{
  "type": "Domain",
  "indicator": "loopmail.rest",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/loopmail.rest",
    "alexa": "http://www.alexa.com/siteinfo/loopmail.rest",
    "indicator": "loopmail.rest",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4130214055,
      "indicator": "loopmail.rest",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "6a1fc3671bc3d0f5ce8b06e6",
          "name": "Grok \u2022 X \u2022 Twitter Vflooder | SystemBC | QNAPCrypt",
          "description": "I continue to research issues affecting iOS and other smart devices, browsers, search engines and targeted individuals.\nI will limit my comments as further evaluation is required. Twitter appears to be used as a weapon to abuse of several targeted persons and their schools or businesses. Research is required to determine how. Is Twitter / X a weapon or is it abused by threat actors. Ongoing attacks dating back at least 5 years. || \n*DESCRIPTION: Detects systembc RAT REFERENCE: https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior\n\n#malicious #spyware #twitter #x #ai_ agents #seen_before #systembc #vtflooder #qnapcrypt #cve #checkin #scripiting #injection #extraction #gobinary #operation",
          "modified": "2026-06-03T06:02:15.229000",
          "created": "2026-06-03T06:02:15.229000",
          "tags": [
            "sysv",
            "buildid",
            "united",
            "windows nt",
            "msie",
            "germany as8560",
            "yara detections",
            "contacted",
            "z74457024643q1",
            "systembc",
            "trojan",
            "elf executable",
            "exec amd6464",
            "linux",
            "elf64 operation",
            "unix",
            "compiler",
            "debugging",
            "go binary",
            "injection",
            "header elf64",
            "v exec",
            "executable file",
            "advanced micro",
            "note",
            "strtab",
            "gmbh",
            "gandi sas",
            "group india",
            "private limited",
            "qnapcrypt",
            "hacktool",
            "chrome",
            "yandex",
            "stripchat",
            "amazonaws",
            "mal_elf_systembc",
            "apple ios",
            "ios",
            "apple",
            "telhash",
            "data upload",
            "cursor",
            "se data",
            "extraction",
            "n https",
            "data",
            "failed",
            "cve cve20246387",
            "log id",
            "gmtn",
            "path",
            "secure",
            "self",
            "samesitenone",
            "encrypt",
            "d8n timestamp",
            "timestamp",
            "organization",
            "false",
            "certificate",
            "search",
            "emails",
            "twitter",
            "twitter spyware",
            "twitter vtflooder",
            "x",
            "unknown aaaa",
            "present jun",
            "ip address",
            "belize unknown",
            "unknown ns",
            "grok x",
            "cursor agents",
            "ai",
            "url url",
            "url hostnams",
            "hostn url",
            "url data",
            "belize",
            "a domains",
            "moved",
            "alone email",
            "gmt server",
            "url analysis",
            "accept",
            "namecheap",
            "namecheap inc",
            "namesilo",
            "expim",
            "url https",
            "dynamicloader",
            "host",
            "ff d5",
            "yara rule",
            "ee fc",
            "generic http",
            "exe upload",
            "f0 ff",
            "eb e1",
            "write",
            "vflooder",
            "malware",
            "upload inbound",
            "av detections",
            "ids detections",
            "alerts",
            "analysis date",
            "checkin generic",
            "http exe",
            "upload inbound",
            "outbound yara",
            "nrv2x",
            "upxoepplace",
            "google",
            "adversaries",
            "adversarial attacks",
            "techniques",
            "create",
            "modify system",
            "process t1064",
            "t1543 systemd",
            "technir create",
            "full reports",
            "v tcp",
            "help",
            "ja3 digests",
            "hashes o",
            "et http",
            "get http",
            "post http",
            "dns resolutions",
            "cams",
            "adult content",
            "ff bb",
            "ff ff",
            "f7 b9",
            "c1 e8",
            "copy",
            "markus",
            "august",
            "title",
            "gamehack",
            "alberta.ca",
            "songculture",
            "lizardsquad"
          ],
          "references": [
            "FileHash-SHA256 756f0b598741a6fdff640a158b6b490472e546d411da2850836b9a8ca76afdc1",
            "TelfHash t135324a7149bc74b5b6a6d910b3a3b4b8a6772d6566f434f51023ad84ffc1e801ce283b",
            "Names: testpaging \u2022 upof6w.exe \u2022 2026-04-07_259af8b0d0bc540384a06bb730cee9cd_qnapcrypt",
            "Yara Detections: is__elf IP\u2019s",
            "IP\u2019s Contacted: 104.17.118.12  57.144.248.1  176.114.120.24  80.12.24.14  95.163.61.73  142.251.98.113",
            "IP\u2019s Contacted: 212.227.17.162  77.88.44.55  142.93.142.17  104.18.14.206",
            "Domains Contacted: checkip.amazonaws.com vk.com arena.ai www.yandex.ru stripchat.com",
            "ELF - ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked,",
            "Go BuildID=qBC61D7N3q3H7j2Pq55o/WsPsx2ArOJ0T24axAUMZ/K6isHEI8QMyAMkIM3HH8/QQevOAoeyrO7eZGdBARa,",
            "BuildID[sha1]=068f07f6460b85817e4be47c18c10d1a1fbef817, stripped",
            "motherlesslive.com",
            "blackbox21.shop",
            "passwordreset.gscs.ca  \u2022 https://passwordreset.gscs.ca/",
            "alberta.ca impacts an OTX user",
            "https://stripchat.org/ \u2022  27bsmextreme.tech \u2022 35bsmextreme.tech  \u2022 46bsmextreme.tech  \u2022",
            "FileHash-SHA256 9da8632065cc24646086ff5fb769c452f777aa6c2470a02a16d209baabd1e4b5",
            "storage/analyses/1000549/network 9da8632065cc24646086f f5 fb769c45\"",
            "? Con*-cted jp-\u0661\u0660\u0661\u0660\u0660\u0660.--- \u0644\u062d\u0645\u0627",
            "https://arena.ai/apple-touch-icon-dark.png",
            "https://www.forbes.com/consent/ketch/?toURL=https://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html",
            "nr-data.net \u2022 push.apple.com",
            "https://twitter.com/PORNO_SEXYBABES \u2022 twitter.com",
            "Vtflooder-9783271-0 -> 7476476bdc93726f46f75f5bdd5ce6c619d73f7ee82b7d93ad835c993ff14661",
            "Win.Malware.Vtflooder-9783271-0 -> Domains Contacted twitter.com www.virustotal.com",
            "IP\u2019s Contacted 162.159.140.229  34.54.88.138",
            "IDS Detections: Win32/Vflooder.B Checkin \u2022 Generic HTTP EXE Upload Inbound \u2022 Generic HTTP EXE Upload Outbound",
            "Yara Detections: SUSP_Imphash_Mar23_2 ,  UPX ,  Nrv2x ,  UPX_OEP_place ,   ,   UPXv20MarkusLaszloReiser",
            "Yara Detections: UPX20030XMarkusOberhumerLaszloMolnarJohnReiser",
            "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
            "Alerts: procmem_yara suricata_alert dynamic_function_loading network_cnc_https_generic reads_self",
            "Alerts: network_cnc_http network_http packer_unknown_pe_section_name injection_rwx dead_connect exec_crash",
            "Sigma: Matches rule Suspicious Outbound SMTP Connections by frack113",
            "Suspicious DNS Query for IP Lookup Service APls by Brandon George (blog post) Thomas Patzke",
            "Crowdsourced IDS: ET DROP Spamhaus Listed Traffic Inbound group 60",
            "Matches rule ET INFO External IP Lookup Domain in DNS Lookup (checkip amazonaws .com)",
            "Matches rule ET INFO External IP Check (checkip.amazonaws.com)",
            "ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)",
            "(Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)",
            "Matches rule SURICATA Applayer Detect protocol only one direction virustotal.com",
            "DESCRIPTION: Detects systembc RAT REFERENCE: https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior",
            "https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior",
            "https://docs.cursor.com/en/cli/reference/slash-commands",
            "https://api.cursor.com/v0/agents/",
            "https://grok.com/imagine/agent/d5e99582-a7e7-4138-b129-780e171ba9ac",
            "beacons.bcp.gvt.com \u2022 http://vtboss.yolox.net/md5.php \u2022 finanse.mf.gov.pl",
            "cdn10.mypornvid.fun impacted a targeted individual",
            "https://click.italiansexclub.fun/click/HpdeyDt6",
            "https://sexfortokens.com/hotmilfbitch",
            "Win.Malware.Gamehack-6822792-0 IDS Detections Riskware/Cheathappens Checkin (songculture attack)"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Trojan.Systembc/yxgdgz",
              "display_name": "Trojan.Systembc/yxgdgz",
              "target": null
            },
            {
              "id": "CVE-2023-22518",
              "display_name": "CVE-2023-22518",
              "target": null
            },
            {
              "id": "CVE-2024-6387",
              "display_name": "CVE-2024-6387",
              "target": null
            },
            {
              "id": "CVE-2025-20393",
              "display_name": "CVE-2025-20393",
              "target": null
            },
            {
              "id": "Win.Malware.Vtflooder-6722904-1",
              "display_name": "Win.Malware.Vtflooder-6722904-1",
              "target": null
            },
            {
              "id": "Trojan:Win32/Vflooder",
              "display_name": "Trojan:Win32/Vflooder",
              "target": "/malware/Trojan:Win32/Vflooder"
            },
            {
              "id": "QNAPCrypt",
              "display_name": "QNAPCrypt",
              "target": null
            },
            {
              "id": "Win.Malware.Gamehack-6822792-0",
              "display_name": "Win.Malware.Gamehack-6822792-0",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "TA0028",
              "name": "Persistence",
              "display_name": "TA0028 - Persistence"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "T1543.002",
              "name": "Systemd Service",
              "display_name": "T1543.002 - Systemd Service"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1587.001",
              "name": "Malware",
              "display_name": "T1587.001 - Malware"
            },
            {
              "id": "T1468",
              "name": "Remotely Track Device Without Authorization",
              "display_name": "T1468 - Remotely Track Device Without Authorization"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1262,
            "FileHash-MD5": 164,
            "FileHash-SHA1": 207,
            "IPv4": 180,
            "URL": 1780,
            "domain": 370,
            "hostname": 708,
            "CVE": 3,
            "email": 4,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 4682,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "17 hours ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68c62306c74c7f57dc993d13",
          "name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades",
          "description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago,  claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate",
          "modified": "2025-10-14T01:04:58.605000",
          "created": "2025-09-14T02:05:58.793000",
          "tags": [
            "denver",
            "jeffrey reimer",
            "star rating",
            "appointment",
            "post",
            "response are",
            "listened",
            "wait",
            "reimer",
            "healthgrades",
            "reply flag",
            "doctors",
            "find",
            "jeff",
            "back",
            "aurora",
            "leave",
            "crying",
            "tips",
            "tags na",
            "utc scorecard",
            "research beacon",
            "utc yahoo",
            "dot tags",
            "united",
            "mozilla",
            "write c",
            "nsisinetc",
            "undetermined",
            "medium",
            "intel",
            "ms windows",
            "write",
            "trojan",
            "defender",
            "delphi",
            "win32",
            "malware",
            "win64",
            "local",
            "next",
            "code overlap",
            "dynamicloader",
            "as15169",
            "brazil as28604",
            "brazil as396982",
            "upatre",
            "passive dns",
            "title error",
            "ipv4 add",
            "pulse pulses",
            "urls",
            "files",
            "reverse dns",
            "location united",
            "america flag",
            "body",
            "script script",
            "powder sdk",
            "a domains",
            "title",
            "script",
            "certificate",
            "hostname add",
            "pulse submit",
            "meta",
            "learn",
            "command",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "spawns",
            "evasion att",
            "t1480 execution",
            "signing defense",
            "flag",
            "whois privacy",
            "service name",
            "server",
            "contacted hosts",
            "ip address",
            "process details",
            "size",
            "div id",
            "beginstring",
            "beginerror",
            "null",
            "error",
            "strings",
            "refresh",
            "tools",
            "onload",
            "click",
            "span",
            "remote access"
          ],
          "references": [
            "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler",
            "YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd",
            "CodeOverlap | All malware listed exists",
            "Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
            "All #tags auto populated.",
            "URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf",
            "blog.manpowergroup.com.py (aww like dadvocates)",
            "https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)",
            "r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
              "display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
              "target": null
            },
            {
              "id": "Win.Malware.Tfuvtcog-7194372-0",
              "display_name": "Win.Malware.Tfuvtcog-7194372-0",
              "target": null
            },
            {
              "id": "Trojan.Win32.Fakemalard",
              "display_name": "Trojan.Win32.Fakemalard",
              "target": null
            },
            {
              "id": "Code Overlap",
              "display_name": "Code Overlap",
              "target": null
            },
            {
              "id": "Trojan.Win32.Banload",
              "display_name": "Trojan.Win32.Banload",
              "target": null
            },
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Malware",
              "display_name": "Malware",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [
            "Medical",
            "Media",
            "Government."
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 609,
            "URL": 1550,
            "domain": 280,
            "FileHash-SHA256": 1428,
            "FileHash-MD5": 133,
            "FileHash-SHA1": 115,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 4119,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "232 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68c62316b24b23e6d4c579ef",
          "name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades",
          "description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago,  claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate",
          "modified": "2025-10-14T01:04:58.605000",
          "created": "2025-09-14T02:06:14.853000",
          "tags": [
            "denver",
            "jeffrey reimer",
            "star rating",
            "appointment",
            "post",
            "response are",
            "listened",
            "wait",
            "reimer",
            "healthgrades",
            "reply flag",
            "doctors",
            "find",
            "jeff",
            "back",
            "aurora",
            "leave",
            "crying",
            "tips",
            "tags na",
            "utc scorecard",
            "research beacon",
            "utc yahoo",
            "dot tags",
            "united",
            "mozilla",
            "write c",
            "nsisinetc",
            "undetermined",
            "medium",
            "intel",
            "ms windows",
            "write",
            "trojan",
            "defender",
            "delphi",
            "win32",
            "malware",
            "win64",
            "local",
            "next",
            "code overlap",
            "dynamicloader",
            "as15169",
            "brazil as28604",
            "brazil as396982",
            "upatre",
            "passive dns",
            "title error",
            "ipv4 add",
            "pulse pulses",
            "urls",
            "files",
            "reverse dns",
            "location united",
            "america flag",
            "body",
            "script script",
            "powder sdk",
            "a domains",
            "title",
            "script",
            "certificate",
            "hostname add",
            "pulse submit",
            "meta",
            "learn",
            "command",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "spawns",
            "evasion att",
            "t1480 execution",
            "signing defense",
            "flag",
            "whois privacy",
            "service name",
            "server",
            "contacted hosts",
            "ip address",
            "process details",
            "size",
            "div id",
            "beginstring",
            "beginerror",
            "null",
            "error",
            "strings",
            "refresh",
            "tools",
            "onload",
            "click",
            "span",
            "remote access"
          ],
          "references": [
            "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler",
            "YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd",
            "CodeOverlap | All malware listed exists",
            "Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
            "All #tags auto populated.",
            "URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf",
            "blog.manpowergroup.com.py (aww like dadvocates)",
            "https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)",
            "r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
              "display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
              "target": null
            },
            {
              "id": "Win.Malware.Tfuvtcog-7194372-0",
              "display_name": "Win.Malware.Tfuvtcog-7194372-0",
              "target": null
            },
            {
              "id": "Trojan.Win32.Fakemalard",
              "display_name": "Trojan.Win32.Fakemalard",
              "target": null
            },
            {
              "id": "Code Overlap",
              "display_name": "Code Overlap",
              "target": null
            },
            {
              "id": "Trojan.Win32.Banload",
              "display_name": "Trojan.Win32.Banload",
              "target": null
            },
            {
              "id": "Formbook",
              "display_name": "Formbook",
              "target": null
            },
            {
              "id": "Malware",
              "display_name": "Malware",
              "target": null
            },
            {
              "id": "Too much to search for",
              "display_name": "Too much to search for",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [
            "Medical",
            "Media",
            "Government."
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 609,
            "URL": 1550,
            "domain": 280,
            "FileHash-SHA256": 1428,
            "FileHash-MD5": 133,
            "FileHash-SHA1": 115,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 4119,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "232 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "All #tags auto populated.",
        "storage/analyses/1000549/network 9da8632065cc24646086f f5 fb769c45\"",
        "Sigma: Matches rule Suspicious Outbound SMTP Connections by frack113",
        "https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior",
        "CodeOverlap | All malware listed exists",
        "https://click.italiansexclub.fun/click/HpdeyDt6",
        "Win.Malware.Vtflooder-9783271-0 -> Domains Contacted twitter.com www.virustotal.com",
        "https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)",
        "FileHash-SHA256 9da8632065cc24646086ff5fb769c452f777aa6c2470a02a16d209baabd1e4b5",
        "https://sexfortokens.com/hotmilfbitch",
        "Matches rule ET INFO External IP Check (checkip.amazonaws.com)",
        "https://stripchat.org/ \u2022  27bsmextreme.tech \u2022 35bsmextreme.tech  \u2022 46bsmextreme.tech  \u2022",
        "https://twitter.com/PORNO_SEXYBABES \u2022 twitter.com",
        "IDS Detections: Win32/Vflooder.B Checkin \u2022 Generic HTTP EXE Upload Inbound \u2022 Generic HTTP EXE Upload Outbound",
        "ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)",
        "beacons.bcp.gvt.com \u2022 http://vtboss.yolox.net/md5.php \u2022 finanse.mf.gov.pl",
        "Vtflooder-9783271-0 -> 7476476bdc93726f46f75f5bdd5ce6c619d73f7ee82b7d93ad835c993ff14661",
        "blog.manpowergroup.com.py (aww like dadvocates)",
        "Matches rule SURICATA Applayer Detect protocol only one direction virustotal.com",
        "passwordreset.gscs.ca  \u2022 https://passwordreset.gscs.ca/",
        "IP\u2019s Contacted: 104.17.118.12  57.144.248.1  176.114.120.24  80.12.24.14  95.163.61.73  142.251.98.113",
        "Go BuildID=qBC61D7N3q3H7j2Pq55o/WsPsx2ArOJ0T24axAUMZ/K6isHEI8QMyAMkIM3HH8/QQevOAoeyrO7eZGdBARa,",
        "cdn10.mypornvid.fun impacted a targeted individual",
        "Yara Detections: UPX20030XMarkusOberhumerLaszloMolnarJohnReiser",
        "URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf",
        "Yara Detections: is__elf IP\u2019s",
        "https://api.cursor.com/v0/agents/",
        "ELF - ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked,",
        "Alerts: procmem_yara suricata_alert dynamic_function_loading network_cnc_https_generic reads_self",
        "https://arena.ai/apple-touch-icon-dark.png",
        "IP\u2019s Contacted: 212.227.17.162  77.88.44.55  142.93.142.17  104.18.14.206",
        "TelfHash t135324a7149bc74b5b6a6d910b3a3b4b8a6772d6566f434f51023ad84ffc1e801ce283b",
        "r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev",
        "Crowdsourced IDS: ET DROP Spamhaus Listed Traffic Inbound group 60",
        "? Con*-cted jp-\u0661\u0660\u0661\u0660\u0660\u0660.--- \u0644\u062d\u0645\u0627",
        "https://www.forbes.com/consent/ketch/?toURL=https://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html",
        "DESCRIPTION: Detects systembc RAT REFERENCE: https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior",
        "motherlesslive.com",
        "nr-data.net \u2022 push.apple.com",
        "IP\u2019s Contacted 162.159.140.229  34.54.88.138",
        "https://docs.cursor.com/en/cli/reference/slash-commands",
        "Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
        "BuildID[sha1]=068f07f6460b85817e4be47c18c10d1a1fbef817, stripped",
        "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler",
        "Domains Contacted: checkip.amazonaws.com vk.com arena.ai www.yandex.ru stripchat.com",
        "(Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)",
        "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
        "Names: testpaging \u2022 upof6w.exe \u2022 2026-04-07_259af8b0d0bc540384a06bb730cee9cd_qnapcrypt",
        "FileHash-SHA256 756f0b598741a6fdff640a158b6b490472e546d411da2850836b9a8ca76afdc1",
        "YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd",
        "blackbox21.shop",
        "https://grok.com/imagine/agent/d5e99582-a7e7-4138-b129-780e171ba9ac",
        "Matches rule ET INFO External IP Lookup Domain in DNS Lookup (checkip amazonaws .com)",
        "Win.Malware.Gamehack-6822792-0 IDS Detections Riskware/Cheathappens Checkin (songculture attack)",
        "Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
        "Yara Detections: SUSP_Imphash_Mar23_2 ,  UPX ,  Nrv2x ,  UPX_OEP_place ,   ,   UPXv20MarkusLaszloReiser",
        "Alerts: network_cnc_http network_http packer_unknown_pe_section_name injection_rwx dead_connect exec_crash",
        "alberta.ca impacts an OTX user"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Cve-2024-6387",
            "#lowfi:aggregator:hasknownadwaredomain_nsisbundler.",
            "Too much to search for",
            "Cve-2023-22518",
            "Code overlap",
            "Trojan.systembc/yxgdgz",
            "Cve-2025-20393",
            "Win.malware.vtflooder-6722904-1",
            "Malware",
            "Trojan:win32/vflooder",
            "Trojan.win32.banload",
            "Trojan.win32.fakemalard",
            "Formbook",
            "Qnapcrypt",
            "Win.malware.gamehack-6822792-0",
            "Win.malware.tfuvtcog-7194372-0"
          ],
          "industries": [
            "Medical",
            "Government.",
            "Media"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "6a1fc3671bc3d0f5ce8b06e6",
      "name": "Grok \u2022 X \u2022 Twitter Vflooder | SystemBC | QNAPCrypt",
      "description": "I continue to research issues affecting iOS and other smart devices, browsers, search engines and targeted individuals.\nI will limit my comments as further evaluation is required. Twitter appears to be used as a weapon to abuse several targeted persons and their schools or businesses. Research is required to determine how. Is Twitter / X a weapon or is it abused by threat actors? Ongoing attacks dating back at least 5 years. || \n*DESCRIPTION: Detects systembc RAT REFERENCE: https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior\n\n#malicious #spyware #twitter #x #ai_agents #seen_before #systembc #vtflooder #qnapcrypt #cve #checkin #scripting #injection #extraction #gobinary #operation",
      "modified": "2026-06-03T06:02:15.229000",
      "created": "2026-06-03T06:02:15.229000",
      "tags": [
        "sysv",
        "buildid",
        "united",
        "windows nt",
        "msie",
        "germany as8560",
        "yara detections",
        "contacted",
        "z74457024643q1",
        "systembc",
        "trojan",
        "elf executable",
        "exec amd6464",
        "linux",
        "elf64 operation",
        "unix",
        "compiler",
        "debugging",
        "go binary",
        "injection",
        "header elf64",
        "v exec",
        "executable file",
        "advanced micro",
        "note",
        "strtab",
        "gmbh",
        "gandi sas",
        "group india",
        "private limited",
        "qnapcrypt",
        "hacktool",
        "chrome",
        "yandex",
        "stripchat",
        "amazonaws",
        "mal_elf_systembc",
        "apple ios",
        "ios",
        "apple",
        "telhash",
        "data upload",
        "cursor",
        "se data",
        "extraction",
        "n https",
        "data",
        "failed",
        "cve cve20246387",
        "log id",
        "gmtn",
        "path",
        "secure",
        "self",
        "samesitenone",
        "encrypt",
        "d8n timestamp",
        "timestamp",
        "organization",
        "false",
        "certificate",
        "search",
        "emails",
        "twitter",
        "twitter spyware",
        "twitter vtflooder",
        "x",
        "unknown aaaa",
        "present jun",
        "ip address",
        "belize unknown",
        "unknown ns",
        "grok x",
        "cursor agents",
        "ai",
        "url url",
        "url hostnams",
        "hostn url",
        "url data",
        "belize",
        "a domains",
        "moved",
        "alone email",
        "gmt server",
        "url analysis",
        "accept",
        "namecheap",
        "namecheap inc",
        "namesilo",
        "expim",
        "url https",
        "dynamicloader",
        "host",
        "ff d5",
        "yara rule",
        "ee fc",
        "generic http",
        "exe upload",
        "f0 ff",
        "eb e1",
        "write",
        "vflooder",
        "malware",
        "upload inbound",
        "av detections",
        "ids detections",
        "alerts",
        "analysis date",
        "checkin generic",
        "http exe",
        "upload inbound",
        "outbound yara",
        "nrv2x",
        "upxoepplace",
        "google",
        "adversaries",
        "adversarial attacks",
        "techniques",
        "create",
        "modify system",
        "process t1064",
        "t1543 systemd",
        "technir create",
        "full reports",
        "v tcp",
        "help",
        "ja3 digests",
        "hashes o",
        "et http",
        "get http",
        "post http",
        "dns resolutions",
        "cams",
        "adult content",
        "ff bb",
        "ff ff",
        "f7 b9",
        "c1 e8",
        "copy",
        "markus",
        "august",
        "title",
        "gamehack",
        "alberta.ca",
        "songculture",
        "lizardsquad"
      ],
      "references": [
        "FileHash-SHA256 756f0b598741a6fdff640a158b6b490472e546d411da2850836b9a8ca76afdc1",
        "TelfHash t135324a7149bc74b5b6a6d910b3a3b4b8a6772d6566f434f51023ad84ffc1e801ce283b",
        "Names: testpaging \u2022 upof6w.exe \u2022 2026-04-07_259af8b0d0bc540384a06bb730cee9cd_qnapcrypt",
        "Yara Detections: is__elf IP\u2019s",
        "IP\u2019s Contacted: 104.17.118.12  57.144.248.1  176.114.120.24  80.12.24.14  95.163.61.73  142.251.98.113",
        "IP\u2019s Contacted: 212.227.17.162  77.88.44.55  142.93.142.17  104.18.14.206",
        "Domains Contacted: checkip.amazonaws.com vk.com arena.ai www.yandex.ru stripchat.com",
        "ELF - ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked,",
        "Go BuildID=qBC61D7N3q3H7j2Pq55o/WsPsx2ArOJ0T24axAUMZ/K6isHEI8QMyAMkIM3HH8/QQevOAoeyrO7eZGdBARa,",
        "BuildID[sha1]=068f07f6460b85817e4be47c18c10d1a1fbef817, stripped",
        "motherlesslive.com",
        "blackbox21.shop",
        "passwordreset.gscs.ca  \u2022 https://passwordreset.gscs.ca/",
        "alberta.ca impacts an OTX user",
        "https://stripchat.org/ \u2022  27bsmextreme.tech \u2022 35bsmextreme.tech  \u2022 46bsmextreme.tech  \u2022",
        "FileHash-SHA256 9da8632065cc24646086ff5fb769c452f777aa6c2470a02a16d209baabd1e4b5",
        "storage/analyses/1000549/network 9da8632065cc24646086ff5fb769c452f777aa6c2470a02a16d209baabd1e4b5",
        "? Con*-cted jp-\u0661\u0660\u0661\u0660\u0660\u0660.--- \u0644\u062d\u0645\u0627",
        "https://arena.ai/apple-touch-icon-dark.png",
        "https://www.forbes.com/consent/ketch/?toURL=https://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html",
        "nr-data.net \u2022 push.apple.com",
        "https://twitter.com/PORNO_SEXYBABES \u2022 twitter.com",
        "Vtflooder-9783271-0 -> 7476476bdc93726f46f75f5bdd5ce6c619d73f7ee82b7d93ad835c993ff14661",
        "Win.Malware.Vtflooder-9783271-0 -> Domains Contacted twitter.com www.virustotal.com",
        "IP\u2019s Contacted 162.159.140.229  34.54.88.138",
        "IDS Detections: Win32/Vflooder.B Checkin \u2022 Generic HTTP EXE Upload Inbound \u2022 Generic HTTP EXE Upload Outbound",
        "Yara Detections: SUSP_Imphash_Mar23_2 ,  UPX ,  Nrv2x ,  UPX_OEP_place ,   ,   UPXv20MarkusLaszloReiser",
        "Yara Detections: UPX20030XMarkusOberhumerLaszloMolnarJohnReiser",
        "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
        "Alerts: procmem_yara suricata_alert dynamic_function_loading network_cnc_https_generic reads_self",
        "Alerts: network_cnc_http network_http packer_unknown_pe_section_name injection_rwx dead_connect exec_crash",
        "Sigma: Matches rule Suspicious Outbound SMTP Connections by frack113",
        "Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
        "Crowdsourced IDS: ET DROP Spamhaus Listed Traffic Inbound group 60",
        "Matches rule ET INFO External IP Lookup Domain in DNS Lookup (checkip amazonaws .com)",
        "Matches rule ET INFO External IP Check (checkip.amazonaws.com)",
        "ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)",
        "(Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)",
        "Matches rule SURICATA Applayer Detect protocol only one direction virustotal.com",
        "DESCRIPTION: Detects systembc RAT REFERENCE: https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior",
        "https://www.linkedin.com/posts/any-run_systembc-rat-explorewithanyrun-activity-7289971333671645184-Sefp/?utm_source=share&utm_medium=member_ios RULE_AUTHOR: X__Junior",
        "https://docs.cursor.com/en/cli/reference/slash-commands",
        "https://api.cursor.com/v0/agents/",
        "https://grok.com/imagine/agent/d5e99582-a7e7-4138-b129-780e171ba9ac",
        "beacons.bcp.gvt.com \u2022 http://vtboss.yolox.net/md5.php \u2022 finanse.mf.gov.pl",
        "cdn10.mypornvid.fun impacted a targeted individual",
        "https://click.italiansexclub.fun/click/HpdeyDt6",
        "https://sexfortokens.com/hotmilfbitch",
        "Win.Malware.Gamehack-6822792-0 IDS Detections Riskware/Cheathappens Checkin (songculture attack)"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Trojan.Systembc/yxgdgz",
          "display_name": "Trojan.Systembc/yxgdgz",
          "target": null
        },
        {
          "id": "CVE-2023-22518",
          "display_name": "CVE-2023-22518",
          "target": null
        },
        {
          "id": "CVE-2024-6387",
          "display_name": "CVE-2024-6387",
          "target": null
        },
        {
          "id": "CVE-2025-20393",
          "display_name": "CVE-2025-20393",
          "target": null
        },
        {
          "id": "Win.Malware.Vtflooder-6722904-1",
          "display_name": "Win.Malware.Vtflooder-6722904-1",
          "target": null
        },
        {
          "id": "Trojan:Win32/Vflooder",
          "display_name": "Trojan:Win32/Vflooder",
          "target": "/malware/Trojan:Win32/Vflooder"
        },
        {
          "id": "QNAPCrypt",
          "display_name": "QNAPCrypt",
          "target": null
        },
        {
          "id": "Win.Malware.Gamehack-6822792-0",
          "display_name": "Win.Malware.Gamehack-6822792-0",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "TA0028",
          "name": "Persistence",
          "display_name": "TA0028 - Persistence"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "T1543.002",
          "name": "Systemd Service",
          "display_name": "T1543.002 - Systemd Service"
        },
        {
          "id": "TA0002",
          "name": "Execution",
          "display_name": "TA0002 - Execution"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "T1457",
          "name": "Malicious Media Content",
          "display_name": "T1457 - Malicious Media Content"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1587.001",
          "name": "Malware",
          "display_name": "T1587.001 - Malware"
        },
        {
          "id": "T1468",
          "name": "Remotely Track Device Without Authorization",
          "display_name": "T1468 - Remotely Track Device Without Authorization"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1262,
        "FileHash-MD5": 164,
        "FileHash-SHA1": 207,
        "IPv4": 180,
        "URL": 1780,
        "domain": 370,
        "hostname": 708,
        "CVE": 3,
        "email": 4,
        "SSLCertFingerprint": 4
      },
      "indicator_count": 4682,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "17 hours ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68c62306c74c7f57dc993d13",
      "name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades",
      "description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago,  claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate",
      "modified": "2025-10-14T01:04:58.605000",
      "created": "2025-09-14T02:05:58.793000",
      "tags": [
        "denver",
        "jeffrey reimer",
        "star rating",
        "appointment",
        "post",
        "response are",
        "listened",
        "wait",
        "reimer",
        "healthgrades",
        "reply flag",
        "doctors",
        "find",
        "jeff",
        "back",
        "aurora",
        "leave",
        "crying",
        "tips",
        "tags na",
        "utc scorecard",
        "research beacon",
        "utc yahoo",
        "dot tags",
        "united",
        "mozilla",
        "write c",
        "nsisinetc",
        "undetermined",
        "medium",
        "intel",
        "ms windows",
        "write",
        "trojan",
        "defender",
        "delphi",
        "win32",
        "malware",
        "win64",
        "local",
        "next",
        "code overlap",
        "dynamicloader",
        "as15169",
        "brazil as28604",
        "brazil as396982",
        "upatre",
        "passive dns",
        "title error",
        "ipv4 add",
        "pulse pulses",
        "urls",
        "files",
        "reverse dns",
        "location united",
        "america flag",
        "body",
        "script script",
        "powder sdk",
        "a domains",
        "title",
        "script",
        "certificate",
        "hostname add",
        "pulse submit",
        "meta",
        "learn",
        "command",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "spawns",
        "evasion att",
        "t1480 execution",
        "signing defense",
        "flag",
        "whois privacy",
        "service name",
        "server",
        "contacted hosts",
        "ip address",
        "process details",
        "size",
        "div id",
        "beginstring",
        "beginerror",
        "null",
        "error",
        "strings",
        "refresh",
        "tools",
        "onload",
        "click",
        "span",
        "remote access"
      ],
      "references": [
        "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler",
        "YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd",
        "CodeOverlap | All malware listed exists",
        "Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
        "All #tags auto populated.",
        "URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf",
        "blog.manpowergroup.com.py (aww like dadvocates)",
        "https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)",
        "r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
          "display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
          "target": null
        },
        {
          "id": "Win.Malware.Tfuvtcog-7194372-0",
          "display_name": "Win.Malware.Tfuvtcog-7194372-0",
          "target": null
        },
        {
          "id": "Trojan.Win32.Fakemalard",
          "display_name": "Trojan.Win32.Fakemalard",
          "target": null
        },
        {
          "id": "Code Overlap",
          "display_name": "Code Overlap",
          "target": null
        },
        {
          "id": "Trojan.Win32.Banload",
          "display_name": "Trojan.Win32.Banload",
          "target": null
        },
        {
          "id": "Formbook",
          "display_name": "Formbook",
          "target": null
        },
        {
          "id": "Malware",
          "display_name": "Malware",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1063",
          "name": "Security Software Discovery",
          "display_name": "T1063 - Security Software Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [
        "Medical",
        "Media",
        "Government."
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 609,
        "URL": 1550,
        "domain": 280,
        "FileHash-SHA256": 1428,
        "FileHash-MD5": 133,
        "FileHash-SHA1": 115,
        "SSLCertFingerprint": 4
      },
      "indicator_count": 4119,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 143,
      "modified_text": "232 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68c62316b24b23e6d4c579ef",
      "name": "Predator - Dr. Jeffrey Reimer, DPT - Physical Therapist in Denver, CO | Healthgrades",
      "description": "Malware with code overlap. JSR , DPT Health Grades account has been removed. An investigator claims Reimer & family have been moved, names , career , changes years ago,  claims of government protection for him. After victims MRI JSR left town immediately. Returning in 2016 , coincidentally driving near victim location on various locations. \nIt\u2019s disgusting how technology is being used to cover up a crime instead of solve one.\n#code_overlap #malware #hosts_contacted\n#itstoolatetoapologizeitstoolate",
      "modified": "2025-10-14T01:04:58.605000",
      "created": "2025-09-14T02:06:14.853000",
      "tags": [
        "denver",
        "jeffrey reimer",
        "star rating",
        "appointment",
        "post",
        "response are",
        "listened",
        "wait",
        "reimer",
        "healthgrades",
        "reply flag",
        "doctors",
        "find",
        "jeff",
        "back",
        "aurora",
        "leave",
        "crying",
        "tips",
        "tags na",
        "utc scorecard",
        "research beacon",
        "utc yahoo",
        "dot tags",
        "united",
        "mozilla",
        "write c",
        "nsisinetc",
        "undetermined",
        "medium",
        "intel",
        "ms windows",
        "write",
        "trojan",
        "defender",
        "delphi",
        "win32",
        "malware",
        "win64",
        "local",
        "next",
        "code overlap",
        "dynamicloader",
        "as15169",
        "brazil as28604",
        "brazil as396982",
        "upatre",
        "passive dns",
        "title error",
        "ipv4 add",
        "pulse pulses",
        "urls",
        "files",
        "reverse dns",
        "location united",
        "america flag",
        "body",
        "script script",
        "powder sdk",
        "a domains",
        "title",
        "script",
        "certificate",
        "hostname add",
        "pulse submit",
        "meta",
        "learn",
        "command",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "spawns",
        "evasion att",
        "t1480 execution",
        "signing defense",
        "flag",
        "whois privacy",
        "service name",
        "server",
        "contacted hosts",
        "ip address",
        "process details",
        "size",
        "div id",
        "beginstring",
        "beginerror",
        "null",
        "error",
        "strings",
        "refresh",
        "tools",
        "onload",
        "click",
        "span",
        "remote access"
      ],
      "references": [
        "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler",
        "YARA: Delphi This program must be run under Win32 compilers TrojanWin32Fakemalard Ujhhd",
        "CodeOverlap | All malware listed exists",
        "Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
        "All #tags auto populated.",
        "URL http://virii.es/M/Mobile Malware Attacks and Defense.pdf",
        "blog.manpowergroup.com.py (aww like dadvocates)",
        "https://isexychat.com/chatrooms/teen-chat/with-others/\t (sounds about right)",
        "r53lbr.run-delete-app-sa-east-1-1.run-delete-test-sa-east-1-9zt9rjv.forgeapps.ec2.aws.dev"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
          "display_name": "#Lowfi:AGGREGATOR:HasKnownAdwareDomain_NsisBundler.",
          "target": null
        },
        {
          "id": "Win.Malware.Tfuvtcog-7194372-0",
          "display_name": "Win.Malware.Tfuvtcog-7194372-0",
          "target": null
        },
        {
          "id": "Trojan.Win32.Fakemalard",
          "display_name": "Trojan.Win32.Fakemalard",
          "target": null
        },
        {
          "id": "Code Overlap",
          "display_name": "Code Overlap",
          "target": null
        },
        {
          "id": "Trojan.Win32.Banload",
          "display_name": "Trojan.Win32.Banload",
          "target": null
        },
        {
          "id": "Formbook",
          "display_name": "Formbook",
          "target": null
        },
        {
          "id": "Malware",
          "display_name": "Malware",
          "target": null
        },
        {
          "id": "Too much to search for",
          "display_name": "Too much to search for",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1063",
          "name": "Security Software Discovery",
          "display_name": "T1063 - Security Software Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [
        "Medical",
        "Media",
        "Government."
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 609,
        "URL": 1550,
        "domain": 280,
        "FileHash-SHA256": 1428,
        "FileHash-MD5": 133,
        "FileHash-SHA1": 115,
        "SSLCertFingerprint": 4
      },
      "indicator_count": 4119,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 143,
      "modified_text": "232 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "loopmail.rest",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "loopmail.rest",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780528347.5125878
}