7GJU9magrrk282lmt62q0KM4iP6R9mOGNH7yz9k", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js", "https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr", "Unsure of connection to issues: http://www.login.gov/es/help | http://www.login.gov/es/help\\u003c | http://www.microsoft.com/lin... |", "http://www.microsoft.com/link | https://www.login.gov/contact | https://www.login.gov/contact/ | https://www.login.gov/es/contact", "https://www.login.gov/help& | https://www.login.gov/help/ | https://www.login.gov/help/__", "login.gov | uscis.gov | usertesting.com | www.epic | www.login.gov | www.microsoft.com | http://games.com/activate http://microsoft.com/link", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password decoder)", "https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://secure.login.gov/users/password/edit?request_id=7ea7896d-dfb0-40c6-b75b-5fbfab101cb8", "https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr", "server-18-161-6-16.hio52.r.cloudfront.net", "http://www.w3.org/TR/html4/loose.dtd | 128.30.52.37 | www.w3.org (definite issues)", "http://quantum.emsbk.com/ | deadmin.kaisa.sbs | kaisa.sbs", "Group commentators discussed profile link changed. Also,when some users utilize 'Suggested IoC's' , bulk IoC's' are deleted before able to be included", "Noticed a few users have multiple accounts w/same name, different followers, different follower count. Love this tool. Have questions about potential attacks", "A few haven't logged in in months or sometimes longer (life) notice pulses modified, missing or can't log in.", "Email issue, virustotal also affected. Some having different IP's, different language, an American user VT ; telemetry content, strings, old browsers. Total menu change", "Phishing: http://search.searchffr.com/?source=bing-bb9&uid=9a283646-64de-4df2-84b5-9951528bd4ed&uc=20180405&ap=appfocus63&i_id=recipes__1.30" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1555.005", "name": "Password Managers", "display_name": "T1555.005 - Password Managers" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1162", "name": "Login Item", "display_name": "T1162 - Login Item" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "65e9b2408fd9557692402b03", "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 260, "FileHash-SHA1": 196, "FileHash-SHA256": 1855, "URL": 1204, "domain": 225, "hostname": 466, "CVE": 2, "email": 3 }, "indicator_count": 4211, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d85bc3164cd519bc4a282d", "name": "Win32:RansomX-gen\\ [Ransom] \u2022 Win32:MalwareX-gen\\ [Trj]", "description": "https://otx.alienvault.com/indicator/ doesn't finish loading. Unable to analyze detections.\nnetwork_icmp\nallocates_rwx\npacker_entropy\nhas_pdb\npe_unknown_resource_name\nsysinternals_tools_usage\nallocates_rwx\nsuspicious_process", "modified": "2024-03-24T08:04:17.098000", "created": "2024-02-23T08:48:03.696000", "tags": [ "united", "command decode", "segoe ui", "emoji", "meta", "script", "alienvault", "open threat", "exchange", "learn", "date", "roboto", "path", "iframe", "body", "virustotal", "february", "hybrid", "general", "click", "strings", "span", "contact", "ssl certificate", "whois record", "threat roundup", "june", "october", "pe resource", "september", "referrer", "historical ssl", "march", "august", "formbook", "suspicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 151, "FileHash-SHA1": 151, "FileHash-SHA256": 2254, "domain": 693, "hostname": 974, "URL": 3461, "CVE": 1 }, "indicator_count": 7685, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "799 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d8c371cc0957afd9195ae0", "name": ":MalwareX-gen\\ [Trj]", "description": "", "modified": "2024-03-24T08:04:17.098000", "created": "2024-02-23T16:10:26", "tags": [ "united", "command decode", "segoe ui", "emoji", "meta", "script", "alienvault", "open threat", "exchange", "learn", "date", "roboto", "path", "iframe", "body", "virustotal", "february", "hybrid", "general", "click", "strings", "span", "contact", "ssl certificate", "whois record", "threat roundup", "june", "october", "pe resource", "september", "referrer", "historical ssl", "march", "august", "formbook", "suspicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": "65d85bc3164cd519bc4a282d", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Enqrypted", "id": "272105", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_272105/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 151, "FileHash-SHA1": 151, "FileHash-SHA256": 2254, "domain": 693, "hostname": 974, "URL": 3461, "CVE": 1 }, "indicator_count": 7685, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "799 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65cb4768b06f4da2fba5959b", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:44.270000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "809 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65cb476d0566c2d07e474df5", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:49.140000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "809 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65cb476d935dd560b4a3e938", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:49.380000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "809 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65cb4772c3d3ad1f7accc98a", "name": "Ryuk Ransomware - workers.dev | https://house.mo.gov", "description": "Ryuk is ransomware version attributed to the hacker group WIZARD SPIDER that has compromised governments, academia, healthcare, manufacturing, and technology organizations.\n\nInterestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means \u201cgift of god.\u201d It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.", "modified": "2024-03-14T09:04:37.097000", "created": "2024-02-13T10:41:53.179000", "tags": [ "contacted", "ssl certificate", "contacted urls", "whois record", "whois whois", "relacionada", "execution", "p2404", "kgs0", "kls0", "lockbit", "lolkek", "emotet", "phishing", "ursnif", "malware", "core", "ryuk ransomware", "qakbot", "makop", "hacktool", "chaos", "ransomexx", "temp", "localappdata", "pattern match", "ascii text", "json data", "united", "indicator", "prefetch8", "observed email", "unicode text", "date", "hybrid", "win64", "general", "click", "strings", "tsara brashears", "suspicious", "falcon", "name verdict", "reinsurance", "scan endpoints", "all octoseek", "domain", "pulse pulses", "passive dns", "urls", "files", "ip address", "location united", "asn as13335", "title", "gmt server", "user agent", "443 ma2592000", "hostname", "encrypt", "script urls", "t matrix", "dch v", "meta", "trang ch", "body", "status", "search", "creation date", "record value", "domain name", "litespeed", "certificate", "speed", "next", "unknown", "ipv4", "reverse dns", "name servers", "expiration date", "showing", "pulse submit", "gandi sas", "moved", "emails", "servers", "error", "russia unknown", "as31483", "as12768", "as30943", "united kingdom", "as208722 yandex", "cname", "spyware", "tracking", "login" ], "references": [ "workers.dev [extraction \u2022 GET request attack]", "ddos.dnsnb8.net [command_and_control]", "www.supernetforme.com [command_and_control]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "CVE: CVE-2023-23397", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://twitter.com/PORNO_SEXYBABES", "sex-ukraine.net", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "nexus.b2btest.ertelecom.ru", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "http://micrologin.ogspy.net/track/dhl-information-contact.html" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Makop", "display_name": "Makop", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk Ransomware", "display_name": "Ryuk Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 127, "FileHash-SHA1": 125, "FileHash-SHA256": 4862, "hostname": 3571, "URL": 10597, "CVE": 3, "domain": 3169, "email": 7 }, "indicator_count": 22461, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "809 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708172b5b5810d62645bfe", "name": "http://adwcleaner.malwarebytes.com/ and cloudfront hosts", "description": "", "modified": "2023-12-06T14:13:06.127000", "created": "2023-12-06T14:13:06.127000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 516, "FileHash-SHA256": 340, "URL": 713, "email": 3, "domain": 356, "FileHash-MD5": 119, "FileHash-SHA1": 59, "SSLCertFingerprint": 4 }, "indicator_count": 2110, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "622c42836d7c741d4156fc83", "name": "http://adwcleaner.malwarebytes.com/ and cloudfront hosts", "description": "T1553", "modified": "2022-04-11T00:04:29.819000", "created": "2022-03-12T06:49:39.036000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "memoryfile scan", "ansi", "unicode", "tcomparer", "tlist", "tarray", "path", "icomparer", "tcomparison", "tenumerator", "suspicious", "date", "delphi", "error", "hybrid", "close", "click", "hosts", "stack", "win32", "malicious", "general", "pecompact", "strings", "code", "data", "decrypted ssl", "threat level", "windows nt", "pcap", "pcap processing", "sha256", "report domain", "accept", "core", "false", "local", "mozilla" ], "references": [ "https://hybrid-analysis.com/sample/ac15b6c5ede04e496b08523bf7deac3694dc3cd34474a9d4e57e23255f56b647/6222a011962dca32330a5c2d", "https://hybrid-analysis.com/sample/246eb0388eff22439e0b48cd3d5ffa8c434559c52638ed166d8b96b2b8fea7ac/61f4919bf315615dd65ca107" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 516, "URL": 713, "FileHash-SHA256": 340, "domain": 356, "FileHash-MD5": 119, "FileHash-SHA1": 59, "email": 3, "SSLCertFingerprint": 4 }, "indicator_count": 2110, "is_author": false, "is_subscribing": null, "subscriber_count": 395, "modified_text": "1512 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark", "Ebury Botnet: UnknownStealerRecovered.exe, 20240224105334.pm, rdpwrap.dll ,emails.redvue.com, alt8.gstatic.com. asaawww.gstatic.com", "sex-ukraine.net", "Ebury Botnet: alt14.gstatic.com,\talt5.gstatic.com, ccd-testing-v4.gstatic.com, checkin.gstatic.com, chromeos-ca.gstatic.com, drive.gstatic.com\tcofr.jquery.com", "Ebury Botnet: eee.gstatic.com, encrypted-tbn0x.gstatic.com, apex.jquery.com,araclar.jquery.com, assets.jquery.com,assetsp.jquery.com", "Ransomware: ransomed.vc, http://www.ransomed.vc, https://www.ransomed.vc", "http://micrologin.ogspy.net/track/dhl-information-contact.html", "https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details", "Ebury Botnet: CVE-2020-0601, CVE-2018-8174, CVE-2017-8570, CVE-2016-0189, CVE-2023-22518, CVE-2023-4966", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password decoder)", "IDS Detections: External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)", "trojan.boilod.sm, trojan.script.ls, http://trojan.script.ls/, a-poster.info", "https://secure.login.gov/events/disavow?disavowal_token=Bxut7GJU9magrrk282lmt62q0KM4iP6R9mOGNH7yz9k", "Email issue, virustotal also affected. Some having different IP's, different language, an American user VT ; telemetry content, strings, old browsers. Total menu change", "https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark", "Apple: emails.redvue.com, apple-dns.net, nr-data.net", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary", "Phishing: http://search.searchffr.com/?source=bing-bb9&uid=9a283646-64de-4df2-84b5-9951528bd4ed&uc=20180405&ap=appfocus63&i_id=recipes__1.30", "Malware Behavior: Communication OC0006 HTTP Communication C0002 WinINet C0005 InternetConnect C0005.001", "server-18-161-6-16.hio52.r.cloudfront.net", "https://www.login.gov/help& | https://www.login.gov/help/ | https://www.login.gov/help/__", "http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61", "Ebury Botnet: https://www.anyxxxtube.net/search-porn/tsara-brashears/", "login.gov | uscis.gov | usertesting.com | www.epic | www.login.gov | www.microsoft.com | http://games.com/activate http://microsoft.com/link", "0-129-112027imap-intranet-pv-175-166.matomo.cloud", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 virus network \u2022 Apple data collection ]", "DNS Resolutions: otx.alienvault.com 108.138.167.23 108.138.167.17 108.138.167.55 108.138.167.82", "Ebury Botnet: cdn.jquery.com, code1.jquery.com, code123.jquery.com, code2.jquery.com, codeorigin2.jquery.com, codes.jquery.com", "http://quantum.emsbk.com/ | deadmin.kaisa.sbs | kaisa.sbs", "I really have no idea what's going on or how safe this platform is.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption \u2022 unlocker]", "accessoire-telephones.fr \u2022 bks-tv.ru [telecom] \u2022 coltel.ru [telecom] \u2022 ceptelefondata.com.tr [data collection \u2022 USA] ts-astra.ru [telecom] wifi.ru", "https://hybrid-analysis.com/sample/ac15b6c5ede04e496b08523bf7deac3694dc3cd34474a9d4e57e23255f56b647/6222a011962dca32330a5c2d", "https://hybrid-analysis.com/sample/246eb0388eff22439e0b48cd3d5ffa8c434559c52638ed166d8b96b2b8fea7ac/61f4919bf315615dd65ca107", "https://www.al-dawaa.com/arabic/xefo-injection-8-mg-powder-1-v.html", "https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr", "workers.dev [extraction \u2022 GET request attack]", "nexus.b2btest.ertelecom.ru", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js", "b7f8599765659c19eafe733a51daf8ffd1dde24bedf876c1aba7bd7f2dbf9aa2 | www.akabomedia.co.uk", "ddos.dnsnb8.net [command_and_control]", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "David Bombal & Cisco Discuss: https://m.soundcloud.com/davidbombal/455-why-hack-in-when-you-can-just-log-in (not an exploit as far as I know. I watched it on YT)", "https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark", "https://members.a-poster.info/- Members anonymously bully, post porn, someone's name with malicious titles.", "Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin | Dorkbot GeoIP Lookup to wipmania | Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin", "https://otx.alienvault.com/indicator/file/f0b09b88d6a4f7ffa7ea912e255537dead276e813d64171a1d8b1e99982ddbd2", "DNS Resolutions: When executing the file being studied, it performed the following domain name resolutions. accounts.google.com 172.253.125.84", "Ebury Botnet: www.gstatic.com, cdn-cybersecurity.att.com, cdn.amplitude.com, cdn.bizible.com, www.google-analytics.com, www.google.it\t\t encrypted-tbn3.gstatic.com, jquery.com\t\t www.code.jquery.com,\tapi.jquery.com\t,blog.jquery.com, bugs.jquery.com\t,codeorigin.jquery.com\t\t Malware site - Hybrid-Analysis apple-dns.net, www.metrobyt-mobile.com\t\t www.trellian.com, d2tobj9dlmyzd8.cloudfront.net\t\t alt001.www.gstatic.com\t\terror.www.gstatic.com, a.www.gstatic.com\t\t\t sddoodlepups.com\t\t ransomed.vc\tnot found\t\t Data", "api.wipmania.com - Verdict :External IP Lookup Service IP Address: 127.0.0.1", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://secure.login.gov/users/password/edit?request_id=7ea7896d-dfb0-40c6-b75b-5fbfab101cb8", "Crowdsourced IDS: rules Matches rule (http_inspect) HTTP Content-Length message body was truncated", "Ebury Botnet-19-5-2024.xlsx: FileHash-SHA256 9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e", "https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network", "www.supernetforme.com [command_and_control]", "Insecure headers found in search histories: games.com, microsoft.com, adrianafiore1984@gmail.com , secure.login.gov, static.secure.login.gov", "http://www.microsoft.com/link | https://www.login.gov/contact | https://www.login.gov/contact/ | https://www.login.gov/es/contact", "Tracking: trackyouremails.com \u2022 https://adservice.google.com.uy/clk", "Malware Behavior: Command and Control OB0004 C2 Communication B0030", "https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark", "CVE: CVE-2023-23397", "https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark", "https://twitter.com/PORNO_SEXYBABES", "Ebury Botnet: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "A few haven't logged in in months or sometimes longer (life) notice pulses modified, missing or can't log in.", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/summary", "http://www.w3.org/TR/html4/loose.dtd | 128.30.52.37 | www.w3.org (definite issues)", "http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing \u2022 python]", "feedercontroller.webcrawlingeap-prod-co4.binginternal.com", "Unsure of connection to issues: http://www.login.gov/es/help | http://www.login.gov/es/help\\u003c | http://www.microsoft.com/lin... |", "Highlighted actions: Calls Highlighted RtlWow64GetCurrentMachine RtlWow64IsWowGuestMachineSupported", "Ebury Botnet: content.jquery.com, Amvima.com, attachments.jquery.com\t, brand.jquery.com, brandon.jquery.com, calendar.jquery.com", "Group commentators discussed profile link changed. Also,when some users utilize 'Suggested IoC's' , bulk IoC's' are deleted before able to be included", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/behavior", "http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg \u2022\t humani-teens.com", "https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network \u2022 Data collection \u2022 phishing]", "https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html", "Noticed a few users have multiple accounts w/same name, different followers, different follower count. Love this tool. Have questions about potential attacks" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Lazarus Group" ], "malware_families": [ "Win32:genmalicious-kag\\ [trj]", "Qakbot", "Sabey", "Trojan:win32/delflob.a.dll", "Win32:dh-a\\ [heur]", "Redline stealer", "Hacktool", "Win32:renos-ck", "Lolkek", "Trojan:win32/dorkbot.du", "Emotet", "Win32:delf-iwg\\ [trj]", "204.79.197.200", "Makop", "Lockbit", "Win.downloader.32972-1", "Ryuk ransomware", "Win.trojan.agent-1286703", "Hallgrand", "Ursnif", "Ransomexx", "Hallrender", "Malware", "Win32:malware-gen" ], "industries": [ "Technology", "Telecommunications", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 16, "pulses": [ { "id": "6a0e66c722cb06d1d91d9ac0", "name": "Credit scoreblue [OTX.AlienVault.com/LevelBlue in Ebury Botnet]", "description": "", "modified": "2026-05-21T01:58:31.408000", "created": "2026-05-21T01:58:31.408000", "tags": [ "march", "camaro dragon", "cve202322518", "confluence", "impacting azure", "proofpoint", "domains", "excel", "macros", "faile", "hiddentear", "maze", "united", "heur", "html", "malware", "malicious site", "phishing", "mail spammer", "phishing site", "anonymizer", "phishingb64", "exploit", "generic", "phish", "win64", "bashlite", "ransomware", "miner", "blacklist http", "generic malware", "tag count", "malware generic", "wed jun", "analyzer threat", "ip summary", "url summary", "summary", "sample", "first", "maltiverse qrat", "office open", "xml spreadsheet", "xlsx microsoft", "excel microsoft", "xml format", "open packaging", "urls", "com laude", "csc corporate", "cloudflare", "gmbh", "contacted", "markmonitor", "markmonitor inc", "ip detections", "country", "cache entry", "gzip chrome", "text chrome", "files", "file type", "windows", "web open", "font format", "kb xml", "contenttypes", "b xml", "cve20200601", "cve20160189", "referrer", "copy", "switch dns", "query", "amazonaws", "typosquatting", "registrar", "speakez securus", "metro", "asnone united", "n hayden", "rd suite", "purpose p1", "country united", "code us", "name domain", "nexus category", "phone number", "date", "cf2a", "xaax04x00", "high", "createsuspended", "yara detections", "trojan", "ip address", "malware traffic", "nids", "dorkbot", "april", "win32", "unknown", "a poster", "forbidden small", "aaaa", "a h2", "as24940 hetzner", "search", "a nxdomain", "accept", "meta", "install", "config", "next", "calls-wmi", "number", "ja3s", "subject", "secure server", "memory pattern", "azure tls", "issuing ca", "cus subject", "cnamazon rsa", "m03 oamazon", "hashes", "woff chrome", "text", "xml ebury", "cab chrome", "gzip", "user", "data", "datacrashpad", "k dcomlaunch", "embedding", "shell", "programfiles", "samplepath", "process", "created", "shell commands", "tree", "null", "mutexes", "modules", "runtime modules", "algorithm", "suspicious_process", "allocates_rwx", "network_http", "nids_alert", "dumped_buffer", "injection_resumethread", "injection_ntsetcontextthread", "modifies_proxy_wpad", "dead_host", "nids_malware_alert", "injection_runpe", "dumped_buffer2", "network_irc", "injection_write_memory_exe", "nolookup_communication", "injection_modifies_memory", "injection_write_memory", "allocates_execute_remote_process", "persistence_autorun", "injection_createremotethread", "apple", "amazon", "as29791", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "ip lookup", "service ip", "address", "france unknown", "as16276", "germany unknown", "as12876 online", "creation date", "entries", "japan unknown", "body", "domain", "files ip", "location united", "asn as15169", "as15169 google", "as14061", "status", "united kingdom", "name servers", "microsoft", "att" ], "references": [ "Ebury Botnet-19-5-2024.xlsx: FileHash-SHA256 9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e", "https://www.al-dawaa.com/arabic/xefo-injection-8-mg-powder-1-v.html", "api.wipmania.com - Verdict :External IP Lookup Service IP Address: 127.0.0.1", "Ransomware: ransomed.vc, http://www.ransomed.vc, https://www.ransomed.vc", "Apple: emails.redvue.com, apple-dns.net, nr-data.net", "IDS Detections: External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin | Dorkbot GeoIP Lookup to wipmania | Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin", "DNS Resolutions: When executing the file being studied, it performed the following domain name resolutions. accounts.google.com 172.253.125.84", "DNS Resolutions: otx.alienvault.com 108.138.167.23 108.138.167.17 108.138.167.55 108.138.167.82", "Highlighted actions: Calls Highlighted RtlWow64GetCurrentMachine RtlWow64IsWowGuestMachineSupported", "Crowdsourced IDS: rules Matches rule (http_inspect) HTTP Content-Length message body was truncated", "Malware Behavior: Command and Control OB0004 C2 Communication B0030", "Malware Behavior: Communication OC0006 HTTP Communication C0002 WinINet C0005 InternetConnect C0005.001", "https://members.a-poster.info/- Members anonymously bully, post porn, someone's name with malicious titles.", "Ebury Botnet: UnknownStealerRecovered.exe, 20240224105334.pm, rdpwrap.dll ,emails.redvue.com, alt8.gstatic.com. asaawww.gstatic.com", "Ebury Botnet: alt14.gstatic.com,\talt5.gstatic.com, ccd-testing-v4.gstatic.com, checkin.gstatic.com, chromeos-ca.gstatic.com, drive.gstatic.com\tcofr.jquery.com", "Ebury Botnet: eee.gstatic.com, encrypted-tbn0x.gstatic.com, apex.jquery.com,araclar.jquery.com, assets.jquery.com,assetsp.jquery.com", "Ebury Botnet: content.jquery.com, Amvima.com, attachments.jquery.com\t, brand.jquery.com, brandon.jquery.com, calendar.jquery.com", "Ebury Botnet: cdn.jquery.com, code1.jquery.com, code123.jquery.com, code2.jquery.com, codeorigin2.jquery.com, codes.jquery.com", "Ebury Botnet: www.gstatic.com, cdn-cybersecurity.att.com, cdn.amplitude.com, cdn.bizible.com, www.google-analytics.com, www.google.it\t\t encrypted-tbn3.gstatic.com, jquery.com\t\t www.code.jquery.com,\tapi.jquery.com\t,blog.jquery.com, bugs.jquery.com\t,codeorigin.jquery.com\t\t Malware site - Hybrid-Analysis apple-dns.net, www.metrobyt-mobile.com\t\t www.trellian.com, d2tobj9dlmyzd8.cloudfront.net\t\t alt001.www.gstatic.com\t\terror.www.gstatic.com, a.www.gstatic.com\t\t\t sddoodlepups.com\t\t ransomed.vc\tnot found\t\t Data", "Ebury Botnet: CVE-2020-0601, CVE-2018-8174, CVE-2017-8570, CVE-2016-0189, CVE-2023-22518, CVE-2023-4966", "Ebury Botnet: https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Ebury Botnet: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "trojan.boilod.sm, trojan.script.ls, http://trojan.script.ls/, a-poster.info", "https://otx.alienvault.com/indicator/file/f0b09b88d6a4f7ffa7ea912e255537dead276e813d64171a1d8b1e99982ddbd2", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/summary", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/behavior", "I really have no idea what's going on or how safe this platform is." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/DorkBot.DU", "display_name": "Trojan:Win32/DorkBot.DU", "target": "/malware/Trojan:Win32/DorkBot.DU" }, { "id": "Win32:GenMalicious-KAG\\ [Trj]", "display_name": "Win32:GenMalicious-KAG\\ [Trj]", "target": null }, { "id": "Win.Trojan.Agent-1286703", "display_name": "Win.Trojan.Agent-1286703", "target": null }, { "id": "Win32:Renos-CK", "display_name": "Win32:Renos-CK", "target": null }, { "id": "Win32:Delf-IWG\\ [Trj]", "display_name": "Win32:Delf-IWG\\ [Trj]", "target": null }, { "id": "Win32:Dh-A\\ [Heur]", "display_name": "Win32:Dh-A\\ [Heur]", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Downloader.32972-1", "display_name": "Win.Downloader.32972-1", "target": null }, { "id": "Trojan:Win32/Delflob.A.dll", "display_name": "Trojan:Win32/Delflob.A.dll", "target": "/malware/Trojan:Win32/Delflob.A.dll" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "green", "cloned_from": "666eeab2d7cd73b992756b36", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "FileHash-MD5": 636, "FileHash-SHA1": 391, "FileHash-SHA256": 1387, "domain": 1018, "hostname": 574, "URL": 1026, "email": 7 }, "indicator_count": 5046, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e66c68264d46dc1fca629", "name": "Credit scoreblue [OTX.AlienVault.com/LevelBlue in Ebury Botnet]", "description": "", "modified": "2026-05-21T01:58:30.289000", "created": "2026-05-21T01:58:30.289000", "tags": [ "march", "camaro dragon", "cve202322518", "confluence", "impacting azure", "proofpoint", "domains", "excel", "macros", "faile", "hiddentear", "maze", "united", "heur", "html", "malware", "malicious site", "phishing", "mail spammer", "phishing site", "anonymizer", "phishingb64", "exploit", "generic", "phish", "win64", "bashlite", "ransomware", "miner", "blacklist http", "generic malware", "tag count", "malware generic", "wed jun", "analyzer threat", "ip summary", "url summary", "summary", "sample", "first", "maltiverse qrat", "office open", "xml spreadsheet", "xlsx microsoft", "excel microsoft", "xml format", "open packaging", "urls", "com laude", "csc corporate", "cloudflare", "gmbh", "contacted", "markmonitor", "markmonitor inc", "ip detections", "country", "cache entry", "gzip chrome", "text chrome", "files", "file type", "windows", "web open", "font format", "kb xml", "contenttypes", "b xml", "cve20200601", "cve20160189", "referrer", "copy", "switch dns", "query", "amazonaws", "typosquatting", "registrar", "speakez securus", "metro", "asnone united", "n hayden", "rd suite", "purpose p1", "country united", "code us", "name domain", "nexus category", "phone number", "date", "cf2a", "xaax04x00", "high", "createsuspended", "yara detections", "trojan", "ip address", "malware traffic", "nids", "dorkbot", "april", "win32", "unknown", "a poster", "forbidden small", "aaaa", "a h2", "as24940 hetzner", "search", "a nxdomain", "accept", "meta", "install", "config", "next", "calls-wmi", "number", "ja3s", "subject", "secure server", "memory pattern", "azure tls", "issuing ca", "cus subject", "cnamazon rsa", "m03 oamazon", "hashes", "woff chrome", "text", "xml ebury", "cab chrome", "gzip", "user", "data", "datacrashpad", "k dcomlaunch", "embedding", "shell", "programfiles", "samplepath", "process", "created", "shell commands", "tree", "null", "mutexes", "modules", "runtime modules", "algorithm", "suspicious_process", "allocates_rwx", "network_http", "nids_alert", "dumped_buffer", "injection_resumethread", "injection_ntsetcontextthread", "modifies_proxy_wpad", "dead_host", "nids_malware_alert", "injection_runpe", "dumped_buffer2", "network_irc", "injection_write_memory_exe", "nolookup_communication", "injection_modifies_memory", "injection_write_memory", "allocates_execute_remote_process", "persistence_autorun", "injection_createremotethread", "apple", "amazon", "as29791", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "ip lookup", "service ip", "address", "france unknown", "as16276", "germany unknown", "as12876 online", "creation date", "entries", "japan unknown", "body", "domain", "files ip", "location united", "asn as15169", "as15169 google", "as14061", "status", "united kingdom", "name servers", "microsoft", "att" ], "references": [ "Ebury Botnet-19-5-2024.xlsx: FileHash-SHA256 9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e", "https://www.al-dawaa.com/arabic/xefo-injection-8-mg-powder-1-v.html", "api.wipmania.com - Verdict :External IP Lookup Service IP Address: 127.0.0.1", "Ransomware: ransomed.vc, http://www.ransomed.vc, https://www.ransomed.vc", "Apple: emails.redvue.com, apple-dns.net, nr-data.net", "IDS Detections: External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin | Dorkbot GeoIP Lookup to wipmania | Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin", "DNS Resolutions: When executing the file being studied, it performed the following domain name resolutions. accounts.google.com 172.253.125.84", "DNS Resolutions: otx.alienvault.com 108.138.167.23 108.138.167.17 108.138.167.55 108.138.167.82", "Highlighted actions: Calls Highlighted RtlWow64GetCurrentMachine RtlWow64IsWowGuestMachineSupported", "Crowdsourced IDS: rules Matches rule (http_inspect) HTTP Content-Length message body was truncated", "Malware Behavior: Command and Control OB0004 C2 Communication B0030", "Malware Behavior: Communication OC0006 HTTP Communication C0002 WinINet C0005 InternetConnect C0005.001", "https://members.a-poster.info/- Members anonymously bully, post porn, someone's name with malicious titles.", "Ebury Botnet: UnknownStealerRecovered.exe, 20240224105334.pm, rdpwrap.dll ,emails.redvue.com, alt8.gstatic.com. asaawww.gstatic.com", "Ebury Botnet: alt14.gstatic.com,\talt5.gstatic.com, ccd-testing-v4.gstatic.com, checkin.gstatic.com, chromeos-ca.gstatic.com, drive.gstatic.com\tcofr.jquery.com", "Ebury Botnet: eee.gstatic.com, encrypted-tbn0x.gstatic.com, apex.jquery.com,araclar.jquery.com, assets.jquery.com,assetsp.jquery.com", "Ebury Botnet: content.jquery.com, Amvima.com, attachments.jquery.com\t, brand.jquery.com, brandon.jquery.com, calendar.jquery.com", "Ebury Botnet: cdn.jquery.com, code1.jquery.com, code123.jquery.com, code2.jquery.com, codeorigin2.jquery.com, codes.jquery.com", "Ebury Botnet: www.gstatic.com, cdn-cybersecurity.att.com, cdn.amplitude.com, cdn.bizible.com, www.google-analytics.com, www.google.it\t\t encrypted-tbn3.gstatic.com, jquery.com\t\t www.code.jquery.com,\tapi.jquery.com\t,blog.jquery.com, bugs.jquery.com\t,codeorigin.jquery.com\t\t Malware site - Hybrid-Analysis apple-dns.net, www.metrobyt-mobile.com\t\t www.trellian.com, d2tobj9dlmyzd8.cloudfront.net\t\t alt001.www.gstatic.com\t\terror.www.gstatic.com, a.www.gstatic.com\t\t\t sddoodlepups.com\t\t ransomed.vc\tnot found\t\t Data", "Ebury Botnet: CVE-2020-0601, CVE-2018-8174, CVE-2017-8570, CVE-2016-0189, CVE-2023-22518, CVE-2023-4966", "Ebury Botnet: https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Ebury Botnet: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "trojan.boilod.sm, trojan.script.ls, http://trojan.script.ls/, a-poster.info", "https://otx.alienvault.com/indicator/file/f0b09b88d6a4f7ffa7ea912e255537dead276e813d64171a1d8b1e99982ddbd2", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/summary", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/behavior", "I really have no idea what's going on or how safe this platform is." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/DorkBot.DU", "display_name": "Trojan:Win32/DorkBot.DU", "target": "/malware/Trojan:Win32/DorkBot.DU" }, { "id": "Win32:GenMalicious-KAG\\ [Trj]", "display_name": "Win32:GenMalicious-KAG\\ [Trj]", "target": null }, { "id": "Win.Trojan.Agent-1286703", "display_name": "Win.Trojan.Agent-1286703", "target": null }, { "id": "Win32:Renos-CK", "display_name": "Win32:Renos-CK", "target": null }, { "id": "Win32:Delf-IWG\\ [Trj]", "display_name": "Win32:Delf-IWG\\ [Trj]", "target": null }, { "id": "Win32:Dh-A\\ [Heur]", "display_name": "Win32:Dh-A\\ [Heur]", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Downloader.32972-1", "display_name": "Win.Downloader.32972-1", "target": null }, { "id": "Trojan:Win32/Delflob.A.dll", "display_name": "Trojan:Win32/Delflob.A.dll", "target": "/malware/Trojan:Win32/Delflob.A.dll" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "green", "cloned_from": "666eeab2d7cd73b992756b36", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "FileHash-MD5": 636, "FileHash-SHA1": 391, "FileHash-SHA256": 1387, "domain": 1018, "hostname": 574, "URL": 1026, "email": 7 }, "indicator_count": 5046, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "687439c2109c2b61e7afc717", "name": "OTX.AlienVault (2024) in Ebury Botnet-19/5/2024", "description": "", "modified": "2025-07-13T22:57:06.213000", "created": "2025-07-13T22:57:06.213000", "tags": [ "march", "camaro dragon", "cve202322518", "confluence", "impacting azure", "proofpoint", "domains", "excel", "macros", "faile", "hiddentear", "maze", "united", "heur", "html", "malware", "malicious site", "phishing", "mail spammer", "phishing site", "anonymizer", "phishingb64", "exploit", "generic", "phish", "win64", "bashlite", "ransomware", "miner", "blacklist http", "generic malware", "tag count", "malware generic", "wed jun", "analyzer threat", "ip summary", "url summary", "summary", "sample", "first", "maltiverse qrat", "office open", "xml spreadsheet", "xlsx microsoft", "excel microsoft", "xml format", "open packaging", "urls", "com laude", "csc corporate", "cloudflare", "gmbh", "contacted", "markmonitor", "markmonitor inc", "ip detections", "country", "cache entry", "gzip chrome", "text chrome", "files", "file type", "windows", "web open", "font format", "kb xml", "contenttypes", "b xml", "cve20200601", "cve20160189", "referrer", "copy", "switch dns", "query", "amazonaws", "typosquatting", "registrar", "speakez securus", "metro", "asnone united", "n hayden", "rd suite", "purpose p1", "country united", "code us", "name domain", "nexus category", "phone number", "date", "cf2a", "xaax04x00", "high", "createsuspended", "yara detections", "trojan", "ip address", "malware traffic", "nids", "dorkbot", "april", "win32", "unknown", "a poster", "forbidden small", "aaaa", "a h2", "as24940 hetzner", "search", "a nxdomain", "accept", "meta", "install", "config", "next", "calls-wmi", "number", "ja3s", "subject", "secure server", "memory pattern", "azure tls", "issuing ca", "cus subject", "cnamazon rsa", "m03 oamazon", "hashes", "woff chrome", "text", "xml ebury", "cab chrome", "gzip", "user", "data", "datacrashpad", "k dcomlaunch", "embedding", "shell", "programfiles", "samplepath", "process", "created", "shell commands", "tree", "null", "mutexes", "modules", "runtime modules", "algorithm", "suspicious_process", "allocates_rwx", "network_http", "nids_alert", "dumped_buffer", "injection_resumethread", "injection_ntsetcontextthread", "modifies_proxy_wpad", "dead_host", "nids_malware_alert", "injection_runpe", "dumped_buffer2", "network_irc", "injection_write_memory_exe", "nolookup_communication", "injection_modifies_memory", "injection_write_memory", "allocates_execute_remote_process", "persistence_autorun", "injection_createremotethread", "apple", "amazon", "as29791", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "ip lookup", "service ip", "address", "france unknown", "as16276", "germany unknown", "as12876 online", "creation date", "entries", "japan unknown", "body", "domain", "files ip", "location united", "asn as15169", "as15169 google", "as14061", "status", "united kingdom", "name servers", "microsoft", "att" ], "references": [ "Ebury Botnet-19-5-2024.xlsx: FileHash-SHA256 9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e", "https://www.al-dawaa.com/arabic/xefo-injection-8-mg-powder-1-v.html", "api.wipmania.com - Verdict :External IP Lookup Service IP Address: 127.0.0.1", "Ransomware: ransomed.vc, http://www.ransomed.vc, https://www.ransomed.vc", "Apple: emails.redvue.com, apple-dns.net, nr-data.net", "IDS Detections: External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin | Dorkbot GeoIP Lookup to wipmania | Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin", "DNS Resolutions: When executing the file being studied, it performed the following domain name resolutions. accounts.google.com 172.253.125.84", "DNS Resolutions: otx.alienvault.com 108.138.167.23 108.138.167.17 108.138.167.55 108.138.167.82", "Highlighted actions: Calls Highlighted RtlWow64GetCurrentMachine RtlWow64IsWowGuestMachineSupported", "Crowdsourced IDS: rules Matches rule (http_inspect) HTTP Content-Length message body was truncated", "Malware Behavior: Command and Control OB0004 C2 Communication B0030", "Malware Behavior: Communication OC0006 HTTP Communication C0002 WinINet C0005 InternetConnect C0005.001", "https://members.a-poster.info/- Members anonymously bully, post porn, someone's name with malicious titles.", "Ebury Botnet: UnknownStealerRecovered.exe, 20240224105334.pm, rdpwrap.dll ,emails.redvue.com, alt8.gstatic.com. asaawww.gstatic.com", "Ebury Botnet: alt14.gstatic.com,\talt5.gstatic.com, ccd-testing-v4.gstatic.com, checkin.gstatic.com, chromeos-ca.gstatic.com, drive.gstatic.com\tcofr.jquery.com", "Ebury Botnet: eee.gstatic.com, encrypted-tbn0x.gstatic.com, apex.jquery.com,araclar.jquery.com, assets.jquery.com,assetsp.jquery.com", "Ebury Botnet: content.jquery.com, Amvima.com, attachments.jquery.com\t, brand.jquery.com, brandon.jquery.com, calendar.jquery.com", "Ebury Botnet: cdn.jquery.com, code1.jquery.com, code123.jquery.com, code2.jquery.com, codeorigin2.jquery.com, codes.jquery.com", "Ebury Botnet: www.gstatic.com, cdn-cybersecurity.att.com, cdn.amplitude.com, cdn.bizible.com, www.google-analytics.com, www.google.it\t\t encrypted-tbn3.gstatic.com, jquery.com\t\t www.code.jquery.com,\tapi.jquery.com\t,blog.jquery.com, bugs.jquery.com\t,codeorigin.jquery.com\t\t Malware site - Hybrid-Analysis apple-dns.net, www.metrobyt-mobile.com\t\t www.trellian.com, d2tobj9dlmyzd8.cloudfront.net\t\t alt001.www.gstatic.com\t\terror.www.gstatic.com, a.www.gstatic.com\t\t\t sddoodlepups.com\t\t ransomed.vc\tnot found\t\t Data", "Ebury Botnet: CVE-2020-0601, CVE-2018-8174, CVE-2017-8570, CVE-2016-0189, CVE-2023-22518, CVE-2023-4966", "Ebury Botnet: https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Ebury Botnet: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "trojan.boilod.sm, trojan.script.ls, http://trojan.script.ls/, a-poster.info", "https://otx.alienvault.com/indicator/file/f0b09b88d6a4f7ffa7ea912e255537dead276e813d64171a1d8b1e99982ddbd2", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/summary", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/behavior", "I really have no idea what's going on or how safe this platform is." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/DorkBot.DU", "display_name": "Trojan:Win32/DorkBot.DU", "target": "/malware/Trojan:Win32/DorkBot.DU" }, { "id": "Win32:GenMalicious-KAG\\ [Trj]", "display_name": "Win32:GenMalicious-KAG\\ [Trj]", "target": null }, { "id": "Win.Trojan.Agent-1286703", "display_name": "Win.Trojan.Agent-1286703", "target": null }, { "id": "Win32:Renos-CK", "display_name": "Win32:Renos-CK", "target": null }, { "id": "Win32:Delf-IWG\\ [Trj]", "display_name": "Win32:Delf-IWG\\ [Trj]", "target": null }, { "id": "Win32:Dh-A\\ [Heur]", "display_name": "Win32:Dh-A\\ [Heur]", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Downloader.32972-1", "display_name": "Win.Downloader.32972-1", "target": null }, { "id": "Trojan:Win32/Delflob.A.dll", "display_name": "Trojan:Win32/Delflob.A.dll", "target": "/malware/Trojan:Win32/Delflob.A.dll" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "green", "cloned_from": "666eeab2d7cd73b992756b36", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "FileHash-MD5": 636, "FileHash-SHA1": 391, "FileHash-SHA256": 1387, "domain": 1018, "hostname": 574, "URL": 1026, "email": 7 }, "indicator_count": 5046, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "322 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f3e394bcf868816a29c2dc", "name": "Google Pixel 7a Devices - Telus ISP devices 'protected' by Norton", "description": "Exactly as above. I mean, out of all of the phones these ones make phonecalls (most of the time can send & receive calls). Can be a little tricky. Incomplete - it be doing it's own thing downloading/uploading stuff and heading down the 'way all the other phones went' route.", "modified": "2024-11-02T15:05:54.240000", "created": "2024-03-15T05:58:44.839000", "tags": [ "ISP", "Google", "Telus", "Norton", "Pixel" ], "references": [ "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark", "https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark", "https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark", "https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark", "https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "", "https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details", "https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network", "http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Telecommunications", "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1231, "FileHash-SHA1": 1215, "FileHash-SHA256": 99653, "URL": 158638, "domain": 49468, "hostname": 77233, "email": 6, "CIDR": 5450, "CVE": 55 }, "indicator_count": 392949, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "576 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6674e062afd192ab545b1a04", "name": "Lazarus Group", "description": "Everyone? Why Brashears? You are all so brilliant! It's not to surprising. I acted on behalf of target to follow your report. I am not anywhere close to ever being as clever as thee. Are you hiring snoops? This took form in October 2013.\nThen a follower. Next hell week-years. Just because you can. Well toasts yourselves. It must be amazing to be able to live without the fear of consequences, with knowledge that you're probably right. You know the odds or even better, the government pays you to do it!\nI am truly fascinated as well as humbled by your abilities. You made her so very sad. If that's what you need. Really rethink you choices, it's so otherworldly; again making you all so \nbright. She's met some of you, spoken to some of you, shopped alongside, was surveilled, viewed. More popular than the Kardashian on your rogue channels. Now THAT'S Reality TV. Bieber & Tori Kelley got her song chops, Sony was hacked. Okay. I'm so impressed, Hire me.\n\nsmph. I don't get it. No one does. \nAll tags auto generated.", "modified": "2024-09-05T06:06:53.933000", "created": "2024-06-21T02:07:30.790000", "tags": [ "scripts", "redline stealer", "lazarus", "core", "no problems", "html internet", "html document", "ascii text", "language", "merkd1904", "code", "c++" ], "references": [], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "204.79.197.200", "display_name": "204.79.197.200", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6840, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 50, "FileHash-SHA1": 43, "FileHash-SHA256": 850, "URL": 949, "domain": 141, "hostname": 410 }, "indicator_count": 2445, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "634 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "666eeab2d7cd73b992756b36", "name": "OTX.AlienVault.com/LevelBlue in Ebury Botnet-19-5-2024.xlsx", "description": "Ebury Botnet-19-5-2024.xlsx. is affected by and impacting OTX.AlienVault.com-LevelBlue/Labs users. Based on limited information found online, Ebury is an OpenSSH backdoor and credential stealer. It is used to deploy additional malware. Based on online reports; in mid -May 2024 in was found that Ebury targeted/infected ISP's and up to 400,000 Linux, FreeBSD, and OpenBSD servers. Gains remote access, steals cryptocurrency wallets, credentials, and credit card details and much more I don't know about.", "modified": "2024-07-16T11:02:32.735000", "created": "2024-06-16T13:37:54.283000", "tags": [ "march", "camaro dragon", "cve202322518", "confluence", "impacting azure", "proofpoint", "domains", "excel", "macros", "faile", "hiddentear", "maze", "united", "heur", "html", "malware", "malicious site", "phishing", "mail spammer", "phishing site", "anonymizer", "phishingb64", "exploit", "generic", "phish", "win64", "bashlite", "ransomware", "miner", "blacklist http", "generic malware", "tag count", "malware generic", "wed jun", "analyzer threat", "ip summary", "url summary", "summary", "sample", "first", "maltiverse qrat", "office open", "xml spreadsheet", "xlsx microsoft", "excel microsoft", "xml format", "open packaging", "urls", "com laude", "csc corporate", "cloudflare", "gmbh", "contacted", "markmonitor", "markmonitor inc", "ip detections", "country", "cache entry", "gzip chrome", "text chrome", "files", "file type", "windows", "web open", "font format", "kb xml", "contenttypes", "b xml", "cve20200601", "cve20160189", "referrer", "copy", "switch dns", "query", "amazonaws", "typosquatting", "registrar", "speakez securus", "metro", "asnone united", "n hayden", "rd suite", "purpose p1", "country united", "code us", "name domain", "nexus category", "phone number", "date", "cf2a", "xaax04x00", "high", "createsuspended", "yara detections", "trojan", "ip address", "malware traffic", "nids", "dorkbot", "april", "win32", "unknown", "a poster", "forbidden small", "aaaa", "a h2", "as24940 hetzner", "search", "a nxdomain", "accept", "meta", "install", "config", "next", "calls-wmi", "number", "ja3s", "subject", "secure server", "memory pattern", "azure tls", "issuing ca", "cus subject", "cnamazon rsa", "m03 oamazon", "hashes", "woff chrome", "text", "xml ebury", "cab chrome", "gzip", "user", "data", "datacrashpad", "k dcomlaunch", "embedding", "shell", "programfiles", "samplepath", "process", "created", "shell commands", "tree", "null", "mutexes", "modules", "runtime modules", "algorithm", "suspicious_process", "allocates_rwx", "network_http", "nids_alert", "dumped_buffer", "injection_resumethread", "injection_ntsetcontextthread", "modifies_proxy_wpad", "dead_host", "nids_malware_alert", "injection_runpe", "dumped_buffer2", "network_irc", "injection_write_memory_exe", "nolookup_communication", "injection_modifies_memory", "injection_write_memory", "allocates_execute_remote_process", "persistence_autorun", "injection_createremotethread", "apple", "amazon", "as29791", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "ip lookup", "service ip", "address", "france unknown", "as16276", "germany unknown", "as12876 online", "creation date", "entries", "japan unknown", "body", "domain", "files ip", "location united", "asn as15169", "as15169 google", "as14061", "status", "united kingdom", "name servers", "microsoft", "att" ], "references": [ "Ebury Botnet-19-5-2024.xlsx: FileHash-SHA256 9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e", "https://www.al-dawaa.com/arabic/xefo-injection-8-mg-powder-1-v.html", "api.wipmania.com - Verdict :External IP Lookup Service IP Address: 127.0.0.1", "Ransomware: ransomed.vc, http://www.ransomed.vc, https://www.ransomed.vc", "Apple: emails.redvue.com, apple-dns.net, nr-data.net", "IDS Detections: External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin | Dorkbot GeoIP Lookup to wipmania | Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin", "DNS Resolutions: When executing the file being studied, it performed the following domain name resolutions. accounts.google.com 172.253.125.84", "DNS Resolutions: otx.alienvault.com 108.138.167.23 108.138.167.17 108.138.167.55 108.138.167.82", "Highlighted actions: Calls Highlighted RtlWow64GetCurrentMachine RtlWow64IsWowGuestMachineSupported", "Crowdsourced IDS: rules Matches rule (http_inspect) HTTP Content-Length message body was truncated", "Malware Behavior: Command and Control OB0004 C2 Communication B0030", "Malware Behavior: Communication OC0006 HTTP Communication C0002 WinINet C0005 InternetConnect C0005.001", "https://members.a-poster.info/- Members anonymously bully, post porn, someone's name with malicious titles.", "Ebury Botnet: UnknownStealerRecovered.exe, 20240224105334.pm, rdpwrap.dll ,emails.redvue.com, alt8.gstatic.com. asaawww.gstatic.com", "Ebury Botnet: alt14.gstatic.com,\talt5.gstatic.com, ccd-testing-v4.gstatic.com, checkin.gstatic.com, chromeos-ca.gstatic.com, drive.gstatic.com\tcofr.jquery.com", "Ebury Botnet: eee.gstatic.com, encrypted-tbn0x.gstatic.com, apex.jquery.com,araclar.jquery.com, assets.jquery.com,assetsp.jquery.com", "Ebury Botnet: content.jquery.com, Amvima.com, attachments.jquery.com\t, brand.jquery.com, brandon.jquery.com, calendar.jquery.com", "Ebury Botnet: cdn.jquery.com, code1.jquery.com, code123.jquery.com, code2.jquery.com, codeorigin2.jquery.com, codes.jquery.com", "Ebury Botnet: www.gstatic.com, cdn-cybersecurity.att.com, cdn.amplitude.com, cdn.bizible.com, www.google-analytics.com, www.google.it\t\t encrypted-tbn3.gstatic.com, jquery.com\t\t www.code.jquery.com,\tapi.jquery.com\t,blog.jquery.com, bugs.jquery.com\t,codeorigin.jquery.com\t\t Malware site - Hybrid-Analysis apple-dns.net, www.metrobyt-mobile.com\t\t www.trellian.com, d2tobj9dlmyzd8.cloudfront.net\t\t alt001.www.gstatic.com\t\terror.www.gstatic.com, a.www.gstatic.com\t\t\t sddoodlepups.com\t\t ransomed.vc\tnot found\t\t Data", "Ebury Botnet: CVE-2020-0601, CVE-2018-8174, CVE-2017-8570, CVE-2016-0189, CVE-2023-22518, CVE-2023-4966", "Ebury Botnet: https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Ebury Botnet: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "trojan.boilod.sm, trojan.script.ls, http://trojan.script.ls/, a-poster.info", "https://otx.alienvault.com/indicator/file/f0b09b88d6a4f7ffa7ea912e255537dead276e813d64171a1d8b1e99982ddbd2", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/summary", "Ebury Botnet: https://www.virustotal.com/gui/file/9a4babdab4a93b274cc547150398fd0790d820eb01d85c7dbf5cf44b8b0be73e/behavior", "I really have no idea what's going on or how safe this platform is." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/DorkBot.DU", "display_name": "Trojan:Win32/DorkBot.DU", "target": "/malware/Trojan:Win32/DorkBot.DU" }, { "id": "Win32:GenMalicious-KAG\\ [Trj]", "display_name": "Win32:GenMalicious-KAG\\ [Trj]", "target": null }, { "id": "Win.Trojan.Agent-1286703", "display_name": "Win.Trojan.Agent-1286703", "target": null }, { "id": "Win32:Renos-CK", "display_name": "Win32:Renos-CK", "target": null }, { "id": "Win32:Delf-IWG\\ [Trj]", "display_name": "Win32:Delf-IWG\\ [Trj]", "target": null }, { "id": "Win32:Dh-A\\ [Heur]", "display_name": "Win32:Dh-A\\ [Heur]", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Downloader.32972-1", "display_name": "Win.Downloader.32972-1", "target": null }, { "id": "Trojan:Win32/Delflob.A.dll", "display_name": "Trojan:Win32/Delflob.A.dll", "target": "/malware/Trojan:Win32/Delflob.A.dll" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 7, "FileHash-MD5": 636, "FileHash-SHA1": 391, "FileHash-SHA256": 1387, "domain": 1018, "hostname": 574, "URL": 1026, "email": 7 }, "indicator_count": 5046, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "685 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e9b2408fd9557692402b03", "name": "Why are OTX pulses modified and by whom when it's not the user?", "description": "There are several OTC accounts that are experiencing unauthorized logins. Users have a common theme, keen awareness, learning from experiences, Apple , state, gov personal accounts of being hacked, have personal network/router , phone or relatives and.or associated (civil society) experiencing cyber attacks.Indicators are being removed at record pace. Some pulses have been deleted altogether. Threat actors are logging in as user by exploiting or creating a vulnerability on user device or login. From what I've learned , there is a history on user device. I hope I'm still allowed to use platform after this. I noticed some accounts were submitting and modifying 24/7. A user in a TH group forum discussed bulk deletion, non-public modified and deleted Pulses.", "modified": "2024-04-06T11:00:59.869000", "created": "2024-03-07T12:25:36.098000", "tags": [ "referrer", "execution", "dropped", "apple ios", "contacted", "partru", "sneaky server", "replacement", "unauthorized", "emotet", "submission", "alienvault", "open threat", "learn", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "google tag", "gtmkvjvztk", "anchor hrefs", "urls", "domains", "registrar", "ltd dba", "com laude", "markmonitor", "ip detections", "country", "graph", "hashes cape", "sandbox", "zenbox", "files c", "filesgoogle c", "written c", "extensions", "process", "created", "processes tree", "hour ago", "scan endpoints", "all scoreblue", "report spam", "modified", "scan", "iocs", "learn more", "hostname", "filehashsha256", "next", "url https", "url http", "adriana1984 mar", "role title", "added active", "related pulses", "entries", "united", "asnone united", "aaaa", "simple secure", "passive dns", "search", "showing", "class", "status", "creation date", "servers", "name servers", "date", "title error", "body", "files ip", "address", "location united", "asn asnone", "nameservers", "unknown", "ddos", "ipv4", "pulse submit", "url analysis" ], "references": [ "David Bombal & Cisco Discuss: https://m.soundcloud.com/davidbombal/455-why-hack-in-when-you-can-just-log-in (not an exploit as far as I know. I watched it on YT)", "b7f8599765659c19eafe733a51daf8ffd1dde24bedf876c1aba7bd7f2dbf9aa2 | www.akabomedia.co.uk", "Insecure headers found in search histories: games.com, microsoft.com, adrianafiore1984@gmail.com , secure.login.gov, static.secure.login.gov", "https://secure.login.gov/events/disavow?disavowal_token=Bxut7GJU9magrrk282lmt62q0KM4iP6R9mOGNH7yz9k", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js", "https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr", "Unsure of connection to issues: http://www.login.gov/es/help | http://www.login.gov/es/help\\u003c | http://www.microsoft.com/lin... |", "http://www.microsoft.com/link | https://www.login.gov/contact | https://www.login.gov/contact/ | https://www.login.gov/es/contact", "https://www.login.gov/help& | https://www.login.gov/help/ | https://www.login.gov/help/__", "login.gov | uscis.gov | usertesting.com | www.epic | www.login.gov | www.microsoft.com | http://games.com/activate http://microsoft.com/link", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password decoder)", "https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://secure.login.gov/users/password/edit?request_id=7ea7896d-dfb0-40c6-b75b-5fbfab101cb8", "https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr", "server-18-161-6-16.hio52.r.cloudfront.net", "http://www.w3.org/TR/html4/loose.dtd | 128.30.52.37 | www.w3.org (definite issues)", "http://quantum.emsbk.com/ | deadmin.kaisa.sbs | kaisa.sbs", "Group commentators discussed profile link changed. Also,when some users utilize 'Suggested IoC's' , bulk IoC's' are deleted before able to be included", "Noticed a few users have multiple accounts w/same name, different followers, different follower count. Love this tool. Have questions about potential attacks", "A few haven't logged in in months or sometimes longer (life) notice pulses modified, missing or can't log in.", "Email issue, virustotal also affected. Some having different IP's, different language, an American user VT ; telemetry content, strings, old browsers. Total menu change", "Phishing: http://search.searchffr.com/?source=bing-bb9&uid=9a283646-64de-4df2-84b5-9951528bd4ed&uc=20180405&ap=appfocus63&i_id=recipes__1.30" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1555.005", "name": "Password Managers", "display_name": "T1555.005 - Password Managers" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1162", "name": "Login Item", "display_name": "T1162 - Login Item" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 260, "FileHash-SHA1": 196, "FileHash-SHA256": 1855, "URL": 1204, "domain": 225, "hostname": 466, "CVE": 2, "email": 3 }, "indicator_count": 4211, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65eada25525805ad74c32b54", "name": "(Cloned from OTX user) OTX pulses modified and deleted by ???", "description": "", "modified": "2024-04-06T11:00:59.869000", "created": "2024-03-08T09:28:05.923000", "tags": [ "referrer", "execution", "dropped", "apple ios", "contacted", "partru", "sneaky server", "replacement", "unauthorized", "emotet", "submission", "alienvault", "open threat", "learn", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "google tag", "gtmkvjvztk", "anchor hrefs", "urls", "domains", "registrar", "ltd dba", "com laude", "markmonitor", "ip detections", "country", "graph", "hashes cape", "sandbox", "zenbox", "files c", "filesgoogle c", "written c", "extensions", "process", "created", "processes tree", "hour ago", "scan endpoints", "all scoreblue", "report spam", "modified", "scan", "iocs", "learn more", "hostname", "filehashsha256", "next", "url https", "url http", "adriana1984 mar", "role title", "added active", "related pulses", "entries", "united", "asnone united", "aaaa", "simple secure", "passive dns", "search", "showing", "class", "status", "creation date", "servers", "name servers", "date", "title error", "body", "files ip", "address", "location united", "asn asnone", "nameservers", "unknown", "ddos", "ipv4", "pulse submit", "url analysis" ], "references": [ "David Bombal & Cisco Discuss: https://m.soundcloud.com/davidbombal/455-why-hack-in-when-you-can-just-log-in (not an exploit as far as I know. I watched it on YT)", "b7f8599765659c19eafe733a51daf8ffd1dde24bedf876c1aba7bd7f2dbf9aa2 | www.akabomedia.co.uk", "Insecure headers found in search histories: games.com, microsoft.com, adrianafiore1984@gmail.com , secure.login.gov, static.secure.login.gov", "https://secure.login.gov/events/disavow?disavowal_token=Bxut7GJU9magrrk282lmt62q0KM4iP6R9mOGNH7yz9k", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js", "https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr", "Unsure of connection to issues: http://www.login.gov/es/help | http://www.login.gov/es/help\\u003c | http://www.microsoft.com/lin... |", "http://www.microsoft.com/link | https://www.login.gov/contact | https://www.login.gov/contact/ | https://www.login.gov/es/contact", "https://www.login.gov/help& | https://www.login.gov/help/ | https://www.login.gov/help/__", "login.gov | uscis.gov | usertesting.com | www.epic | www.login.gov | www.microsoft.com | http://games.com/activate http://microsoft.com/link", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (password decoder)", "https://static.secure.login.gov/packs/js/password_toggle_component-3d373a08.js", "https://secure.login.gov/users/password/edit?request_id=5aa8520c-5fb1-4db9-b52f-39fee61ba899&reset_password_token=T318N3voD8NtXgE_1er2", "https://secure.login.gov/users/password/edit?request_id=7ea7896d-dfb0-40c6-b75b-5fbfab101cb8", "https://secure.login.gov/users/password/edit?reset_password_token=B2J-ZWmp6vfu7teQ7Zvr", "server-18-161-6-16.hio52.r.cloudfront.net", "http://www.w3.org/TR/html4/loose.dtd | 128.30.52.37 | www.w3.org (definite issues)", "http://quantum.emsbk.com/ | deadmin.kaisa.sbs | kaisa.sbs", "Group commentators discussed profile link changed. Also,when some users utilize 'Suggested IoC's' , bulk IoC's' are deleted before able to be included", "Noticed a few users have multiple accounts w/same name, different followers, different follower count. Love this tool. Have questions about potential attacks", "A few haven't logged in in months or sometimes longer (life) notice pulses modified, missing or can't log in.", "Email issue, virustotal also affected. Some having different IP's, different language, an American user VT ; telemetry content, strings, old browsers. Total menu change", "Phishing: http://search.searchffr.com/?source=bing-bb9&uid=9a283646-64de-4df2-84b5-9951528bd4ed&uc=20180405&ap=appfocus63&i_id=recipes__1.30" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1555.005", "name": "Password Managers", "display_name": "T1555.005 - Password Managers" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1162", "name": "Login Item", "display_name": "T1162 - Login Item" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "65e9b2408fd9557692402b03", "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 260, "FileHash-SHA1": 196, "FileHash-SHA256": 1855, "URL": 1204, "domain": 225, "hostname": 466, "CVE": 2, "email": 3 }, "indicator_count": 4211, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d85bc3164cd519bc4a282d", "name": "Win32:RansomX-gen\\ [Ransom] \u2022 Win32:MalwareX-gen\\ [Trj]", "description": "https://otx.alienvault.com/indicator/ doesn't finish loading. Unable to analyze detections.\nnetwork_icmp\nallocates_rwx\npacker_entropy\nhas_pdb\npe_unknown_resource_name\nsysinternals_tools_usage\nallocates_rwx\nsuspicious_process", "modified": "2024-03-24T08:04:17.098000", "created": "2024-02-23T08:48:03.696000", "tags": [ "united", "command decode", "segoe ui", "emoji", "meta", "script", "alienvault", "open threat", "exchange", "learn", "date", "roboto", "path", "iframe", "body", "virustotal", "february", "hybrid", "general", "click", "strings", "span", "contact", "ssl certificate", "whois record", "threat roundup", "june", "october", "pe resource", "september", "referrer", "historical ssl", "march", "august", "formbook", "suspicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 151, "FileHash-SHA1": 151, "FileHash-SHA256": 2254, "domain": 693, "hostname": 974, "URL": 3461, "CVE": 1 }, "indicator_count": 7685, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "799 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d8c371cc0957afd9195ae0", "name": ":MalwareX-gen\\ [Trj]", "description": "", "modified": "2024-03-24T08:04:17.098000", "created": "2024-02-23T16:10:26", "tags": [ "united", "command decode", "segoe ui", "emoji", "meta", "script", "alienvault", "open threat", "exchange", "learn", "date", "roboto", "path", "iframe", "body", "virustotal", "february", "hybrid", "general", "click", "strings", "span", "contact", "ssl certificate", "whois record", "threat roundup", "june", "october", "pe resource", "september", "referrer", "historical ssl", "march", "august", "formbook", "suspicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": "65d85bc3164cd519bc4a282d", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Enqrypted", "id": "272105", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_272105/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 151, "FileHash-SHA1": 151, "FileHash-SHA256": 2254, "domain": 693, "hostname": 974, "URL": 3461, "CVE": 1 }, "indicator_count": 7685, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "799 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "kwidly.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "kwidly.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780326633.3275092 }