{ "type": "Domain", "indicator": "loopmasters.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/loopmasters.com", "alexa": "http://www.alexa.com/siteinfo/loopmasters.com", "indicator": "loopmasters.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3760370712, "indicator": "loopmasters.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-13T23:46:20.071000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 107, "CIDR": 6 }, "indicator_count": 33117, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698ef344417f9985660e698b", "name": "Pulse Data", "description": "A complete summary of all the key points in the analysis of the W32.virus, compiled by the University of California, Los Angeles, at the end of May, 2014, and published online.", "modified": "2026-03-28T07:23:23.210000", "created": "2026-02-13T09:47:48.788000", "tags": [ "imphash", "file type", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections tls", "zeppelin" ], "references": [ "", "4860f9c5ec1ab473f1d63d19a31c82798d65a8d2 Add to Pulse Pulses 2 AV Detections 1 IDS Detections 5 YARA Detections 3 Alerts 0 Analysis Overview Analysis Date 4 days ago File Score 12 Malicious Antivirus Detections TrojanDownloader:Win32/Tugspay.A IDS Detections TLS Handshake Failure 403 Forbidden Yara Detections Win32_PUA_Domaiq , aPLib , PECompact_2xx Alerts 31 Alerts antivm_display infostealer_browser infostealer_cookies procmem_yara static_pe_anomaly suricata_alert antivm_bochs_keys physical_drive_access " ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 646, "FileHash-SHA1": 604, "FileHash-SHA256": 1373, "hostname": 1143, "domain": 1381, "URL": 2537, "CVE": 101, "email": 25, "SSLCertFingerprint": 9 }, "indicator_count": 7819, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f100d791f9f9f6ab7b4f24", "name": "Cerber \u00bb Charter Communications \u00bb Spectrum Denver", "description": "[107.14.73.70] IP address range owned by Charter Communications Inc and located in Denver, Co United States.\n\nTargets & family neighborhood ISP's attacked again. Internet and targets devices attacked , Internet had to be reset twice by tech teams. Our team was able to track comprises directed towards target and families devices, which they are destroying. Stolen passwords, leaks, forced content, dumping. Both Spectrum & Quantum fiber positive for malicious activity within targeted devices. Fake iOS update pushed to a device. It comes with an agreement from Apple Singapore, LTD. \n\nMalware Families ,\nBackdoor:Win32/Tofse , \nCerber Ransomware ,\nET. \nETPRO ,\nInject3.QGY ,\nKelihos ,\nNIDS ,\nNOD32 ,\nSf:ShellCode-AU\\ [Trj] , \nTrojan:Win32/Glupteba ,\nTrojanDownloader:Win32/Cutwail ,\nVirTool:Win32/Obfuscator", "modified": "2024-10-23T05:03:21.045000", "created": "2024-09-23T05:47:03.625000", "tags": [ "isp charter", "usage type", "fixed line", "isp hostname", "domain name", "country united", "america city", "denver", "colorado", "ip address", "whois", "check", "information isp", "inc usage", "type fixed", "line isp", "hostname", "plesk forum", "centos web", "panel forum", "whois lookup", "netrange", "nethandle", "net107", "net1070000", "cc3517", "inc orgid", "dr city", "stateprov", "postalcode", "status", "as7843 charter", "united", "name servers", "passive dns", "urls", "domain", "search", "emails", "unknown", "scan endpoints", "all scoreblue", "ipv4", "files", "reverse dns", "location united", "win32", "abuseipdb", "read", "write", "read c", "server header", "show", "suspicious", "kelihos", "trojan", "artemis", "virustotal", "download", "drweb", "vipre", "panda", "malware", "specified", "next", "et trojan", "et info", "medium", "http", "ids detections", "yara detections", "e98c1cec8156", "as11426 charter", "as20001 charter", "as11427 charter", "as11351 charter", "as16787 charter", "as33363 charter", "as20115 charter", "as10796 charter", "as12271 charter", "body", "servers", "all search", "entries", "intel", "ms windows", "windows nt", "destination", "port", "asnone", "heurunsec", "etpro trojan", "nxdomain", "a nxdomain", "aaaa", "asnone united", "aaaa nxdomain", "backdoor", "pulse submit", "url analysis", "location oxford", "as3456 charter", "moved", "showing", "body doctype", "html public", "ietfdtd html", "as6976 verizon", "as701 verizon", "file samples", "files matching", "date hash", "copyright", "levelblue", "related pulses", "pulse pulses", "kryptikpii", "msr apr", "date", "creation date", "analyzer paste", "iocs", "samples", "secure server", "cname", "as5742", "body head", "object moved", "content length", "content type", "cookie", "as15133 verizon", "lowfi", "gmt server", "ecacc", "record value", "oxford", "michigan", "ns nxdomain", "soa nxdomain", "url http", "mitre att", "evasion ta0005", "creates", "discovery t1082", "reads software", "file", "t1083 reads", "jujubox", "zenbox", "get http", "request", "host", "win64", "khtml", "gecko", "response", "cus cndigicert", "tls rsa", "user", "javascript c", "doscom c", "text c", "files c", "storage", "file system", "filesadobe c", "appdata", "appdatalocal", "hostnames", "ta0002 command", "t1059 very", "t1064", "javascript", "modules t1129", "ta0003 create", "modify system", "process t1543", "windows service", "cisco umbrella", "blacklist", "safe site", "filerepmalware", "microsoft", "phishing bank", "sgeneric", "malware site", "unsafe", "number", "cus cngts", "ogoogle trust", "subject", "algorithm", "cus ouserver", "ouserver ca", "record type", "ttl value", "msms86718722", "query", "open", "capa", "create process", "windows create", "delete file", "write file", "windows check", "os version", "enumerate", "hashes", "signals mutexes", "mutexes", "open threat", "location los", "emails info", "expiration date", "write c", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "as51167 contabo", "germany unknown", "as40021 contabo", "encrypt", "hosting", "netherlands asn", "as204601 zomro", "pulses", "tags", "related tags", "indicator facts", "historical otx", "files ip", "asnone germany", "as174 cogent", "czechia unknown", "whitelisted", "certificate", "bittorrent dht", "post http", "et p2p", "cryptexportkey", "invalid pointer", "delete c", "post utcore", "benchhttp", "mozilla", "maldoc", "service", "tools", "nids", "et", "x95xd3xa4", "regbinary", "hx88x89", "kx82xd3x11", "xb9x8b", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "stream", "persistence", "execution", "dynamicloader", "contacted", "domains", "yara rule", "high", "dynamic", "pcap", "pushdo", "msie", "activity beacon", "malware beacon", "default", "redacted for", "for privacy", "as3379 kaiser", "server", "gmt content", "type", "x frame", "entries http", "scans show", "domain related", "no data", "tag count", "fakedout threat", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "components", "zune", "etpro", "nod32", "avast avg", "next http", "example domain", "title meta", "invalid url", "akamai", "urls http", "as20940", "as16625 akamai", "netherlands", "germany", "france", "virtool", "rock", "address", "apache", "accept", "as8075", "pulse http", "related nids", "files location", "moldova related", "pulses none", "as31898 oracle", "title", "kryptiklfq", "win32dh", "vitro", "shutdown", "erase", "find", "close", "as53418", "hat server", "as797 att", "script urls", "a domains", "as10753 level", "script script", "meta", "path", "null", "stop", "as54113", "chrome", "as7018 att", "as28521", "mexico unknown", "fastly error", "please", "sea p", "object", "set cookie", "pragma", "as19536 directv", "united kingdom", "as60664 xion", "trojan features", "moldova unknown", "susp", "breaking news", "business", "finance", "entertainment", "sports", "games", "trending videos", "weather", "home", "as396982 google", "url https", "type indicator", "role title", "added active", "cyberfolks", ".pl", "level 3" ], "references": [ "ISP: Charter Communications Inc Usage Type\tFixed Line ISP", "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA", "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.", "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com", "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e", "IDS Detections: Suspicious double Server Header Possible Kelihos", "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header", "telemetry-incoming.r53-2.services.mozilla.com", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel", "http://www.door.net/ARISBE/arisbe.htm", "talk.plesk.com | 4evermusic.pl | nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov", "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Hungary", "Ukraine", "Spain", "Brazil", "Russian Federation", "Moldova, Republic of", "Japan", "Ireland", "Luxembourg", "Canada" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Cerber Ransomware", "display_name": "Cerber Ransomware", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Inject3.QGY", "display_name": "Inject3.QGY", "target": null }, { "id": "Kelihos", "display_name": "Kelihos", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "NOD32", "display_name": "NOD32", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2060, "hostname": 3067, "CIDR": 4, "URL": 1300, "email": 29, "FileHash-MD5": 3181, "FileHash-SHA1": 1994, "FileHash-SHA256": 3228, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 14866, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66933b9c8be1a5b9e24de941", "name": "Worm:Win32/Enosch - Affecting YouTube, Google and more", "description": "", "modified": "2024-08-13T02:01:24.759000", "created": "2024-07-14T02:44:44.457000", "tags": [ "june", "october", "july", "tracking", "december", "apple ios", "relacionada", "partru", "plugx", "cryptbot", "hacktool", "lockbit", "as8075", "united", "slot1", "mascore2", "bcnt1", "nct1", "arc1", "ems1", "auth1", "localeenus", "date", "default", "show", "regsetvalueexa", "search", "regdword", "medium", "settingswpad", "delete", "ids detections", "yara detections", "worm", "malware", "copy", "write", "win32", "unknown", "asnone united", "as14061", "status", "creation date", "name servers", "cname", "next", "passive dns", "as15169 google", "gmt cache", "sameorigin", "443 ma2592000", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "as63949 linode", "html", "gmt content", "moved", "encrypt", "body", "record value", "emails", "domain name", "error", "code", "algorithm", "key usage", "v3 serial", "number", "public key", "info", "key algorithm", "subject key", "identifier", "x509v3 crl", "first", "as6185 apple", "japan", "as8068", "as714 apple", "aaaa", "as32244 liquid", "nxdomain", "as44273 host", "script urls", "meta", "as31154 toyota", "belgium unknown", "belgium", "pulse submit", "url analysis", "win32 exe", "android", "servers", "files", "name", "domain", "ashley", "sylvia", "sonja", "file type", "karin", "gina", "christine", "kathrin", "sandy" ], "references": [ "http://www.google.com/images/errors/robot.png", "beacons.bcp.gvt.com, desktop.google.co.id, drive.google.com, google.com , https.www.google.com", "nr-data.net [Apple Private Data Collection]", "47.courier-push-apple.com.akadns.net", "Antivirus Detections: Win32:Agent-ASTI\\ [Trj] , Win.Trojan.Agent-357800 , Worm:Win32/Enosch!atmn", "IDS Detections: Win32/Enosch.A gtalk connectivity check | Yara Detections: md5_constants", "Alerts: network_icmp network_smtp persistence_autorun modifies_proxy_wpad dumped_buffer", "Alerts: network_http antivm_network_adapters smtp_gmail antivm_queries_computername checks_debugger", "Worm:Win32/Enosch: FileHash-SHA256\t00001fce075ec7fe698d6ede804939221afcf40750027fde6b29a75af85ea2cc", "Worm:Win32/Enosch: FileHash-SHA1 c1f7aeab8ae436f1e94bce12a465db736850f4d5", "Worm:Win32/Enosch: FileHash-MD5 c98108ca8f4e0dd8a3f63d4ac490e115", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Unlocker]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Enosch!atmn", "display_name": "Worm:Win32/Enosch!atmn", "target": "/malware/Worm:Win32/Enosch!atmn" } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Media", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 146, "FileHash-SHA1": 126, "FileHash-SHA256": 1422, "URL": 377, "domain": 889, "hostname": 418, "SSLCertFingerprint": 1, "email": 10 }, "indicator_count": 3389, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "614 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "668115d703e0a46887c7f08d", "name": "Drive-by Compromise | TEL:Trojan:Win32/Injector | Zeus | Ransomware", "description": "Targeted Individual has experienced attacks on both iOS, Android, MacBooks & PC's. Drive-by Compromise can be accomplished by various methods this can be done, for example: A pop up advert could have an 'X' in the corner that disguises itself as a close button, but actually acts as a catalyst for starting a malicious download once pressed. A tactic used on specific target is a pop-up w/with (a non-Google affiliated disclaimer)'Google' account chooser with Google logo desired email checked. [https://accounts.google.com/AccountChooser?]; checked. Every time TB acquired a new phone, this occurs. A link could appear legitimate, but clicking on it could cause the download to begin. Drive-by Compromise \u00b7 A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript.", "modified": "2024-07-30T08:04:39.977000", "created": "2024-06-30T08:22:47.783000", "tags": [ "vj83", "tsara brashears", "malware", "password bypass", "problems", "threat network", "infrastructure", "checking", "china", "iocs", "download", "relic", "monitoring", "installer", "graph", "server", "domain status", "date", "code", "country", "registrar abuse", "registrar", "whois lookup", "admin city", "redmond admin", "analyzer paste", "urls http", "z1277946686", "slfrd1", "uiebaae", "jid960554243", "samples", "malicious url", "z1767086795", "no data", "tag count", "count blacklist", "tag tag", "sample29", "team alexa", "million", "alexa", "site", "cisco umbrella", "hostname", "united", "mail spammer", "malicious site", "covid19", "cyber threat", "filerepmalware", "phishing site", "heur", "engineering", "keybase", "bank", "malicious", "artemis", "phishing", "div div", "domain", "passive dns", "creation date", "as46606", "content type", "script script", "a div", "unknown", "meta", "process32nextw", "medium", "wizard", "registry", "module load", "t1129", "registry run", "keys", "t1060", "memcommit", "win32", "service", "explorer", "june", "copy", "delphi", "tools", "persistence", "execution", "capture", "a dd", "h3 p", "search", "aaaa", "free", "p div", "virtool", "form", "window", "next", "status", "record value", "showing", "cname", "gmt content", "body", "pulses", "urls", "files ip", "address", "location united", "asn as13335", "whois registrar", "as8075", "access", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "yara detections", "push", "filehash", "av detections", "ids detections", "alerts", "analysis date", "sec ch", "xml base64", "ch ua", "ua full", "ua platform", "moved", "whois", "trojan", "entries", "gmt server", "centos", "ransom", "detection list", "alexa top", "bluehost", "e emeseieee", "msie", "windows nt", "wow64", "slcc2", "media center", "dynamicloader", "cryptowall", "malware beacon", "suspicious", "zeus", "write", "bits", "date hash", "avast avg", "mtb dec", "script urls", "typeof", "script domains", "as54600 peg", "li ol", "apple", "ios", "samsung", "tracking", "ms windows", "pe32", "read c", "intel", "pe32 executable", "qt translation", "regsetvalueexa", "write c", "show", "april", "observer", "stream", "local", "e eue", "goatsinacoat" ], "references": [ "espysite.azurewebsites.net", "http://45.159.189.105/bot/regex [command and control infection source]", "http://update.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://www.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11", "http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858", "http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "https://twitter.com/PORNO_SEXYBABES", "https://adservice.google.com.uy/clk\t init.ess.apple.com", "WinToFlash-Lite-The-Bootable-USB-Creator-1.13.0000-Setup.exe | Setup.Bin Lockbin1.com", "crl.globalsign.com\tWinPCA.crl gscodesigng2.crl crl.globalsign.net root.crl crl.microsoft.com WinPCA.crl analytics.js tracking.minitool.com launch.php", "VTBehaviour.CommonDataStirage.GoogleAPIs.com\t Playatoms-pa.googleapis.com SongCulture.com bam.nr-data.net", "https://www.google.co.kr/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-686301-28&cid=1048899291.1595287580&jid=1064984308&_v=j83&z=1277946686&slf_rd=1&random=491737294", "Yara Detections: Delphi , ProtectSharewareV11eCompservCMS", "Alerts: stops_service network_icmp network_irc persistence_autorun creates_largekey antisandbox_mouse_hook", "Alerts: infostealer_keylogger rat_pcclient process_interest injection_resumethread stealth_hiddenfile", "Domains Contacted: cdn2.minitool.com www.partitionwizard.com", "https://otx.alienvault.com/indicator/file/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "PWS:Win32/Ymacco: FileHash-SHA256 22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "PWS:Win32/Ymacco: FileHash-MD5 0145b299e0d988750bd", "PWS:Win32/Ymacco: FileHash-SHA1 05d3eef1b402fcceced24bd5e8cc3d613c311419", "samsungdevapi.reverselogix.net", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "https://otx.alienvault.com/indicator/hostname/www.partitionwizard.com", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA256 3a8d5782cd3335cb19bc9f1588a9303e7c8bf46aa0a6dd8d9a8fbada0dc23293", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-MD5 502983a98c69c012c600e2a2a7b2a1af", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA1 217eed43662f43704c5c65bbdb503699b8689d6a", "CVE-2017-0147 CVE-2017-11882 CVE-2017-8570 CVE-2018-8453 CVE-2014-0160", "https://otx.alienvault.com/indicator/url/http://www.pulsesolutions.com/WebService/EasyLoggerWebService.asmx/", "Ransom:Win32/Crowti.A: FileHash-SHA256 3328a110970be661ce1267a553fa2ddf", "Ransom:Win32/Crowti.A: FileHash-SHA1 f7e6be8e6b15e4c67d82ec663abee6f0a292ff77", "Ransom:Win32/Crowti.A: FileHash-MD5 3328a110970be661ce1267a553fa2ddf", "https://otx.alienvault.com/indicator/file/94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com", "Alerts: procmem_yara injection_inter_process injection_create_remote_thread antiav_servicestop suricata_alert suspicious_command_tools", "Alerts: bcdedit_command stealth_network cape_detected_threat deletes_shadow_copies infostealer_cookies", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA256 00f4950d49404f58e223c0946f18a2a779c502d82ce67d419ce42f794666d3c8", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA1 fa773890465396aefe1a6b74d107ce1fee664ef9", "TrojanSpy:Win32/Nivdort.DC: FileHash-MD5 ecd1617974166e34de036ddf859a78f6", "Trojan:Win32/Formbook!MTB: FileHash-SHA256 c72bf65e0b2635221ce291191b40ddae3d599e418601dcef5d3ef4ab6e929d5f", "Trojan:Win32/Formbook!MTB: FileHash-SHA1 3bba9a34622ca39fe8b7132da8056a0d8c9be36c", "Trojan:Win32/Formbook!MTB: FileHash-MD5 1f5c006f1ef8d4998c5a6392c4082aef", "VirTool:Win32/Obfuscator.JM: FileHash-SHA256 b4cbdc6fe310af9d4d089d36141ca51d5b91ce877c6d0f6f78fc8bd8e6ce5b37", "https://saptools.mx/files/aud2txt-linux.zip | linuxeater.com | kent@riboe.se | https://saptools.mx/files/aud2txt-linux.zip", "Related Domains By Email DOMAIN ORGANISATION NAME: citrusea.com - Kent Riboe | linuxeater.com - Kent Riboe [kent@riboe.se]", "https://admin.safeid.io/Account/ResetPassword?token=Bx_9HrVhO0ihjnilL3BfcpM9s_1XmMRCAI4Sr1QWsLNmMlpmaAH0DI8fWkk7MSrh", "Tracking: jrstrackingfunction.com | http://tracking.orca-functions.zoovu.solutions/ | http://tracking.orca-functions.zoovu.solutions/", "Tracking: https://sharepointwow.msnd36.com/tracking/lc/3d8656d6-d66c-4b3b-aec3-a363f4faf30f/9d15012d-b2b5-4d70-abb1-eed6eff85f20/7b92544e-3ea3-dccc-179b-fdc110fc452a/", "Tracking: URL http://45.159.189.105/bot/regex | http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "Tracking: http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11 No Expiration\t0\t URL http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858&_r=1&z=1767086795", "IDS Detections: Win32/Kapahyku.A Activity 1 PUP/ASMalwNS.A Checkin Observed Suspicious UA (NSIS_Inetc (Mozilla))", "iappletech.com | init.ess.apple.com | https://appliedinnovation.forms.pia.ai/r | join.appliedpsych.com", "Zeus: FileHash-SHA256 94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "PWS:Win32/Ymacco", "display_name": "PWS:Win32/Ymacco", "target": "/malware/PWS:Win32/Ymacco" }, { "id": "Win.Malware.Swisyn-7610494-0", "display_name": "Win.Malware.Swisyn-7610494-0", "target": null }, { "id": "Win32:VB-AJKP\\ [Trj]", "display_name": "Win32:VB-AJKP\\ [Trj]", "target": null }, { "id": "Win.Malware.Drivepack-9884589-1", "display_name": "Win.Malware.Drivepack-9884589-1", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Zeus", "display_name": "Zeus", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Healthcare", "Civil Society", "Targeted Individuals" ], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1324, "FileHash-SHA1": 931, "FileHash-SHA256": 2209, "URL": 1572, "hostname": 1628, "domain": 1711, "email": 10, "CVE": 5, "SSLCertFingerprint": 2 }, "indicator_count": 9392, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "628 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6681f270d3801ae3dfde1cd0", "name": "Drive-by Compromise | TEL:Trojan:Win32/Injector | Zeus | Ransomware ", "description": "", "modified": "2024-07-30T08:04:39.977000", "created": "2024-07-01T00:04:00.567000", "tags": [ "vj83", "tsara brashears", "malware", "password bypass", "problems", "threat network", "infrastructure", "checking", "china", "iocs", "download", "relic", "monitoring", "installer", "graph", "server", "domain status", "date", "code", "country", "registrar abuse", "registrar", "whois lookup", "admin city", "redmond admin", "analyzer paste", "urls http", "z1277946686", "slfrd1", "uiebaae", "jid960554243", "samples", "malicious url", "z1767086795", "no data", "tag count", "count blacklist", "tag tag", "sample29", "team alexa", "million", "alexa", "site", "cisco umbrella", "hostname", "united", "mail spammer", "malicious site", "covid19", "cyber threat", "filerepmalware", "phishing site", "heur", "engineering", "keybase", "bank", "malicious", "artemis", "phishing", "div div", "domain", "passive dns", "creation date", "as46606", "content type", "script script", "a div", "unknown", "meta", "process32nextw", "medium", "wizard", "registry", "module load", "t1129", "registry run", "keys", "t1060", "memcommit", "win32", "service", "explorer", "june", "copy", "delphi", "tools", "persistence", "execution", "capture", "a dd", "h3 p", "search", "aaaa", "free", "p div", "virtool", "form", "window", "next", "status", "record value", "showing", "cname", "gmt content", "body", "pulses", "urls", "files ip", "address", "location united", "asn as13335", "whois registrar", "as8075", "access", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "yara detections", "push", "filehash", "av detections", "ids detections", "alerts", "analysis date", "sec ch", "xml base64", "ch ua", "ua full", "ua platform", "moved", "whois", "trojan", "entries", "gmt server", "centos", "ransom", "detection list", "alexa top", "bluehost", "e emeseieee", "msie", "windows nt", "wow64", "slcc2", "media center", "dynamicloader", "cryptowall", "malware beacon", "suspicious", "zeus", "write", "bits", "date hash", "avast avg", "mtb dec", "script urls", "typeof", "script domains", "as54600 peg", "li ol", "apple", "ios", "samsung", "tracking", "ms windows", "pe32", "read c", "intel", "pe32 executable", "qt translation", "regsetvalueexa", "write c", "show", "april", "observer", "stream", "local", "e eue", "goatsinacoat" ], "references": [ "espysite.azurewebsites.net", "http://45.159.189.105/bot/regex [command and control infection source]", "http://update.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://www.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11", "http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858", "http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "https://twitter.com/PORNO_SEXYBABES", "https://adservice.google.com.uy/clk\t init.ess.apple.com", "WinToFlash-Lite-The-Bootable-USB-Creator-1.13.0000-Setup.exe | Setup.Bin Lockbin1.com", "crl.globalsign.com\tWinPCA.crl gscodesigng2.crl crl.globalsign.net root.crl crl.microsoft.com WinPCA.crl analytics.js tracking.minitool.com launch.php", "VTBehaviour.CommonDataStirage.GoogleAPIs.com\t Playatoms-pa.googleapis.com SongCulture.com bam.nr-data.net", "https://www.google.co.kr/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-686301-28&cid=1048899291.1595287580&jid=1064984308&_v=j83&z=1277946686&slf_rd=1&random=491737294", "Yara Detections: Delphi , ProtectSharewareV11eCompservCMS", "Alerts: stops_service network_icmp network_irc persistence_autorun creates_largekey antisandbox_mouse_hook", "Alerts: infostealer_keylogger rat_pcclient process_interest injection_resumethread stealth_hiddenfile", "Domains Contacted: cdn2.minitool.com www.partitionwizard.com", "https://otx.alienvault.com/indicator/file/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "PWS:Win32/Ymacco: FileHash-SHA256 22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "PWS:Win32/Ymacco: FileHash-MD5 0145b299e0d988750bd", "PWS:Win32/Ymacco: FileHash-SHA1 05d3eef1b402fcceced24bd5e8cc3d613c311419", "samsungdevapi.reverselogix.net", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "https://otx.alienvault.com/indicator/hostname/www.partitionwizard.com", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA256 3a8d5782cd3335cb19bc9f1588a9303e7c8bf46aa0a6dd8d9a8fbada0dc23293", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-MD5 502983a98c69c012c600e2a2a7b2a1af", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA1 217eed43662f43704c5c65bbdb503699b8689d6a", "CVE-2017-0147 CVE-2017-11882 CVE-2017-8570 CVE-2018-8453 CVE-2014-0160", "https://otx.alienvault.com/indicator/url/http://www.pulsesolutions.com/WebService/EasyLoggerWebService.asmx/", "Ransom:Win32/Crowti.A: FileHash-SHA256 3328a110970be661ce1267a553fa2ddf", "Ransom:Win32/Crowti.A: FileHash-SHA1 f7e6be8e6b15e4c67d82ec663abee6f0a292ff77", "Ransom:Win32/Crowti.A: FileHash-MD5 3328a110970be661ce1267a553fa2ddf", "https://otx.alienvault.com/indicator/file/94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com", "Alerts: procmem_yara injection_inter_process injection_create_remote_thread antiav_servicestop suricata_alert suspicious_command_tools", "Alerts: bcdedit_command stealth_network cape_detected_threat deletes_shadow_copies infostealer_cookies", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA256 00f4950d49404f58e223c0946f18a2a779c502d82ce67d419ce42f794666d3c8", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA1 fa773890465396aefe1a6b74d107ce1fee664ef9", "TrojanSpy:Win32/Nivdort.DC: FileHash-MD5 ecd1617974166e34de036ddf859a78f6", "Trojan:Win32/Formbook!MTB: FileHash-SHA256 c72bf65e0b2635221ce291191b40ddae3d599e418601dcef5d3ef4ab6e929d5f", "Trojan:Win32/Formbook!MTB: FileHash-SHA1 3bba9a34622ca39fe8b7132da8056a0d8c9be36c", "Trojan:Win32/Formbook!MTB: FileHash-MD5 1f5c006f1ef8d4998c5a6392c4082aef", "VirTool:Win32/Obfuscator.JM: FileHash-SHA256 b4cbdc6fe310af9d4d089d36141ca51d5b91ce877c6d0f6f78fc8bd8e6ce5b37", "https://saptools.mx/files/aud2txt-linux.zip | linuxeater.com | kent@riboe.se | https://saptools.mx/files/aud2txt-linux.zip", "Related Domains By Email DOMAIN ORGANISATION NAME: citrusea.com - Kent Riboe | linuxeater.com - Kent Riboe [kent@riboe.se]", "https://admin.safeid.io/Account/ResetPassword?token=Bx_9HrVhO0ihjnilL3BfcpM9s_1XmMRCAI4Sr1QWsLNmMlpmaAH0DI8fWkk7MSrh", "Tracking: jrstrackingfunction.com | http://tracking.orca-functions.zoovu.solutions/ | http://tracking.orca-functions.zoovu.solutions/", "Tracking: https://sharepointwow.msnd36.com/tracking/lc/3d8656d6-d66c-4b3b-aec3-a363f4faf30f/9d15012d-b2b5-4d70-abb1-eed6eff85f20/7b92544e-3ea3-dccc-179b-fdc110fc452a/", "Tracking: URL http://45.159.189.105/bot/regex | http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "Tracking: http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11 No Expiration\t0\t URL http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858&_r=1&z=1767086795", "IDS Detections: Win32/Kapahyku.A Activity 1 PUP/ASMalwNS.A Checkin Observed Suspicious UA (NSIS_Inetc (Mozilla))", "iappletech.com | init.ess.apple.com | https://appliedinnovation.forms.pia.ai/r | join.appliedpsych.com", "Zeus: FileHash-SHA256 94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "PWS:Win32/Ymacco", "display_name": "PWS:Win32/Ymacco", "target": "/malware/PWS:Win32/Ymacco" }, { "id": "Win.Malware.Swisyn-7610494-0", "display_name": "Win.Malware.Swisyn-7610494-0", "target": null }, { "id": "Win32:VB-AJKP\\ [Trj]", "display_name": "Win32:VB-AJKP\\ [Trj]", "target": null }, { "id": "Win.Malware.Drivepack-9884589-1", "display_name": "Win.Malware.Drivepack-9884589-1", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Zeus", "display_name": "Zeus", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Healthcare", "Civil Society", "Targeted Individuals" ], "TLP": "green", "cloned_from": "668115d703e0a46887c7f08d", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1324, "FileHash-SHA1": 931, "FileHash-SHA256": 2209, "URL": 1572, "hostname": 1628, "domain": 1711, "email": 10, "CVE": 5, "SSLCertFingerprint": 2 }, "indicator_count": 9392, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "628 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com", "IDS Detections: Win32/Enosch.A gtalk connectivity check | Yara Detections: md5_constants", "http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858", "https://twitter.com/PORNO_SEXYBABES", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA256 00f4950d49404f58e223c0946f18a2a779c502d82ce67d419ce42f794666d3c8", "VTBehaviour.CommonDataStirage.GoogleAPIs.com\t Playatoms-pa.googleapis.com SongCulture.com bam.nr-data.net", "Zeus: FileHash-SHA256 94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "talk.plesk.com | 4evermusic.pl | nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov", "Ransom:Win32/Crowti.A: FileHash-SHA1 f7e6be8e6b15e4c67d82ec663abee6f0a292ff77", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com", "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl", "CVE-2017-0147 CVE-2017-11882 CVE-2017-8570 CVE-2018-8453 CVE-2014-0160", "4860f9c5ec1ab473f1d63d19a31c82798d65a8d2 Add to Pulse Pulses 2 AV Detections 1 IDS Detections 5 YARA Detections 3 Alerts 0 Analysis Overview Analysis Date 4 days ago File Score 12 Malicious Antivirus Detections TrojanDownloader:Win32/Tugspay.A IDS Detections TLS Handshake Failure 403 Forbidden Yara Detections Win32_PUA_Domaiq , aPLib , PECompact_2xx Alerts 31 Alerts antivm_display infostealer_browser infostealer_cookies procmem_yara static_pe_anomaly suricata_alert antivm_bochs_keys physical_drive_access ", "Ransom:Win32/Crowti.A: FileHash-MD5 3328a110970be661ce1267a553fa2ddf", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "https://saptools.mx/files/aud2txt-linux.zip | linuxeater.com | kent@riboe.se | https://saptools.mx/files/aud2txt-linux.zip", "Alerts: network_http antivm_network_adapters smtp_gmail antivm_queries_computername checks_debugger", "https://otx.alienvault.com/indicator/hostname/www.partitionwizard.com", "crl.globalsign.com\tWinPCA.crl gscodesigng2.crl crl.globalsign.net root.crl crl.microsoft.com WinPCA.crl analytics.js tracking.minitool.com launch.php", "IDS Detections: Win32/Kapahyku.A Activity 1 PUP/ASMalwNS.A Checkin Observed Suspicious UA (NSIS_Inetc (Mozilla))", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Alerts: procmem_yara injection_inter_process injection_create_remote_thread antiav_servicestop suricata_alert suspicious_command_tools", "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA", "Trojan:Win32/Formbook!MTB: FileHash-MD5 1f5c006f1ef8d4998c5a6392c4082aef", "Domains Contacted: cdn2.minitool.com www.partitionwizard.com", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Trojan:Win32/Formbook!MTB: FileHash-SHA256 c72bf65e0b2635221ce291191b40ddae3d599e418601dcef5d3ef4ab6e929d5f", "telemetry-incoming.r53-2.services.mozilla.com", "nr-data.net [Apple Private Data Collection]", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA1 fa773890465396aefe1a6b74d107ce1fee664ef9", "https://adservice.google.com.uy/clk\t init.ess.apple.com", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA256 3a8d5782cd3335cb19bc9f1588a9303e7c8bf46aa0a6dd8d9a8fbada0dc23293", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "Antivirus Detections: Win32:Agent-ASTI\\ [Trj] , Win.Trojan.Agent-357800 , Worm:Win32/Enosch!atmn", "samsungdevapi.reverselogix.net", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA1 217eed43662f43704c5c65bbdb503699b8689d6a", "Yara Detections: Delphi , ProtectSharewareV11eCompservCMS", "Alerts: infostealer_keylogger rat_pcclient process_interest injection_resumethread stealth_hiddenfile", "http://45.159.189.105/bot/regex [command and control infection source]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Unlocker]", "PWS:Win32/Ymacco: FileHash-SHA1 05d3eef1b402fcceced24bd5e8cc3d613c311419", "Tracking: http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11 No Expiration\t0\t URL http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858&_r=1&z=1767086795", "Tracking: https://sharepointwow.msnd36.com/tracking/lc/3d8656d6-d66c-4b3b-aec3-a363f4faf30f/9d15012d-b2b5-4d70-abb1-eed6eff85f20/7b92544e-3ea3-dccc-179b-fdc110fc452a/", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "ISP: Charter Communications Inc Usage Type\tFixed Line ISP", "Ransom:Win32/Crowti.A: FileHash-SHA256 3328a110970be661ce1267a553fa2ddf", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "PWS:Win32/Ymacco: FileHash-SHA256 22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Alerts: network_icmp network_smtp persistence_autorun modifies_proxy_wpad dumped_buffer", "Trojan:Win32/Formbook!MTB: FileHash-SHA1 3bba9a34622ca39fe8b7132da8056a0d8c9be36c", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "iappletech.com | init.ess.apple.com | https://appliedinnovation.forms.pia.ai/r | join.appliedpsych.com", "Worm:Win32/Enosch: FileHash-MD5 c98108ca8f4e0dd8a3f63d4ac490e115", "espysite.azurewebsites.net", "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-MD5 502983a98c69c012c600e2a2a7b2a1af", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.", "http://www.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "http://update.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "https://otx.alienvault.com/indicator/url/http://www.pulsesolutions.com/WebService/EasyLoggerWebService.asmx/", "Worm:Win32/Enosch: FileHash-SHA1 c1f7aeab8ae436f1e94bce12a465db736850f4d5", "WinToFlash-Lite-The-Bootable-USB-Creator-1.13.0000-Setup.exe | Setup.Bin Lockbin1.com", "IDS Detections: Suspicious double Server Header Possible Kelihos", "http://www.door.net/ARISBE/arisbe.htm", "https://otx.alienvault.com/indicator/file/94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "Tracking: URL http://45.159.189.105/bot/regex | http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "PWS:Win32/Ymacco: FileHash-MD5 0145b299e0d988750bd", "Worm:Win32/Enosch: FileHash-SHA256\t00001fce075ec7fe698d6ede804939221afcf40750027fde6b29a75af85ea2cc", "Alerts: bcdedit_command stealth_network cape_detected_threat deletes_shadow_copies infostealer_cookies", "Related Domains By Email DOMAIN ORGANISATION NAME: citrusea.com - Kent Riboe | linuxeater.com - Kent Riboe [kent@riboe.se]", "Tracking: jrstrackingfunction.com | http://tracking.orca-functions.zoovu.solutions/ | http://tracking.orca-functions.zoovu.solutions/", "TrojanSpy:Win32/Nivdort.DC: FileHash-MD5 ecd1617974166e34de036ddf859a78f6", "Alerts: stops_service network_icmp network_irc persistence_autorun creates_largekey antisandbox_mouse_hook", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel", "47.courier-push-apple.com.akadns.net", "https://www.google.co.kr/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-686301-28&cid=1048899291.1595287580&jid=1064984308&_v=j83&z=1277946686&slf_rd=1&random=491737294", "https://admin.safeid.io/Account/ResetPassword?token=Bx_9HrVhO0ihjnilL3BfcpM9s_1XmMRCAI4Sr1QWsLNmMlpmaAH0DI8fWkk7MSrh", "beacons.bcp.gvt.com, desktop.google.co.id, drive.google.com, google.com , https.www.google.com", "http://www.google.com/images/errors/robot.png", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "VirTool:Win32/Obfuscator.JM: FileHash-SHA256 b4cbdc6fe310af9d4d089d36141ca51d5b91ce877c6d0f6f78fc8bd8e6ce5b37", "T1110.001 (Brute Force: Password Guessing)", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.", "https://otx.alienvault.com/indicator/file/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "Obfuscation: XOR-based String Encryption (0x20)", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s" ], "malware_families": [ "Nids", "Et", "Virtool:win32/obfuscator", "Malware family: stealthworker / gobrut", "Kelihos", "Ransom:win32/crowti.a", "Pws:win32/ymacco", "Backdoor:win32/tofsee", "Inject3.qgy", "Nod32", "Etpro", "Trojan:win32/glupteba", "Trojandownloader:win32/cutwail", "Zeus", "Worm:win32/enosch!atmn", "Sf:shellcode-au\\ [trj]", "Win.malware.drivepack-9884589-1", "Tel:trojan:win32/injector.ab!msr", "Win.malware.swisyn-7610494-0", "Win32:vb-ajkp\\ [trj]", "Md5 hash: f8add7e7161460ea2b1970cf4ca535bf", "Cerber ransomware" ], "industries": [ "Healthcare", "Civil society", "Media", "Targeted individuals", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-13T23:46:20.071000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 107, "CIDR": 6 }, "indicator_count": 33117, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698ef344417f9985660e698b", "name": "Pulse Data", "description": "A complete summary of all the key points in the analysis of the W32.virus, compiled by the University of California, Los Angeles, at the end of May, 2014, and published online.", "modified": "2026-03-28T07:23:23.210000", "created": "2026-02-13T09:47:48.788000", "tags": [ "imphash", "file type", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections tls", "zeppelin" ], "references": [ "", "4860f9c5ec1ab473f1d63d19a31c82798d65a8d2 Add to Pulse Pulses 2 AV Detections 1 IDS Detections 5 YARA Detections 3 Alerts 0 Analysis Overview Analysis Date 4 days ago File Score 12 Malicious Antivirus Detections TrojanDownloader:Win32/Tugspay.A IDS Detections TLS Handshake Failure 403 Forbidden Yara Detections Win32_PUA_Domaiq , aPLib , PECompact_2xx Alerts 31 Alerts antivm_display infostealer_browser infostealer_cookies procmem_yara static_pe_anomaly suricata_alert antivm_bochs_keys physical_drive_access " ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 646, "FileHash-SHA1": 604, "FileHash-SHA256": 1373, "hostname": 1143, "domain": 1381, "URL": 2537, "CVE": 101, "email": 25, "SSLCertFingerprint": 9 }, "indicator_count": 7819, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f100d791f9f9f6ab7b4f24", "name": "Cerber \u00bb Charter Communications \u00bb Spectrum Denver", "description": "[107.14.73.70] IP address range owned by Charter Communications Inc and located in Denver, Co United States.\n\nTargets & family neighborhood ISP's attacked again. Internet and targets devices attacked , Internet had to be reset twice by tech teams. Our team was able to track comprises directed towards target and families devices, which they are destroying. Stolen passwords, leaks, forced content, dumping. Both Spectrum & Quantum fiber positive for malicious activity within targeted devices. Fake iOS update pushed to a device. It comes with an agreement from Apple Singapore, LTD. \n\nMalware Families ,\nBackdoor:Win32/Tofse , \nCerber Ransomware ,\nET. \nETPRO ,\nInject3.QGY ,\nKelihos ,\nNIDS ,\nNOD32 ,\nSf:ShellCode-AU\\ [Trj] , \nTrojan:Win32/Glupteba ,\nTrojanDownloader:Win32/Cutwail ,\nVirTool:Win32/Obfuscator", "modified": "2024-10-23T05:03:21.045000", "created": "2024-09-23T05:47:03.625000", "tags": [ "isp charter", "usage type", "fixed line", "isp hostname", "domain name", "country united", "america city", "denver", "colorado", "ip address", "whois", "check", "information isp", "inc usage", "type fixed", "line isp", "hostname", "plesk forum", "centos web", "panel forum", "whois lookup", "netrange", "nethandle", "net107", "net1070000", "cc3517", "inc orgid", "dr city", "stateprov", "postalcode", "status", "as7843 charter", "united", "name servers", "passive dns", "urls", "domain", "search", "emails", "unknown", "scan endpoints", "all scoreblue", "ipv4", "files", "reverse dns", "location united", "win32", "abuseipdb", "read", "write", "read c", "server header", "show", "suspicious", "kelihos", "trojan", "artemis", "virustotal", "download", "drweb", "vipre", "panda", "malware", "specified", "next", "et trojan", "et info", "medium", "http", "ids detections", "yara detections", "e98c1cec8156", "as11426 charter", "as20001 charter", "as11427 charter", "as11351 charter", "as16787 charter", "as33363 charter", "as20115 charter", "as10796 charter", "as12271 charter", "body", "servers", "all search", "entries", "intel", "ms windows", "windows nt", "destination", "port", "asnone", "heurunsec", "etpro trojan", "nxdomain", "a nxdomain", "aaaa", "asnone united", "aaaa nxdomain", "backdoor", "pulse submit", "url analysis", "location oxford", "as3456 charter", "moved", "showing", "body doctype", "html public", "ietfdtd html", "as6976 verizon", "as701 verizon", "file samples", "files matching", "date hash", "copyright", "levelblue", "related pulses", "pulse pulses", "kryptikpii", "msr apr", "date", "creation date", "analyzer paste", "iocs", "samples", "secure server", "cname", "as5742", "body head", "object moved", "content length", "content type", "cookie", "as15133 verizon", "lowfi", "gmt server", "ecacc", "record value", "oxford", "michigan", "ns nxdomain", "soa nxdomain", "url http", "mitre att", "evasion ta0005", "creates", "discovery t1082", "reads software", "file", "t1083 reads", "jujubox", "zenbox", "get http", "request", "host", "win64", "khtml", "gecko", "response", "cus cndigicert", "tls rsa", "user", "javascript c", "doscom c", "text c", "files c", "storage", "file system", "filesadobe c", "appdata", "appdatalocal", "hostnames", "ta0002 command", "t1059 very", "t1064", "javascript", "modules t1129", "ta0003 create", "modify system", "process t1543", "windows service", "cisco umbrella", "blacklist", "safe site", "filerepmalware", "microsoft", "phishing bank", "sgeneric", "malware site", "unsafe", "number", "cus cngts", "ogoogle trust", "subject", "algorithm", "cus ouserver", "ouserver ca", "record type", "ttl value", "msms86718722", "query", "open", "capa", "create process", "windows create", "delete file", "write file", "windows check", "os version", "enumerate", "hashes", "signals mutexes", "mutexes", "open threat", "location los", "emails info", "expiration date", "write c", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "as51167 contabo", "germany unknown", "as40021 contabo", "encrypt", "hosting", "netherlands asn", "as204601 zomro", "pulses", "tags", "related tags", "indicator facts", "historical otx", "files ip", "asnone germany", "as174 cogent", "czechia unknown", "whitelisted", "certificate", "bittorrent dht", "post http", "et p2p", "cryptexportkey", "invalid pointer", "delete c", "post utcore", "benchhttp", "mozilla", "maldoc", "service", "tools", "nids", "et", "x95xd3xa4", "regbinary", "hx88x89", "kx82xd3x11", "xb9x8b", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "stream", "persistence", "execution", "dynamicloader", "contacted", "domains", "yara rule", "high", "dynamic", "pcap", "pushdo", "msie", "activity beacon", "malware beacon", "default", "redacted for", "for privacy", "as3379 kaiser", "server", "gmt content", "type", "x frame", "entries http", "scans show", "domain related", "no data", "tag count", "fakedout threat", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "components", "zune", "etpro", "nod32", "avast avg", "next http", "example domain", "title meta", "invalid url", "akamai", "urls http", "as20940", "as16625 akamai", "netherlands", "germany", "france", "virtool", "rock", "address", "apache", "accept", "as8075", "pulse http", "related nids", "files location", "moldova related", "pulses none", "as31898 oracle", "title", "kryptiklfq", "win32dh", "vitro", "shutdown", "erase", "find", "close", "as53418", "hat server", "as797 att", "script urls", "a domains", "as10753 level", "script script", "meta", "path", "null", "stop", "as54113", "chrome", "as7018 att", "as28521", "mexico unknown", "fastly error", "please", "sea p", "object", "set cookie", "pragma", "as19536 directv", "united kingdom", "as60664 xion", "trojan features", "moldova unknown", "susp", "breaking news", "business", "finance", "entertainment", "sports", "games", "trending videos", "weather", "home", "as396982 google", "url https", "type indicator", "role title", "added active", "cyberfolks", ".pl", "level 3" ], "references": [ "ISP: Charter Communications Inc Usage Type\tFixed Line ISP", "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA", "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.", "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com", "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e", "IDS Detections: Suspicious double Server Header Possible Kelihos", "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header", "telemetry-incoming.r53-2.services.mozilla.com", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel", "http://www.door.net/ARISBE/arisbe.htm", "talk.plesk.com | 4evermusic.pl | nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov", "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Hungary", "Ukraine", "Spain", "Brazil", "Russian Federation", "Moldova, Republic of", "Japan", "Ireland", "Luxembourg", "Canada" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Cerber Ransomware", "display_name": "Cerber Ransomware", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Inject3.QGY", "display_name": "Inject3.QGY", "target": null }, { "id": "Kelihos", "display_name": "Kelihos", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "NOD32", "display_name": "NOD32", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2060, "hostname": 3067, "CIDR": 4, "URL": 1300, "email": 29, "FileHash-MD5": 3181, "FileHash-SHA1": 1994, "FileHash-SHA256": 3228, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 14866, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66933b9c8be1a5b9e24de941", "name": "Worm:Win32/Enosch - Affecting YouTube, Google and more", "description": "", "modified": "2024-08-13T02:01:24.759000", "created": "2024-07-14T02:44:44.457000", "tags": [ "june", "october", "july", "tracking", "december", "apple ios", "relacionada", "partru", "plugx", "cryptbot", "hacktool", "lockbit", "as8075", "united", "slot1", "mascore2", "bcnt1", "nct1", "arc1", "ems1", "auth1", "localeenus", "date", "default", "show", "regsetvalueexa", "search", "regdword", "medium", "settingswpad", "delete", "ids detections", "yara detections", "worm", "malware", "copy", "write", "win32", "unknown", "asnone united", "as14061", "status", "creation date", "name servers", "cname", "next", "passive dns", "as15169 google", "gmt cache", "sameorigin", "443 ma2592000", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "as63949 linode", "html", "gmt content", "moved", "encrypt", "body", "record value", "emails", "domain name", "error", "code", "algorithm", "key usage", "v3 serial", "number", "public key", "info", "key algorithm", "subject key", "identifier", "x509v3 crl", "first", "as6185 apple", "japan", "as8068", "as714 apple", "aaaa", "as32244 liquid", "nxdomain", "as44273 host", "script urls", "meta", "as31154 toyota", "belgium unknown", "belgium", "pulse submit", "url analysis", "win32 exe", "android", "servers", "files", "name", "domain", "ashley", "sylvia", "sonja", "file type", "karin", "gina", "christine", "kathrin", "sandy" ], "references": [ "http://www.google.com/images/errors/robot.png", "beacons.bcp.gvt.com, desktop.google.co.id, drive.google.com, google.com , https.www.google.com", "nr-data.net [Apple Private Data Collection]", "47.courier-push-apple.com.akadns.net", "Antivirus Detections: Win32:Agent-ASTI\\ [Trj] , Win.Trojan.Agent-357800 , Worm:Win32/Enosch!atmn", "IDS Detections: Win32/Enosch.A gtalk connectivity check | Yara Detections: md5_constants", "Alerts: network_icmp network_smtp persistence_autorun modifies_proxy_wpad dumped_buffer", "Alerts: network_http antivm_network_adapters smtp_gmail antivm_queries_computername checks_debugger", "Worm:Win32/Enosch: FileHash-SHA256\t00001fce075ec7fe698d6ede804939221afcf40750027fde6b29a75af85ea2cc", "Worm:Win32/Enosch: FileHash-SHA1 c1f7aeab8ae436f1e94bce12a465db736850f4d5", "Worm:Win32/Enosch: FileHash-MD5 c98108ca8f4e0dd8a3f63d4ac490e115", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Unlocker]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Enosch!atmn", "display_name": "Worm:Win32/Enosch!atmn", "target": "/malware/Worm:Win32/Enosch!atmn" } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Media", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 146, "FileHash-SHA1": 126, "FileHash-SHA256": 1422, "URL": 377, "domain": 889, "hostname": 418, "SSLCertFingerprint": 1, "email": 10 }, "indicator_count": 3389, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "614 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "668115d703e0a46887c7f08d", "name": "Drive-by Compromise | TEL:Trojan:Win32/Injector | Zeus | Ransomware", "description": "Targeted Individual has experienced attacks on both iOS, Android, MacBooks & PC's. Drive-by Compromise can be accomplished by various methods this can be done, for example: A pop up advert could have an 'X' in the corner that disguises itself as a close button, but actually acts as a catalyst for starting a malicious download once pressed. A tactic used on specific target is a pop-up w/with (a non-Google affiliated disclaimer)'Google' account chooser with Google logo desired email checked. [https://accounts.google.com/AccountChooser?]; checked. Every time TB acquired a new phone, this occurs. A link could appear legitimate, but clicking on it could cause the download to begin. Drive-by Compromise \u00b7 A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript.", "modified": "2024-07-30T08:04:39.977000", "created": "2024-06-30T08:22:47.783000", "tags": [ "vj83", "tsara brashears", "malware", "password bypass", "problems", "threat network", "infrastructure", "checking", "china", "iocs", "download", "relic", "monitoring", "installer", "graph", "server", "domain status", "date", "code", "country", "registrar abuse", "registrar", "whois lookup", "admin city", "redmond admin", "analyzer paste", "urls http", "z1277946686", "slfrd1", "uiebaae", "jid960554243", "samples", "malicious url", "z1767086795", "no data", "tag count", "count blacklist", "tag tag", "sample29", "team alexa", "million", "alexa", "site", "cisco umbrella", "hostname", "united", "mail spammer", "malicious site", "covid19", "cyber threat", "filerepmalware", "phishing site", "heur", "engineering", "keybase", "bank", "malicious", "artemis", "phishing", "div div", "domain", "passive dns", "creation date", "as46606", "content type", "script script", "a div", "unknown", "meta", "process32nextw", "medium", "wizard", "registry", "module load", "t1129", "registry run", "keys", "t1060", "memcommit", "win32", "service", "explorer", "june", "copy", "delphi", "tools", "persistence", "execution", "capture", "a dd", "h3 p", "search", "aaaa", "free", "p div", "virtool", "form", "window", "next", "status", "record value", "showing", "cname", "gmt content", "body", "pulses", "urls", "files ip", "address", "location united", "asn as13335", "whois registrar", "as8075", "access", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "yara detections", "push", "filehash", "av detections", "ids detections", "alerts", "analysis date", "sec ch", "xml base64", "ch ua", "ua full", "ua platform", "moved", "whois", "trojan", "entries", "gmt server", "centos", "ransom", "detection list", "alexa top", "bluehost", "e emeseieee", "msie", "windows nt", "wow64", "slcc2", "media center", "dynamicloader", "cryptowall", "malware beacon", "suspicious", "zeus", "write", "bits", "date hash", "avast avg", "mtb dec", "script urls", "typeof", "script domains", "as54600 peg", "li ol", "apple", "ios", "samsung", "tracking", "ms windows", "pe32", "read c", "intel", "pe32 executable", "qt translation", "regsetvalueexa", "write c", "show", "april", "observer", "stream", "local", "e eue", "goatsinacoat" ], "references": [ "espysite.azurewebsites.net", "http://45.159.189.105/bot/regex [command and control infection source]", "http://update.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://www.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11", "http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858", "http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "https://twitter.com/PORNO_SEXYBABES", "https://adservice.google.com.uy/clk\t init.ess.apple.com", "WinToFlash-Lite-The-Bootable-USB-Creator-1.13.0000-Setup.exe | Setup.Bin Lockbin1.com", "crl.globalsign.com\tWinPCA.crl gscodesigng2.crl crl.globalsign.net root.crl crl.microsoft.com WinPCA.crl analytics.js tracking.minitool.com launch.php", "VTBehaviour.CommonDataStirage.GoogleAPIs.com\t Playatoms-pa.googleapis.com SongCulture.com bam.nr-data.net", "https://www.google.co.kr/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-686301-28&cid=1048899291.1595287580&jid=1064984308&_v=j83&z=1277946686&slf_rd=1&random=491737294", "Yara Detections: Delphi , ProtectSharewareV11eCompservCMS", "Alerts: stops_service network_icmp network_irc persistence_autorun creates_largekey antisandbox_mouse_hook", "Alerts: infostealer_keylogger rat_pcclient process_interest injection_resumethread stealth_hiddenfile", "Domains Contacted: cdn2.minitool.com www.partitionwizard.com", "https://otx.alienvault.com/indicator/file/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "PWS:Win32/Ymacco: FileHash-SHA256 22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "PWS:Win32/Ymacco: FileHash-MD5 0145b299e0d988750bd", "PWS:Win32/Ymacco: FileHash-SHA1 05d3eef1b402fcceced24bd5e8cc3d613c311419", "samsungdevapi.reverselogix.net", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "https://otx.alienvault.com/indicator/hostname/www.partitionwizard.com", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA256 3a8d5782cd3335cb19bc9f1588a9303e7c8bf46aa0a6dd8d9a8fbada0dc23293", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-MD5 502983a98c69c012c600e2a2a7b2a1af", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA1 217eed43662f43704c5c65bbdb503699b8689d6a", "CVE-2017-0147 CVE-2017-11882 CVE-2017-8570 CVE-2018-8453 CVE-2014-0160", "https://otx.alienvault.com/indicator/url/http://www.pulsesolutions.com/WebService/EasyLoggerWebService.asmx/", "Ransom:Win32/Crowti.A: FileHash-SHA256 3328a110970be661ce1267a553fa2ddf", "Ransom:Win32/Crowti.A: FileHash-SHA1 f7e6be8e6b15e4c67d82ec663abee6f0a292ff77", "Ransom:Win32/Crowti.A: FileHash-MD5 3328a110970be661ce1267a553fa2ddf", "https://otx.alienvault.com/indicator/file/94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com", "Alerts: procmem_yara injection_inter_process injection_create_remote_thread antiav_servicestop suricata_alert suspicious_command_tools", "Alerts: bcdedit_command stealth_network cape_detected_threat deletes_shadow_copies infostealer_cookies", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA256 00f4950d49404f58e223c0946f18a2a779c502d82ce67d419ce42f794666d3c8", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA1 fa773890465396aefe1a6b74d107ce1fee664ef9", "TrojanSpy:Win32/Nivdort.DC: FileHash-MD5 ecd1617974166e34de036ddf859a78f6", "Trojan:Win32/Formbook!MTB: FileHash-SHA256 c72bf65e0b2635221ce291191b40ddae3d599e418601dcef5d3ef4ab6e929d5f", "Trojan:Win32/Formbook!MTB: FileHash-SHA1 3bba9a34622ca39fe8b7132da8056a0d8c9be36c", "Trojan:Win32/Formbook!MTB: FileHash-MD5 1f5c006f1ef8d4998c5a6392c4082aef", "VirTool:Win32/Obfuscator.JM: FileHash-SHA256 b4cbdc6fe310af9d4d089d36141ca51d5b91ce877c6d0f6f78fc8bd8e6ce5b37", "https://saptools.mx/files/aud2txt-linux.zip | linuxeater.com | kent@riboe.se | https://saptools.mx/files/aud2txt-linux.zip", "Related Domains By Email DOMAIN ORGANISATION NAME: citrusea.com - Kent Riboe | linuxeater.com - Kent Riboe [kent@riboe.se]", "https://admin.safeid.io/Account/ResetPassword?token=Bx_9HrVhO0ihjnilL3BfcpM9s_1XmMRCAI4Sr1QWsLNmMlpmaAH0DI8fWkk7MSrh", "Tracking: jrstrackingfunction.com | http://tracking.orca-functions.zoovu.solutions/ | http://tracking.orca-functions.zoovu.solutions/", "Tracking: https://sharepointwow.msnd36.com/tracking/lc/3d8656d6-d66c-4b3b-aec3-a363f4faf30f/9d15012d-b2b5-4d70-abb1-eed6eff85f20/7b92544e-3ea3-dccc-179b-fdc110fc452a/", "Tracking: URL http://45.159.189.105/bot/regex | http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "Tracking: http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11 No Expiration\t0\t URL http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858&_r=1&z=1767086795", "IDS Detections: Win32/Kapahyku.A Activity 1 PUP/ASMalwNS.A Checkin Observed Suspicious UA (NSIS_Inetc (Mozilla))", "iappletech.com | init.ess.apple.com | https://appliedinnovation.forms.pia.ai/r | join.appliedpsych.com", "Zeus: FileHash-SHA256 94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "PWS:Win32/Ymacco", "display_name": "PWS:Win32/Ymacco", "target": "/malware/PWS:Win32/Ymacco" }, { "id": "Win.Malware.Swisyn-7610494-0", "display_name": "Win.Malware.Swisyn-7610494-0", "target": null }, { "id": "Win32:VB-AJKP\\ [Trj]", "display_name": "Win32:VB-AJKP\\ [Trj]", "target": null }, { "id": "Win.Malware.Drivepack-9884589-1", "display_name": "Win.Malware.Drivepack-9884589-1", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Zeus", "display_name": "Zeus", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Healthcare", "Civil Society", "Targeted Individuals" ], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1324, "FileHash-SHA1": 931, "FileHash-SHA256": 2209, "URL": 1572, "hostname": 1628, "domain": 1711, "email": 10, "CVE": 5, "SSLCertFingerprint": 2 }, "indicator_count": 9392, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "628 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6681f270d3801ae3dfde1cd0", "name": "Drive-by Compromise | TEL:Trojan:Win32/Injector | Zeus | Ransomware ", "description": "", "modified": "2024-07-30T08:04:39.977000", "created": "2024-07-01T00:04:00.567000", "tags": [ "vj83", "tsara brashears", "malware", "password bypass", "problems", "threat network", "infrastructure", "checking", "china", "iocs", "download", "relic", "monitoring", "installer", "graph", "server", "domain status", "date", "code", "country", "registrar abuse", "registrar", "whois lookup", "admin city", "redmond admin", "analyzer paste", "urls http", "z1277946686", "slfrd1", "uiebaae", "jid960554243", "samples", "malicious url", "z1767086795", "no data", "tag count", "count blacklist", "tag tag", "sample29", "team alexa", "million", "alexa", "site", "cisco umbrella", "hostname", "united", "mail spammer", "malicious site", "covid19", "cyber threat", "filerepmalware", "phishing site", "heur", "engineering", "keybase", "bank", "malicious", "artemis", "phishing", "div div", "domain", "passive dns", "creation date", "as46606", "content type", "script script", "a div", "unknown", "meta", "process32nextw", "medium", "wizard", "registry", "module load", "t1129", "registry run", "keys", "t1060", "memcommit", "win32", "service", "explorer", "june", "copy", "delphi", "tools", "persistence", "execution", "capture", "a dd", "h3 p", "search", "aaaa", "free", "p div", "virtool", "form", "window", "next", "status", "record value", "showing", "cname", "gmt content", "body", "pulses", "urls", "files ip", "address", "location united", "asn as13335", "whois registrar", "as8075", "access", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "yara detections", "push", "filehash", "av detections", "ids detections", "alerts", "analysis date", "sec ch", "xml base64", "ch ua", "ua full", "ua platform", "moved", "whois", "trojan", "entries", "gmt server", "centos", "ransom", "detection list", "alexa top", "bluehost", "e emeseieee", "msie", "windows nt", "wow64", "slcc2", "media center", "dynamicloader", "cryptowall", "malware beacon", "suspicious", "zeus", "write", "bits", "date hash", "avast avg", "mtb dec", "script urls", "typeof", "script domains", "as54600 peg", "li ol", "apple", "ios", "samsung", "tracking", "ms windows", "pe32", "read c", "intel", "pe32 executable", "qt translation", "regsetvalueexa", "write c", "show", "april", "observer", "stream", "local", "e eue", "goatsinacoat" ], "references": [ "espysite.azurewebsites.net", "http://45.159.189.105/bot/regex [command and control infection source]", "http://update.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://www.partitionwizard.com/checking-update/ko/verconfig-v11-registered.txt", "http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11", "http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858", "http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "https://twitter.com/PORNO_SEXYBABES", "https://adservice.google.com.uy/clk\t init.ess.apple.com", "WinToFlash-Lite-The-Bootable-USB-Creator-1.13.0000-Setup.exe | Setup.Bin Lockbin1.com", "crl.globalsign.com\tWinPCA.crl gscodesigng2.crl crl.globalsign.net root.crl crl.microsoft.com WinPCA.crl analytics.js tracking.minitool.com launch.php", "VTBehaviour.CommonDataStirage.GoogleAPIs.com\t Playatoms-pa.googleapis.com SongCulture.com bam.nr-data.net", "https://www.google.co.kr/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-686301-28&cid=1048899291.1595287580&jid=1064984308&_v=j83&z=1277946686&slf_rd=1&random=491737294", "Yara Detections: Delphi , ProtectSharewareV11eCompservCMS", "Alerts: stops_service network_icmp network_irc persistence_autorun creates_largekey antisandbox_mouse_hook", "Alerts: infostealer_keylogger rat_pcclient process_interest injection_resumethread stealth_hiddenfile", "Domains Contacted: cdn2.minitool.com www.partitionwizard.com", "https://otx.alienvault.com/indicator/file/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "PWS:Win32/Ymacco: FileHash-SHA256 22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "PWS:Win32/Ymacco: FileHash-MD5 0145b299e0d988750bd", "PWS:Win32/Ymacco: FileHash-SHA1 05d3eef1b402fcceced24bd5e8cc3d613c311419", "samsungdevapi.reverselogix.net", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/22e8de5785b65790950eeef5e81dadf9acd44d7767399f8a88bab8b7059b1269", "https://otx.alienvault.com/indicator/hostname/www.partitionwizard.com", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA256 3a8d5782cd3335cb19bc9f1588a9303e7c8bf46aa0a6dd8d9a8fbada0dc23293", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-MD5 502983a98c69c012c600e2a2a7b2a1af", "TEL:Trojan:Win32/Injector.AB!MSR: FileHash-SHA1 217eed43662f43704c5c65bbdb503699b8689d6a", "CVE-2017-0147 CVE-2017-11882 CVE-2017-8570 CVE-2018-8453 CVE-2014-0160", "https://otx.alienvault.com/indicator/url/http://www.pulsesolutions.com/WebService/EasyLoggerWebService.asmx/", "Ransom:Win32/Crowti.A: FileHash-SHA256 3328a110970be661ce1267a553fa2ddf", "Ransom:Win32/Crowti.A: FileHash-SHA1 f7e6be8e6b15e4c67d82ec663abee6f0a292ff77", "Ransom:Win32/Crowti.A: FileHash-MD5 3328a110970be661ce1267a553fa2ddf", "https://otx.alienvault.com/indicator/file/94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com", "Alerts: procmem_yara injection_inter_process injection_create_remote_thread antiav_servicestop suricata_alert suspicious_command_tools", "Alerts: bcdedit_command stealth_network cape_detected_threat deletes_shadow_copies infostealer_cookies", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA256 00f4950d49404f58e223c0946f18a2a779c502d82ce67d419ce42f794666d3c8", "TrojanSpy:Win32/Nivdort.DC: FileHash-SHA1 fa773890465396aefe1a6b74d107ce1fee664ef9", "TrojanSpy:Win32/Nivdort.DC: FileHash-MD5 ecd1617974166e34de036ddf859a78f6", "Trojan:Win32/Formbook!MTB: FileHash-SHA256 c72bf65e0b2635221ce291191b40ddae3d599e418601dcef5d3ef4ab6e929d5f", "Trojan:Win32/Formbook!MTB: FileHash-SHA1 3bba9a34622ca39fe8b7132da8056a0d8c9be36c", "Trojan:Win32/Formbook!MTB: FileHash-MD5 1f5c006f1ef8d4998c5a6392c4082aef", "VirTool:Win32/Obfuscator.JM: FileHash-SHA256 b4cbdc6fe310af9d4d089d36141ca51d5b91ce877c6d0f6f78fc8bd8e6ce5b37", "https://saptools.mx/files/aud2txt-linux.zip | linuxeater.com | kent@riboe.se | https://saptools.mx/files/aud2txt-linux.zip", "Related Domains By Email DOMAIN ORGANISATION NAME: citrusea.com - Kent Riboe | linuxeater.com - Kent Riboe [kent@riboe.se]", "https://admin.safeid.io/Account/ResetPassword?token=Bx_9HrVhO0ihjnilL3BfcpM9s_1XmMRCAI4Sr1QWsLNmMlpmaAH0DI8fWkk7MSrh", "Tracking: jrstrackingfunction.com | http://tracking.orca-functions.zoovu.solutions/ | http://tracking.orca-functions.zoovu.solutions/", "Tracking: https://sharepointwow.msnd36.com/tracking/lc/3d8656d6-d66c-4b3b-aec3-a363f4faf30f/9d15012d-b2b5-4d70-abb1-eed6eff85f20/7b92544e-3ea3-dccc-179b-fdc110fc452a/", "Tracking: URL http://45.159.189.105/bot/regex | http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11", "Tracking: http://tracking.minitool.com/pw/launch.php?120100-from-enterprise-v11 No Expiration\t0\t URL http://www.google-analytics.com/r/collect?v=1&_v=j83&a=160340377&t=pageview&_s=1&dl=http://tracking.minitool.com/pw/launch.html?120100-from-enterprise-v11&ul=en-us&de=utf-8&dt=launch%20tracking&sd=32-bit&sr=1152x864&vp=79x26&je=0&fl=19.0%20r0&_u=IEBAAE~&jid=960554243&gjid=1088832951&cid=1848517172.1595359858&tid=UA-686301-39&_gid=1248672958.1595359858&_r=1&z=1767086795", "IDS Detections: Win32/Kapahyku.A Activity 1 PUP/ASMalwNS.A Checkin Observed Suspicious UA (NSIS_Inetc (Mozilla))", "iappletech.com | init.ess.apple.com | https://appliedinnovation.forms.pia.ai/r | join.appliedpsych.com", "Zeus: FileHash-SHA256 94cdf28c30c4bb09d191990706844f10d8ba837459c9a81dd672f209e77c2fb9", "IDS Detections: CryptoWall Check-in Zeus Bot Connectivity Check External IP Check myexternalip.com IP Check myexternalip.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "PWS:Win32/Ymacco", "display_name": "PWS:Win32/Ymacco", "target": "/malware/PWS:Win32/Ymacco" }, { "id": "Win.Malware.Swisyn-7610494-0", "display_name": "Win.Malware.Swisyn-7610494-0", "target": null }, { "id": "Win32:VB-AJKP\\ [Trj]", "display_name": "Win32:VB-AJKP\\ [Trj]", "target": null }, { "id": "Win.Malware.Drivepack-9884589-1", "display_name": "Win.Malware.Drivepack-9884589-1", "target": null }, { "id": "TEL:Trojan:Win32/Injector.AB!MSR", "display_name": "TEL:Trojan:Win32/Injector.AB!MSR", "target": null }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Zeus", "display_name": "Zeus", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Healthcare", "Civil Society", "Targeted Individuals" ], "TLP": "green", "cloned_from": "668115d703e0a46887c7f08d", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1324, "FileHash-SHA1": 931, "FileHash-SHA256": 2209, "URL": 1572, "hostname": 1628, "domain": 1711, "email": 10, "CVE": 5, "SSLCertFingerprint": 2 }, "indicator_count": 9392, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "628 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "loopmasters.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "loopmasters.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776639579.1601949 }