{ "type": "Domain", "indicator": "lyryled.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/lyryled.com", "alexa": "http://www.alexa.com/siteinfo/lyryled.com", "indicator": "lyryled.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 144246908, "indicator": "lyryled.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 18, "pulses": [ { "id": "688d5bab9ce44c4321064457", "name": "xloader", "description": "", "modified": "2026-01-12T23:06:55.682000", "created": "2025-08-02T00:28:27.331000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 388, "FileHash-MD5": 83, "FileHash-SHA1": 45, "FileHash-SHA256": 308, "domain": 392, "hostname": 107 }, "indicator_count": 1323, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "138 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "683e4307a059dee6d1ade4ed", "name": "lumma", "description": "", "modified": "2026-01-04T22:52:50.774000", "created": "2025-06-03T00:34:15.050000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 31, "FileHash-SHA1": 22, "FileHash-SHA256": 90, "URL": 550, "domain": 380, "hostname": 33 }, "indicator_count": 1106, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ddc9048ba0719321307d03", "name": "Malicious Probe - WannaCry \u2022 WannaCrypt- Ransomware", "description": "Malicious remote cab / drive by via an alt google redirect , clicked image , suspicious, low amount of search results.\nRead coded image. Target/s phone -cnc and infected. #dead_connect #decrypted #hacked #nametactics", "modified": "2025-11-01T00:02:59.726000", "created": "2025-10-02T00:36:20.247000", "tags": [ "ip address", "key identifier", "x509v3 subject", "data", "v3 serial", "cus ogoogle", "trust", "cnwr3 validity", "subject public", "key info", "links", "dynamicloader", "high", "et exploit", "ms17010", "msf style", "probe ms17010", "generic flags", "dns lookup", "ransom", "write", "malware", "wannacrypt", "wannacry", "eternal blue", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "development att", "ssl certificate", "programfiles", "username", "windir", "userprofile", "mitre att", "ck matrix", "localappdata", "comspec", "model", "hybrid", "path", "click", "strings", "sabey type", "quasi type", "pegasus relationship", "fbi? files" ], "references": [ "www.forensickb.com \u2022 Computer Forensics, Malware Analysis & Digital Investigations", "Eternal Blue Wannacry \u2022 WannaCry Crypter", "https://hybrid-analysis.com/sample/8ed6c58fb2a5d50252bf106d31ed9e230925124443e4243bec9515c82ef0450c/68ddc351e27cb562e902d674" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "WannaCrypt", "display_name": "WannaCrypt", "target": null }, { "id": "Eternal Blue", "display_name": "Eternal Blue", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4246, "domain": 757, "hostname": 1039, "email": 1, "FileHash-SHA256": 2738, "FileHash-SHA1": 152, "FileHash-MD5": 140, "CVE": 1, "SSLCertFingerprint": 3 }, "indicator_count": 9077, "is_author": false, "is_subscribing": null, "subscriber_count": 147, "modified_text": "211 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ddc902283b04c489f7e1cd", "name": "Malicious Probe - WannaCry \u2022 WannaCrypt- Ransomware", "description": "Malicious remote cab / drive by via an alt google redirect , clicked image , suspicious, low amount of search results.\nRead coded image. Target/s phone -cnc and infected. #dead_connect #decrypted #hacked #nametactics", "modified": "2025-11-01T00:02:59.726000", "created": "2025-10-02T00:36:18.296000", "tags": [ "ip address", "key identifier", "x509v3 subject", "data", "v3 serial", "cus ogoogle", "trust", "cnwr3 validity", "subject public", "key info", "links", "dynamicloader", "high", "et exploit", "ms17010", "msf style", "probe ms17010", "generic flags", "dns lookup", "ransom", "write", "malware", "wannacrypt", "wannacry", "eternal blue", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "development att", "ssl certificate", "programfiles", "username", "windir", "userprofile", "mitre att", "ck matrix", "localappdata", "comspec", "model", "hybrid", "path", "click", "strings", "sabey type", "quasi type", "pegasus relationship", "fbi? files" ], "references": [ "www.forensickb.com \u2022 Computer Forensics, Malware Analysis & Digital Investigations", "Eternal Blue Wannacry \u2022 WannaCry Crypter", "https://hybrid-analysis.com/sample/8ed6c58fb2a5d50252bf106d31ed9e230925124443e4243bec9515c82ef0450c/68ddc351e27cb562e902d674" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "WannaCrypt", "display_name": "WannaCrypt", "target": null }, { "id": "Eternal Blue", "display_name": "Eternal Blue", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4246, "domain": 757, "hostname": 1039, "email": 1, "FileHash-SHA256": 2738, "FileHash-SHA1": 152, "FileHash-MD5": 140, "CVE": 1, "SSLCertFingerprint": 3 }, "indicator_count": 9077, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "211 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688c8526be7a4df33863b5c5", "name": "VirusTotal - Shiz.ivr", "description": "*Win.Trojan.Shiz.ivr\n*PWS:Win32/Simda.D\n*virtool #injection#infostealer #network #cnc #block_not #virustotal_google #cnc #checking #procmem_yara\n#injection_inter_process\n#injection_create_remote_thread\n#antidebug_windows\n#multiple_useragents\n#network_fake_useragent\n#persistence_autorun\n#cape_detected_threat\n#antiav_detectfile\n#modify_proxy\n#deletes_self\n#infostealer_cookies\n#injection_createremotethread\n#suricata_alert\n~ vashti", "modified": "2025-08-31T08:01:04.297000", "created": "2025-08-01T09:13:10.510000", "tags": [ "dynamicloader", "unknown", "msie", "windows nt", "slcc2", "media center", "suspicious", "search", "high", "show", "copy", "possible", "write", "internal", "malware", "push", "local", "next", "contacted", "domains", "pulses", "related tags", "file type", "date april", "pm size", "sha1 sha256", "imphash pehash", "virustotal api", "bq jul", "united", "trojan", "backdoor", "virtool", "cnc beacon", "entries", "path max", "passive dns", "next associated", "cookie", "twitter", "body", "date", "medium", "simda", "global" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10303, "hostname": 1413, "FileHash-SHA256": 1868, "domain": 1877, "FileHash-MD5": 357, "FileHash-SHA1": 348, "SSLCertFingerprint": 2 }, "indicator_count": 16168, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "273 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5daf09a6d16f1e2c5c594c22", "name": "Simda - Malware Domain Feed V2", "description": "Command and Control domains for malware known as Simda. These domains are extracted from malware sandbox reports using a Machine Learning model trained on a corpus of good and bad domains.", "modified": "2025-07-15T21:13:57.066000", "created": "2019-10-22T13:52:38.770000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 209, "hostname": 5 }, "indicator_count": 214, "is_author": false, "is_subscribing": null, "subscriber_count": 1085, "modified_text": "320 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a4293d5bc5c915eac829e0", "name": "Ransom:Win32/Crowti.A : Android Windows | Win.Trojan.Simda CnC", "description": "", "modified": "2024-08-25T21:00:52.039000", "created": "2024-07-26T22:54:53.598000", "tags": [ "united", "unknown", "a domains", "accept", "link", "passive dns", "encrypt", "trmp", "ok server", "date", "meta", "whois lookup", "create date", "domain", "expiry date", "update date", "update", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr10", "validity", "public key", "info", "key algorithm", "dns replication", "subdomains", "first", "historical ssl", "record type", "ttl value", "cname", "certificates", "show", "entries", "yara rule", "delete", "search", "intel", "ms windows", "copy", "binary file", "get updates", "write", "as44273 host", "redacted for", "moved", "record value", "as54113", "body", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "files", "ip address", "files ip", "address domain", "as61969 team", "germany unknown", "msie", "chrome", "precondition", "gmt content", "united kingdom", "as396982 google", "as8075", "ireland unknown", "as21301", "aaaa", "status", "sha1", "windows nt", "sha256", "size", "ascii text", "pattern match", "mitre att", "ck id", "show technique", "span", "format", "click", "hybrid", "twitter", "generator", "tsvt", "strings", "download", "path", "contact", "suspicious", "invalid url", "open ports", "body html", "head title", "title head", "body h1", "reference", "bad request", "server", "version", "trojandropper", "ransom", "checkin", "ipv4", "trojan", "virtool", "http post", "theme directory", "without referer", "cycbot", "http response", "final url", "status code", "body length", "kb body", "headers server", "gmt etag", "gmt date", "referrer", "code signing", "serial number", "ca valid", "from", "valid", "valid usage", "verisign time", "stamping", "thumbprint", "class", "error", "info header", "name md5", "type", "language", "contained", "overlay", "gandi sas", "dynadot", "registrar", "dynadot inc", "cloudflare", "net technology", "corporation", "bigrock", "dynadot llc", "namecheap", "ip detections", "country", "contacted", "defense evasion", "access ta0006", "ta0009 command", "control ta0011", "impact ta0034", "impact ta0040", "ta0040", "samplepath", "pattern urls", "pattern domains", "memory pattern", "domains domain", "ip traffic", "typo squatting", "realteck audio", "phish", "mr windows", "partru", "goog mal", "android windows", "maze", "apple", "malware", "worm", "skynet", "microsoft", "trojan evader", "simda cnc", "showing", "filehash", "pulse pulses", "av detections", "ids detections", "delphi", "network", "crowdstrike" ], "references": [ "43.204.54.95 AS 16509 (AMAZON-02), http://r10.i.lencr.org/, www.maketrumppresidentagain.site", "trojan.shiz/razy: FileHash-SHA256 02ed9fac1ebab76f551f1c27c0831541a3e0a6a716b392b16f34689b8fba08d8", "trojan.shiz/razy | CS Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Benche", "trojan.shiz/razy | CS IDS: Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "trojan.shiz/razy | CS IDS: Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda Matches rule PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning", "trojan.shiz/razy | CS IDS: Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan", "trojan.shiz/razy | CS IDS: Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan", "trojan.shiz/razy | CS IDS: Matches rule PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning", "trojan.shiz/razy | Capabilities Collection Log keystrokes via polling", "https://www.virustotal.com/gui/file/02ed9fac1ebab76f551f1c27c0831541a3e0a6a716b392b16f34689b8fba08d8/detection", "https://otx.alienvault.com/indicator/file/e6f8e2706058064d8f38d12923e52cec7a128218b39ca1fe60a2dde7ac3d158f | binary_yara mpress_2_xx_x86", "Ransom:Win32/Crowti.A: FileHash-SHA256 1ffa6a3f8844b5955fc5e7329a6fb766cc1f35b39201ceaf0bca282b5b0b8cf6", "Ransom:Win32/Crowti.A: FileHash-MD5 d34cf3663902900ddf46b937449472b9", "Ransom:Win32/Crowti.A: FileHash-SHA1 05a49b7502099932ff628ca5a8583397b7e2dca2", "VirTool:Win32/Injector: FileHash-SHA256 0806653f8af2e9c2530e453f8b1fea47f62f86b5b0b65487ddcfd014eea8e9fe", "VirTool:Win32/Injector: FileHash-MD5 baa1a920d33eee94e123f5dfb6bbe7456692e020d682ae45f0de66130f9ea0da", "VirTool:Win32/Injector: FileHash-SHA1 3e7124373729e9ec90ea1d01222bfdd84b0484e5", "BigRock: gadyzyh.com", "Matches rule ET INFO Namecheap URL", "POLICY Unsupported/Fake Internet Explorer Version MSIE 2", "Win.Trojan.Simda: FileHash-SHA256 0187e1392266fff224de9e3d3fbbe1a05cea8b823906ad27ff577c6e348f6e3b", "Win.Trojan.Simda: FileHash-SHA1 fec01e5e59034cafc2b1e95c23068e075f9dbe69", "Win.Trojan.Simda: FileHash-MD5 efe12fc770fb8647e22adb7f814666e7", "TEL:Win32/Qjwmonkey.A: FileHash-SHA256 30ffb056ad64037a918d80c120db5d0032b29feb7db97ed19824646381165a5d", "TEL:Win32/Qjwmonkey.A: FileHash-SHA1 51efdae4ba6bfec8e6f4ae2d7f6dc8cca42db1da", "TEL:Win32/Qjwmonkey.A: FileHash-MD5 535ce96e43fe532e1ddfd804dbde9c6a", "Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Tim Shelton, Nasreddine Bencherch", "Matches rule Windows Processes Suspicious Parent Directory by vburov" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Netherlands" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Upatre.E", "display_name": "TrojanDownloader:Win32/Upatre.E", "target": "/malware/TrojanDownloader:Win32/Upatre.E" }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Win.Trojan.Simda", "display_name": "Win.Trojan.Simda", "target": null }, { "id": "TEL:Win32/Qjwmonkey.A", "display_name": "TEL:Win32/Qjwmonkey.A", "target": "/malware/TEL:Win32/Qjwmonkey.A" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 549, "domain": 1182, "hostname": 590, "URL": 961, "FileHash-SHA256": 2466, "FileHash-MD5": 562, "SSLCertFingerprint": 7, "email": 4 }, "indicator_count": 6321, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "644 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d34c91868744aa1449fef2", "name": "Locky: File Deletion targeting incriminating archived files.", "description": "redhatdelete.com : Adversaries are deleting files in bulk from Virustotal, otx AlienVault, WebArchive, Perma.cc Urlscan.io, Archive.Today, Archive.ph, iCloud, apple data, photo deletion.\nVarious ransomware used. iOS service modified, cloud encrypted by adversary. Indicator point to a target with a zombie device. An iPhone and potentially other devices were targeted in a specific attack. | Locky Ransomware is a piece of malware that encrypts important files on your device, rendering them inaccessible and unusable.", "modified": "2024-03-20T12:00:39.809000", "created": "2024-02-19T12:41:52.846000", "tags": [ "it consultant", "uk collection", "dns intel", "ips collection", "suspicous ip", "whois file", "cname", "record type", "ttl value", "algorithm", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "whois lookup", "region create", "domain", "name server", "registrant name", "technical city", "region update", "united", "command decode", "mitre att", "suricata ipv4", "windows nt", "win64", "khtml", "gecko", "ck id", "cookie", "meta", "february", "hybrid", "general", "click", "strings", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "dns replication", "code", "namecheap", "registrar abuse", "namecheap inc", "privacy service", "withheld", "privacy", "dnssec", "email", "first", "bodis", "unknown", "creation date", "search", "emails", "as397240", "date", "next", "all octoseek", "threat roundup", "january", "june", "historical ssl", "referrer", "contacted", "group", "execution", "phishing", "malware", "core", "malicious", "dark power", "play ransomware", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 linker", "gnu linker", "compiler", "info header", "name md5", "overlay", "passive dns", "entries", "ipv4", "pulse pulses", "urls", "files", "trojan", "location united", "query", "activity dns", "observed dns", "msie", "high", "copy", "write", "win32", "hashes", "host interaction", "sabey type", "hallrender", "brian sabey", "memory pattern", "http requests", "http method", "get response", "dns resolutions", "ip traffic", "domains", "mutex", "samplepath", "created", "shell commands", "r processes", "tree", "analyze", "hostnames", "url https", "samples", "hostname", "pattern urls", "memory", "pattern", "pattern domains", "roundup", "formbook", "mirai", "ben c", "injection", "server", "scan endpoints", "show", "august", "bq feb", "chrome", "precondition", "virtool", "downloadmr", "body", "status", "servers", "record value", "name servers", "showing", "mailrubar", "trojanclicker", "slcc2", "media center", "delete c", "malware beacon", "suspicious", "class", "internal", "local", "encrypt", "as15169 google", "gmt cache", "twitter", "rostpay", "date hash", "avast avg", "mtb may", "susp", "cryp", "win32upatre may", "mtb showing", "lowfi", "aaaa", "win32pcmega jan", "urlshortner dec", "urlshortner sep", "as133618", "nxdomain", "as133775 xiamen", "germany unknown", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "whois record", "ssl certificate", "tsara brashears", "resolutions", "critical risk", "apple phone", "unlocker", "shell code", "installer", "ursnif", "hacktool", "emotet", "tracker", "chaos", "ransomexx", "xor ddos", "xorddos", "mitre attack", "parent domain", "urls url", "siblings", "metro", "communicating", "collection", "dropped", "skynet", "youth", "com laude", "ltd dba", "utc submissions", "submitters", "cloudflarenet", "akamaias", "digitaloceanasn", "csc corporate", "pt mora", "univjos", "etisalat misr", "acurix networks", "pty ltd", "beijing baidu", "highly targeted", "http", "network hijacks", "redline stealer", "whois sslcert", "contacted urls", "whois whois", "september", "hidden cobra", "threats", "kimsuky", "service", "read c", "create c", "write c", "regsetvalueexa", "mozilla", "capture", "asnone", "domain http", "request", "malware dns", "lookup wannacry", "default", "ransom", "push", "playgame", "command", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "yara detections", "debug", "icmp traffic", "pdb path", "pe section", "low software", "packing t1045", "ransomware", "egregor", "find", "false", "psexec", "powershell", "qakbot", "qbot", "icedid" ], "references": [ "redhatdelete.com", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "target": null }, { "id": "Rostpay", "display_name": "Rostpay", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "Chaos (ELF)", "display_name": "Chaos (ELF)", "target": null }, { "id": "TrojanDropper:Win32/GameHack", "display_name": "TrojanDropper:Win32/GameHack", "target": "/malware/TrojanDropper:Win32/GameHack" }, { "id": "Win.Ransomware.Locky-7766366-0", "display_name": "Win.Ransomware.Locky-7766366-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "ALF:E5.SpikeAex.rhh_pid", "display_name": "ALF:E5.SpikeAex.rhh_pid", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 57, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1848, "FileHash-SHA1": 1783, "FileHash-SHA256": 7170, "domain": 1649, "hostname": 1191, "email": 9, "URL": 729, "CVE": 2, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d3c31230455f6d8da3a9f0", "name": "Locky: File Deletion targeting incriminating archived files II", "description": "", "modified": "2024-03-20T12:00:39.809000", "created": "2024-02-19T21:07:30.887000", "tags": [ "it consultant", "uk collection", "dns intel", "ips collection", "suspicous ip", "whois file", "cname", "record type", "ttl value", "algorithm", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "whois lookup", "region create", "domain", "name server", "registrant name", "technical city", "region update", "united", "command decode", "mitre att", "suricata ipv4", "windows nt", "win64", "khtml", "gecko", "ck id", "cookie", "meta", "february", "hybrid", "general", "click", "strings", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "dns replication", "code", "namecheap", "registrar abuse", "namecheap inc", "privacy service", "withheld", "privacy", "dnssec", "email", "first", "bodis", "unknown", "creation date", "search", "emails", "as397240", "date", "next", "all octoseek", "threat roundup", "january", "june", "historical ssl", "referrer", "contacted", "group", "execution", "phishing", "malware", "core", "malicious", "dark power", "play ransomware", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 linker", "gnu linker", "compiler", "info header", "name md5", "overlay", "passive dns", "entries", "ipv4", "pulse pulses", "urls", "files", "trojan", "location united", "query", "activity dns", "observed dns", "msie", "high", "copy", "write", "win32", "hashes", "host interaction", "sabey type", "hallrender", "brian sabey", "memory pattern", "http requests", "http method", "get response", "dns resolutions", "ip traffic", "domains", "mutex", "samplepath", "created", "shell commands", "r processes", "tree", "analyze", "hostnames", "url https", "samples", "hostname", "pattern urls", "memory", "pattern", "pattern domains", "roundup", "formbook", "mirai", "ben c", "injection", "server", "scan endpoints", "show", "august", "bq feb", "chrome", "precondition", "virtool", "downloadmr", "body", "status", "servers", "record value", "name servers", "showing", "mailrubar", "trojanclicker", "slcc2", "media center", "delete c", "malware beacon", "suspicious", "class", "internal", "local", "encrypt", "as15169 google", "gmt cache", "twitter", "rostpay", "date hash", "avast avg", "mtb may", "susp", "cryp", "win32upatre may", "mtb showing", "lowfi", "aaaa", "win32pcmega jan", "urlshortner dec", "urlshortner sep", "as133618", "nxdomain", "as133775 xiamen", "germany unknown", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "whois record", "ssl certificate", "tsara brashears", "resolutions", "critical risk", "apple phone", "unlocker", "shell code", "installer", "ursnif", "hacktool", "emotet", "tracker", "chaos", "ransomexx", "xor ddos", "xorddos", "mitre attack", "parent domain", "urls url", "siblings", "metro", "communicating", "collection", "dropped", "skynet", "youth", "com laude", "ltd dba", "utc submissions", "submitters", "cloudflarenet", "akamaias", "digitaloceanasn", "csc corporate", "pt mora", "univjos", "etisalat misr", "acurix networks", "pty ltd", "beijing baidu", "highly targeted", "http", "network hijacks", "redline stealer", "whois sslcert", "contacted urls", "whois whois", "september", "hidden cobra", "threats", "kimsuky", "service", "read c", "create c", "write c", "regsetvalueexa", "mozilla", "capture", "asnone", "domain http", "request", "malware dns", "lookup wannacry", "default", "ransom", "push", "playgame", "command", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "yara detections", "debug", "icmp traffic", "pdb path", "pe section", "low software", "packing t1045", "ransomware", "egregor", "find", "false", "psexec", "powershell", "qakbot", "qbot", "icedid" ], "references": [ "redhatdelete.com", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "target": null }, { "id": "Rostpay", "display_name": "Rostpay", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "Chaos (ELF)", "display_name": "Chaos (ELF)", "target": null }, { "id": "TrojanDropper:Win32/GameHack", "display_name": "TrojanDropper:Win32/GameHack", "target": "/malware/TrojanDropper:Win32/GameHack" }, { "id": "Win.Ransomware.Locky-7766366-0", "display_name": "Win.Ransomware.Locky-7766366-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "ALF:E5.SpikeAex.rhh_pid", "display_name": "ALF:E5.SpikeAex.rhh_pid", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": "65d34c8a64436a7aee2e25a1", "export_count": 73, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Enqrypted", "id": "272105", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_272105/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1848, "FileHash-SHA1": 1783, "FileHash-SHA256": 7170, "domain": 1649, "hostname": 1191, "email": 9, "URL": 729, "CVE": 2, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d3acf32e1088e76165a307", "name": "Locky: File Deletion targeting incriminating archived files.", "description": "", "modified": "2024-03-20T12:00:39.809000", "created": "2024-02-19T19:33:07.504000", "tags": [ "it consultant", "uk collection", "dns intel", "ips collection", "suspicous ip", "whois file", "cname", "record type", "ttl value", "algorithm", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "whois lookup", "region create", "domain", "name server", "registrant name", "technical city", "region update", "united", "command decode", "mitre att", "suricata ipv4", "windows nt", "win64", "khtml", "gecko", "ck id", "cookie", "meta", "february", "hybrid", "general", "click", "strings", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "dns replication", "code", "namecheap", "registrar abuse", "namecheap inc", "privacy service", "withheld", "privacy", "dnssec", "email", "first", "bodis", "unknown", "creation date", "search", "emails", "as397240", "date", "next", "all octoseek", "threat roundup", "january", "june", "historical ssl", "referrer", "contacted", "group", "execution", "phishing", "malware", "core", "malicious", "dark power", "play ransomware", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 linker", "gnu linker", "compiler", "info header", "name md5", "overlay", "passive dns", "entries", "ipv4", "pulse pulses", "urls", "files", "trojan", "location united", "query", "activity dns", "observed dns", "msie", "high", "copy", "write", "win32", "hashes", "host interaction", "sabey type", "hallrender", "brian sabey", "memory pattern", "http requests", "http method", "get response", "dns resolutions", "ip traffic", "domains", "mutex", "samplepath", "created", "shell commands", "r processes", "tree", "analyze", "hostnames", "url https", "samples", "hostname", "pattern urls", "memory", "pattern", "pattern domains", "roundup", "formbook", "mirai", "ben c", "injection", "server", "scan endpoints", "show", "august", "bq feb", "chrome", "precondition", "virtool", "downloadmr", "body", "status", "servers", "record value", "name servers", "showing", "mailrubar", "trojanclicker", "slcc2", "media center", "delete c", "malware beacon", "suspicious", "class", "internal", "local", "encrypt", "as15169 google", "gmt cache", "twitter", "rostpay", "date hash", "avast avg", "mtb may", "susp", "cryp", "win32upatre may", "mtb showing", "lowfi", "aaaa", "win32pcmega jan", "urlshortner dec", "urlshortner sep", "as133618", "nxdomain", "as133775 xiamen", "germany unknown", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "whois record", "ssl certificate", "tsara brashears", "resolutions", "critical risk", "apple phone", "unlocker", "shell code", "installer", "ursnif", "hacktool", "emotet", "tracker", "chaos", "ransomexx", "xor ddos", "xorddos", "mitre attack", "parent domain", "urls url", "siblings", "metro", "communicating", "collection", "dropped", "skynet", "youth", "com laude", "ltd dba", "utc submissions", "submitters", "cloudflarenet", "akamaias", "digitaloceanasn", "csc corporate", "pt mora", "univjos", "etisalat misr", "acurix networks", "pty ltd", "beijing baidu", "highly targeted", "http", "network hijacks", "redline stealer", "whois sslcert", "contacted urls", "whois whois", "september", "hidden cobra", "threats", "kimsuky", "service", "read c", "create c", "write c", "regsetvalueexa", "mozilla", "capture", "asnone", "domain http", "request", "malware dns", "lookup wannacry", "default", "ransom", "push", "playgame", "command", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "yara detections", "debug", "icmp traffic", "pdb path", "pe section", "low software", "packing t1045", "ransomware", "egregor", "find", "false", "psexec", "powershell", "qakbot", "qbot", "icedid" ], "references": [ "redhatdelete.com", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "target": null }, { "id": "Rostpay", "display_name": "Rostpay", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "Chaos (ELF)", "display_name": "Chaos (ELF)", "target": null }, { "id": "TrojanDropper:Win32/GameHack", "display_name": "TrojanDropper:Win32/GameHack", "target": "/malware/TrojanDropper:Win32/GameHack" }, { "id": "Win.Ransomware.Locky-7766366-0", "display_name": "Win.Ransomware.Locky-7766366-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "ALF:E5.SpikeAex.rhh_pid", "display_name": "ALF:E5.SpikeAex.rhh_pid", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": "65d34c91868744aa1449fef2", "export_count": 64, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1848, "FileHash-SHA1": 1783, "FileHash-SHA256": 7170, "domain": 1649, "hostname": 1191, "email": 9, "URL": 729, "CVE": 2, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d34c8a64436a7aee2e25a1", "name": "Locky: File Deletion targeting incriminating archived files.", "description": "redhatdelete.com : Adversaries are deleting files in bulk from Virustotal, otx AlienVault, WebArchive, Perma.cc Urlscan.io, Archive.Today, Archive.ph, iCloud, apple data, photo deletion.\nVarious ransomware used. iOS service modified, cloud encrypted by adversary. Indicator point to a target with a zombie device. An iPhone and potentially other devices were targeted in a specific attack. | Locky Ransomware is a piece of malware that encrypts important files on your device, rendering them inaccessible and unusable.", "modified": "2024-03-20T12:00:39.809000", "created": "2024-02-19T12:41:46.707000", "tags": [ "it consultant", "uk collection", "dns intel", "ips collection", "suspicous ip", "whois file", "cname", "record type", "ttl value", "algorithm", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "whois lookup", "region create", "domain", "name server", "registrant name", "technical city", "region update", "united", "command decode", "mitre att", "suricata ipv4", "windows nt", "win64", "khtml", "gecko", "ck id", "cookie", "meta", "february", "hybrid", "general", "click", "strings", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "dns replication", "code", "namecheap", "registrar abuse", "namecheap inc", "privacy service", "withheld", "privacy", "dnssec", "email", "first", "bodis", "unknown", "creation date", "search", "emails", "as397240", "date", "next", "all octoseek", "threat roundup", "january", "june", "historical ssl", "referrer", "contacted", "group", "execution", "phishing", "malware", "core", "malicious", "dark power", "play ransomware", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 linker", "gnu linker", "compiler", "info header", "name md5", "overlay", "passive dns", "entries", "ipv4", "pulse pulses", "urls", "files", "trojan", "location united", "query", "activity dns", "observed dns", "msie", "high", "copy", "write", "win32", "hashes", "host interaction", "sabey type", "hallrender", "brian sabey", "memory pattern", "http requests", "http method", "get response", "dns resolutions", "ip traffic", "domains", "mutex", "samplepath", "created", "shell commands", "r processes", "tree", "analyze", "hostnames", "url https", "samples", "hostname", "pattern urls", "memory", "pattern", "pattern domains", "roundup", "formbook", "mirai", "ben c", "injection", "server", "scan endpoints", "show", "august", "bq feb", "chrome", "precondition", "virtool", "downloadmr", "body", "status", "servers", "record value", "name servers", "showing", "mailrubar", "trojanclicker", "slcc2", "media center", "delete c", "malware beacon", "suspicious", "class", "internal", "local", "encrypt", "as15169 google", "gmt cache", "twitter", "rostpay", "date hash", "avast avg", "mtb may", "susp", "cryp", "win32upatre may", "mtb showing", "lowfi", "aaaa", "win32pcmega jan", "urlshortner dec", "urlshortner sep", "as133618", "nxdomain", "as133775 xiamen", "germany unknown", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "whois record", "ssl certificate", "tsara brashears", "resolutions", "critical risk", "apple phone", "unlocker", "shell code", "installer", "ursnif", "hacktool", "emotet", "tracker", "chaos", "ransomexx", "xor ddos", "xorddos", "mitre attack", "parent domain", "urls url", "siblings", "metro", "communicating", "collection", "dropped", "skynet", "youth", "com laude", "ltd dba", "utc submissions", "submitters", "cloudflarenet", "akamaias", "digitaloceanasn", "csc corporate", "pt mora", "univjos", "etisalat misr", "acurix networks", "pty ltd", "beijing baidu", "highly targeted", "http", "network hijacks", "redline stealer", "whois sslcert", "contacted urls", "whois whois", "september", "hidden cobra", "threats", "kimsuky", "service", "read c", "create c", "write c", "regsetvalueexa", "mozilla", "capture", "asnone", "domain http", "request", "malware dns", "lookup wannacry", "default", "ransom", "push", "playgame", "command", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "yara detections", "debug", "icmp traffic", "pdb path", "pe section", "low software", "packing t1045", "ransomware", "egregor", "find", "false", "psexec", "powershell", "qakbot", "qbot", "icedid" ], "references": [ "redhatdelete.com", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "target": null }, { "id": "Rostpay", "display_name": "Rostpay", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "Chaos (ELF)", "display_name": "Chaos (ELF)", "target": null }, { "id": "TrojanDropper:Win32/GameHack", "display_name": "TrojanDropper:Win32/GameHack", "target": "/malware/TrojanDropper:Win32/GameHack" }, { "id": "Win.Ransomware.Locky-7766366-0", "display_name": "Win.Ransomware.Locky-7766366-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "ALF:E5.SpikeAex.rhh_pid", "display_name": "ALF:E5.SpikeAex.rhh_pid", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1848, "FileHash-SHA1": 1783, "FileHash-SHA256": 7170, "domain": 1649, "hostname": 1191, "email": 9, "URL": 729, "CVE": 2, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659ab33e614882a4a7451ca8", "name": "Simda | Sabey Data Center | https://nsa.gov1.info/utah-data-center/", "description": "SIMDA is a family of backdoors capable of stealing information such as user names, passwords, and certificates. It steals information via its keylogging and HTML injection routines. \nReference: TrendMicro\n\nMALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda\nWin32.Trojan-Spy.Shiz.b\nParody named 'not the Whitehouse' -https://whois.domaintools.com/gov1.info\nM.Brian Sabey \nTargets Tsara Brashears", "modified": "2024-02-06T14:00:04.985000", "created": "2024-01-07T14:20:46.936000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "redacted for", "privacy tech", "privacy admin", "date", "server", "country", "organization", "postal code", "stateprovince", "code", "whois record", "ssl certificate", "historical ssl", "whois whois", "september", "redline stealer", "whois", "threat roundup", "bangladesh", "communicating", "prynt stealer", "banker", "keylogger", "dtrack", "prynt", "name verdict", "falcon sandbox", "pattern match", "jpeg image", "jfif", "ascii text", "united", "appdata", "file", "indicator", "et tor", "known tor", "class", "unknown", "general", "hybrid", "local", "win64", "click", "twitter", "strings", "generator", "critical", "error", "trident", "cascade", "darpa", "registrar", "rdds service", "record", "registrant", "admin", "tech contact", "whois service", "form", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers nel", "contentencoding", "gmt connection", "search", "for privacy", "status", "showing", "passive dns", "urls", "ionos se", "creation date", "next", "aaaa", "pulse pulses", "files", "united kingdom", "whitelisted", "worm", "gmt contenttype", "scan endpoints", "all octoseek", "ipv4", "body", "http", "unique", "screenshot", "url http", "ip address", "internet se", "emails", "name servers", "dnssec", "as63949 linode", "all search", "otx octoseek", "related nids", "reverse dns", "netherlands asn", "contacted", "resolutions", "referrer", "mirai malware", "urls http", "parent referrer", "certificate", "record value", "entries", "dynamicloader", "yara rule", "high", "sinkhole cookie", "et trojan", "medium", "yara detections", "virtool", "value snkz", "less see", "possible", "august", "copy", "expiro", "public folder", "pictures", "videos", "music", "anomalous file", "media player", "url https", "delete c", "ms windows", "pe32", "intel", "windows nt", "wow64", "khtml", "gecko", "query", "write", "malware", "template", "findwindowa", "ollydbg", "regsetvalueexa", "regdword", "high process", "x8bxe5", "regbinary", "injection t1055", "t1055", "zeppelin", "win32", "internal", "malware beacon", "a checkin", "create c", "read c", "write c", "msie", "suspicious", "slcc2", "media center", "as20940", "as2914 ntt", "as16625 akamai", "a domains", "cdata", "script", "as8068", "mtb oct", "location canada", "trojanspy", "xpire.info", "searchmeup", "cname", "as35994 akamai", "as14061", "as9009 m247", "samples", "as25577 ide", "hostnames", "show", "info compiler", "products", "vs2008 sp1", "vs2008", "vs2010", "header target", "machine intel", "utc entry", "point", "sections", "info", "hashes c2ae", "zenbox", "detections file", "name", "html", "win32 exe", "javascript", "contacted ip", "ip detections", "gandi sas", "godaddy online", "cayman", "dynadot", "domains", "psiusa", "domain robot", "dynadot inc", "net technology", "tsara brashears", "apple phone", "unlocker", "shell code", "simda", "amazon 02", "metro", "infected", "qakbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Prynt", "display_name": "Prynt", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2129, "FileHash-SHA1": 1459, "FileHash-SHA256": 5050, "URL": 7341, "domain": 3041, "hostname": 3214, "email": 12, "CVE": 1 }, "indicator_count": 22247, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "845 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659ab3389d6c91dc01801fe5", "name": "Simda | Sabey Data Center | https://nsa.gov1.info/utah-data-center/", "description": "SIMDA is a family of backdoors capable of stealing information such as user names, passwords, and certificates. It steals information via its keylogging and HTML injection routines. \nReference: TrendMicro\n\nMALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda\nWin32.Trojan-Spy.Shiz.b\nParody named 'not the Whitehouse' -https://whois.domaintools.com/gov1.info\nM.Brian Sabey \nTargets Tsara Brashears", "modified": "2024-02-06T14:00:04.985000", "created": "2024-01-07T14:20:40.610000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "redacted for", "privacy tech", "privacy admin", "date", "server", "country", "organization", "postal code", "stateprovince", "code", "whois record", "ssl certificate", "historical ssl", "whois whois", "september", "redline stealer", "whois", "threat roundup", "bangladesh", "communicating", "prynt stealer", "banker", "keylogger", "dtrack", "prynt", "name verdict", "falcon sandbox", "pattern match", "jpeg image", "jfif", "ascii text", "united", "appdata", "file", "indicator", "et tor", "known tor", "class", "unknown", "general", "hybrid", "local", "win64", "click", "twitter", "strings", "generator", "critical", "error", "trident", "cascade", "darpa", "registrar", "rdds service", "record", "registrant", "admin", "tech contact", "whois service", "form", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers nel", "contentencoding", "gmt connection", "search", "for privacy", "status", "showing", "passive dns", "urls", "ionos se", "creation date", "next", "aaaa", "pulse pulses", "files", "united kingdom", "whitelisted", "worm", "gmt contenttype", "scan endpoints", "all octoseek", "ipv4", "body", "http", "unique", "screenshot", "url http", "ip address", "internet se", "emails", "name servers", "dnssec", "as63949 linode", "all search", "otx octoseek", "related nids", "reverse dns", "netherlands asn", "contacted", "resolutions", "referrer", "mirai malware", "urls http", "parent referrer", "certificate", "record value", "entries", "dynamicloader", "yara rule", "high", "sinkhole cookie", "et trojan", "medium", "yara detections", "virtool", "value snkz", "less see", "possible", "august", "copy", "expiro", "public folder", "pictures", "videos", "music", "anomalous file", "media player", "url https", "delete c", "ms windows", "pe32", "intel", "windows nt", "wow64", "khtml", "gecko", "query", "write", "malware", "template", "findwindowa", "ollydbg", "regsetvalueexa", "regdword", "high process", "x8bxe5", "regbinary", "injection t1055", "t1055", "zeppelin", "win32", "internal", "malware beacon", "a checkin", "create c", "read c", "write c", "msie", "suspicious", "slcc2", "media center", "as20940", "as2914 ntt", "as16625 akamai", "a domains", "cdata", "script", "as8068", "mtb oct", "location canada", "trojanspy", "xpire.info", "searchmeup", "cname", "as35994 akamai", "as14061", "as9009 m247", "samples", "as25577 ide", "hostnames", "show", "info compiler", "products", "vs2008 sp1", "vs2008", "vs2010", "header target", "machine intel", "utc entry", "point", "sections", "info", "hashes c2ae", "zenbox", "detections file", "name", "html", "win32 exe", "javascript", "contacted ip", "ip detections", "gandi sas", "godaddy online", "cayman", "dynadot", "domains", "psiusa", "domain robot", "dynadot inc", "net technology", "tsara brashears", "apple phone", "unlocker", "shell code", "simda", "amazon 02", "metro", "infected", "qakbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Prynt", "display_name": "Prynt", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2129, "FileHash-SHA1": 1459, "FileHash-SHA256": 5050, "URL": 7341, "domain": 3041, "hostname": 3214, "email": 12, "CVE": 1 }, "indicator_count": 22247, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "845 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659560d63178b32f07838efb", "name": "Covert | Big O Tires active cyber threat | Dark Power | Emotet|", "description": "Active, ongoing cyber threat, multiple malicious activities including, network rat, ransomware encryption, social engineering, spammers, infostealer, botnet activity.\nConsumers may also be contacted by mail or phone or find account seized. I haven't benn able to properly access the magnitude of the issue, there has been at least a handful of customers in good standing , with higher limits on paid of cards that ended up being stolen or according to Big O Representatives 'closed' for unfounded reasons; failure to confirm citizenship, identity, unknown patriot act offences, failure to comply Big O Tires via mail.", "modified": "2024-02-02T12:04:41.638000", "created": "2024-01-03T13:27:50.685000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "unsafeeval", "path", "expiressat", "auto", "wheels online", "o tires", "shop tires", "html info", "title shop", "tires", "meta tags", "big o", "tires language", "name verdict", "falcon sandbox", "samples", "localappdata", "json data", "temp", "getprocaddress", "ascii text", "windir", "file", "indicator", "mitre att", "ck id", "factory", "hybrid", "model", "comspec", "ssl certificate", "whois record", "execution", "contacted", "historical ssl", "whois whois", "simda http", "collections", "historical", "dropped", "backdoor", "unknown", "united", "asnone", "show", "entries", "search", "intel", "ms windows", "pe32", "windows nt", "copy", "write", "logic", "download", "malware", "suspicious", "next", "destination", "port", "components", "globalnpf", "china as23724", "music", "data c", "mexico", "as15169 google", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "united kingdom", "explorer", "xserver", "mtb aug", "location united", "america asn", "open", "trojan", "worm", "dataadobereader", "as397240", "msie", "etpro trojan", "virgin islands", "script urls", "creation date", "record value", "date", "a domains", "all search", "otx octoseek", "url http", "http", "related nids", "pulse http", "url https", "files location", "as20940", "aaaa", "as2914 ntt", "canada unknown", "japan unknown", "as16625 akamai", "domain", "hostname", "gmt content", "gmt report", "0 report", "sea alt", "body", "encrypt", "social engineering", "revenge rat", "rat", "identity theft", "credit card", "referrer", "communicating", "bundled", "family", "roots", "lolkek", "tzw variants", "quasar rat", "dark power", "swisyn", "wiper", "ransomware", "cobalt strike", "attack", "core", "emotet", "exploit", "hacktool", "mail spammer", "as63949 linode", "mtb dec", "checkin m1", "trojanspy", "artro", "remote", "infostealer" ], "references": [ "https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ukraine", "Georgia", "India", "Hong Kong", "Canada", "China", "Indonesia", "South Africa", "Germany", "Slovenia", "Mexico", "Netherlands", "Japan", "Spain", "Argentina", "France", "Chile", "Italy", "Aruba", "Switzerland", "United Kingdom of Great Britain and Northern Ireland", "Denmark", "Poland", "Colombia", "Taiwan", "Bulgaria", "Austria", "Russian Federation", "Australia", "Philippines", "Norway", "Sweden" ], "malware_families": [ { "id": "Trojan:Win32/Comspec", "display_name": "Trojan:Win32/Comspec", "target": "/malware/Trojan:Win32/Comspec" }, { "id": "#Lowfi:SCPT:KiraAsciiObfuscator", "display_name": "#Lowfi:SCPT:KiraAsciiObfuscator", "target": null }, { "id": "Backdoor:Win32/Simda", "display_name": "Backdoor:Win32/Simda", "target": "/malware/Backdoor:Win32/Simda" }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "PWS:Win32/VB.CU", "display_name": "PWS:Win32/VB.CU", "target": "/malware/PWS:Win32/VB.CU" }, { "id": "Trojan:MSIL/ClipBanker.GB!MTB", "display_name": "Trojan:MSIL/ClipBanker.GB!MTB", "target": "/malware/Trojan:MSIL/ClipBanker.GB!MTB" }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Win.Packed.Zusy-7170176-0", "display_name": "Win.Packed.Zusy-7170176-0", "target": null }, { "id": "Win.Trojan.Zbot-9880005-0", "display_name": "Win.Trojan.Zbot-9880005-0", "target": null }, { "id": "'Win32:Trojan-gen", "display_name": "'Win32:Trojan-gen", "target": null }, { "id": "TEL:TrojanDownloader:O97M/MsiexecAbuse", "display_name": "TEL:TrojanDownloader:O97M/MsiexecAbuse", "target": null }, { "id": "Worm:Win32/Mofksys.B", "display_name": "Worm:Win32/Mofksys.B", "target": "/malware/Worm:Win32/Mofksys.B" }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Worm:LOGO/Logic", "display_name": "Worm:LOGO/Logic", "target": "/malware/Worm:LOGO/Logic" }, { "id": "ETPro Trojan", "display_name": "ETPro Trojan", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "TrojanSpy:Win32/Swisyn", "display_name": "TrojanSpy:Win32/Swisyn", "target": "/malware/TrojanSpy:Win32/Swisyn" }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 560, "FileHash-SHA1": 350, "FileHash-SHA256": 4371, "URL": 8165, "domain": 2548, "hostname": 2813, "CVE": 4, "email": 3 }, "indicator_count": 18814, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "849 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658449d3f6ec1af2f3aace46", "name": "Qakbot | Reddit", "description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip Qbot zip found in Reddit Honeypot link: https://www.reddit.com/user backdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware malvertizing, fraud services, leads to full control of badly compromised digital profile.", "modified": "2024-01-20T02:02:19.559000", "created": "2023-12-21T14:21:07.435000", "tags": [ "ssl certificate", "iocs", "ioc search", "new ioc", "teams api", "contact", "search", "threat", "paste", "blacklist https", "qakbot", "site", "cisco umbrella", "alexa top", "million", "ascii text", "pattern match", "file", "windows nt", "appdata", "indicator", "crlf line", "unicode text", "jpeg image", "mitre att", "hybrid", "general", "local", "error", "click", "strings", "microsoft", "threat analyzer", "urls https", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "heur", "malware site", "malicious site", "safe site", "malware", "html", "phishing site", "site top", "riskware", "unsafe", "artemis", "quasar rat", "downldr", "agent", "presenoker", "applicunwnt", "crack", "cve201711882", "win64", "iframe", "quasar", "trojanspy", "exit", "node tcp", "tor known", "tor relayrouter", "traffic", "anonymizer", "brasil", "phishing three", "united", "phishing bank", "virustotal", "tech", "bank", "maltiverse", "hidelink", "samples", "spyware", "injector", "mon jan", "tld count", "wed dec", "download", "first", "team", "simda", "bambernek", "simda simda", "infy", "alexa", "gregory", "cyber threat", "phishing", "engineering", "covid19", "telefonica co", "malicious", "zbot", "zeus", "betabot", "suppobox", "citadel", "pony", "kraken", "redline stealer", "ransomware", "vawtrak", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "plasma", "spyeye", "spitmo", "slingshot", "ramnit", "emotet", "pykspa", "virut", "installcore", "dorkbot", "bondat", "union", "vskimmer", "xtrat", "solar", "grandcrab", "nymaim", "matsnu", "cutwail", "cobalt strike", "hydra", "tinba", "nsis", "memscan", "deepscan", "runescape", "backdoor", "reddit", "tulach", "password stealer", "active threat", "apple", "pinkslipbot", "icloud", "free", "apple" ], "references": [ "https://seedbeej.pk/tin/index.php?QBOT.zip. [Qbot zip]", "https://tulach.cc/ [Botnet phishing]", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "198.54.115.46 [exploit_source]", "gadyniw.com [command_and_control]", "gahyqah.com [command_and_control]", "galyqaz.com [command_and_control]", "lyvyxor.com [command_and_control]", "puzylyp.com [command_and_control]", "malicious.high.ml [dropper]", "https://www.reddit.com/user [honeypot]", "beacons.bcp.gvt.com [tracking]", "https://www.norad.mil/ [tracking]", "www.norad.mil [tracking]", "www.apple.com [API property call]", "https://www.apple.com/qtactivex/qtplugin.cab [https://www.icloud.com .cab]", "yesporn.fun", "http://114.114.114.114:90/p/cdbdd4a09a64909694281aec503746fd/mobile_index.html?MTE0LjExNC4xMTQuMTE0L2xvZ2luP2hhc19vcmlfdXJp [Tulach | Malicious]", "114.114.114.114 [Tulach | Virus Network IP]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "vSkimmer", "display_name": "vSkimmer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Spitmo", "display_name": "Spitmo", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "DorkBot", "display_name": "DorkBot", "target": null }, { "id": "Slingshot", "display_name": "Slingshot", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Plasma RAT", "display_name": "Plasma RAT", "target": null }, { "id": "Neutrino", "display_name": "Neutrino", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "GrandCrab", "display_name": "GrandCrab", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Alinaos", "display_name": "Alinaos", "target": null }, { "id": "HawkEye", "display_name": "HawkEye", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Infy", "display_name": "Infy", "target": null }, { "id": "Dexter", "display_name": "Dexter", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "ASCII", "display_name": "ASCII", "target": null }, { "id": "Athena", "display_name": "Athena", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "COVID19", "display_name": "COVID19", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "Bondat", "display_name": "Bondat", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Hydra", "display_name": "Hydra", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Pinkslipbot", "display_name": "Pinkslipbot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 124, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8736, "FileHash-MD5": 953, "FileHash-SHA1": 489, "FileHash-SHA256": 3566, "domain": 1516, "hostname": 2221, "CVE": 6 }, "indicator_count": 17487, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6583e3acc7f464d48a3503d1", "name": "Qkbot | Reddit", "description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip found in Reddit Honeypot link: https://www.reddit.com/user\nbackdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware, malvertizing, fraud services, full control of badly compromised digital profiles which have been discovered.", "modified": "2024-01-20T02:02:19.559000", "created": "2023-12-21T07:05:16.695000", "tags": [ "ssl certificate", "iocs", "ioc search", "new ioc", "teams api", "contact", "search", "threat", "paste", "blacklist https", "qakbot", "site", "cisco umbrella", "alexa top", "million", "ascii text", "pattern match", "file", "windows nt", "appdata", "indicator", "crlf line", "unicode text", "jpeg image", "mitre att", "hybrid", "general", "local", "error", "click", "strings", "microsoft", "threat analyzer", "urls https", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "heur", "malware site", "malicious site", "safe site", "malware", "html", "phishing site", "site top", "riskware", "unsafe", "artemis", "quasar rat", "downldr", "agent", "presenoker", "applicunwnt", "crack", "cve201711882", "win64", "iframe", "quasar", "trojanspy", "exit", "node tcp", "tor known", "tor relayrouter", "traffic", "anonymizer", "brasil", "phishing three", "united", "phishing bank", "virustotal", "tech", "bank", "maltiverse", "hidelink", "samples", "spyware", "injector", "mon jan", "tld count", "wed dec", "download", "first", "team", "simda", "bambernek", "simda simda", "infy", "alexa", "gregory", "cyber threat", "phishing", "engineering", "covid19", "telefonica co", "malicious", "zbot", "zeus", "betabot", "suppobox", "citadel", "pony", "kraken", "redline stealer", "ransomware", "vawtrak", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "plasma", "spyeye", "spitmo", "slingshot", "ramnit", "emotet", "pykspa", "virut", "installcore", "dorkbot", "bondat", "union", "vskimmer", "xtrat", "solar", "grandcrab", "nymaim", "matsnu", "cutwail", "cobalt strike", "hydra", "tinba", "nsis", "memscan", "deepscan", "runescape", "backdoor", "reddit", "tulach" ], "references": [ "https://seedbeej.pk/tin/index.php?QBOT.zip", "https://tulach.cc/ [phishing, exploits, malware spreader]", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "198.54.115.46 [exploit_source]", "gadyniw.com [command_and_control]", "gahyqah.com [command_and_control]", "galyqaz.com [command_and_control]", "lyvyxor.com [command_and_control]", "puzylyp.com [command_and_control]", "malicious.high.ml [dropper]", "https://www.reddit.com/user" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "vSkimmer", "display_name": "vSkimmer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Spitmo", "display_name": "Spitmo", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "DorkBot", "display_name": "DorkBot", "target": null }, { "id": "Slingshot", "display_name": "Slingshot", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Plasma RAT", "display_name": "Plasma RAT", "target": null }, { "id": "Neutrino", "display_name": "Neutrino", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "GrandCrab", "display_name": "GrandCrab", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Alinaos", "display_name": "Alinaos", "target": null }, { "id": "HawkEye", "display_name": "HawkEye", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Infy", "display_name": "Infy", "target": null }, { "id": "Dexter", "display_name": "Dexter", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "ASCII", "display_name": "ASCII", "target": null }, { "id": "Athena", "display_name": "Athena", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "COVID19", "display_name": "COVID19", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "Bondat", "display_name": "Bondat", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Hydra", "display_name": "Hydra", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 101, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8343, "FileHash-MD5": 953, "FileHash-SHA1": 489, "FileHash-SHA256": 3565, "domain": 1494, "hostname": 2218, "CVE": 6 }, "indicator_count": 17068, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6583e3a2d1432cbf9054d26d", "name": "Qkbot | Reddit", "description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip found in Reddit Honeypot link: https://www.reddit.com/user\nbackdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware, malvertizing, fraud services, full control of badly compromised digital profiles which have been discovered.", "modified": "2024-01-20T02:02:19.559000", "created": "2023-12-21T07:05:06.936000", "tags": [ "ssl certificate", "iocs", "ioc search", "new ioc", "teams api", "contact", "search", "threat", "paste", "blacklist https", "qakbot", "site", "cisco umbrella", "alexa top", "million", "ascii text", "pattern match", "file", "windows nt", "appdata", "indicator", "crlf line", "unicode text", "jpeg image", "mitre att", "hybrid", "general", "local", "error", "click", "strings", "microsoft", "threat analyzer", "urls https", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "heur", "malware site", "malicious site", "safe site", "malware", "html", "phishing site", "site top", "riskware", "unsafe", "artemis", "quasar rat", "downldr", "agent", "presenoker", "applicunwnt", "crack", "cve201711882", "win64", "iframe", "quasar", "trojanspy", "exit", "node tcp", "tor known", "tor relayrouter", "traffic", "anonymizer", "brasil", "phishing three", "united", "phishing bank", "virustotal", "tech", "bank", "maltiverse", "hidelink", "samples", "spyware", "injector", "mon jan", "tld count", "wed dec", "download", "first", "team", "simda", "bambernek", "simda simda", "infy", "alexa", "gregory", "cyber threat", "phishing", "engineering", "covid19", "telefonica co", "malicious", "zbot", "zeus", "betabot", "suppobox", "citadel", "pony", "kraken", "redline stealer", "ransomware", "vawtrak", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "plasma", "spyeye", "spitmo", "slingshot", "ramnit", "emotet", "pykspa", "virut", "installcore", "dorkbot", "bondat", "union", "vskimmer", "xtrat", "solar", "grandcrab", "nymaim", "matsnu", "cutwail", "cobalt strike", "hydra", "tinba", "nsis", "memscan", "deepscan", "runescape", "backdoor", "reddit", "tulach" ], "references": [ "https://seedbeej.pk/tin/index.php?QBOT.zip", "https://tulach.cc/ [phishing, exploits, malware spreader]", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "198.54.115.46 [exploit_source]", "gadyniw.com [command_and_control]", "gahyqah.com [command_and_control]", "galyqaz.com [command_and_control]", "lyvyxor.com [command_and_control]", "puzylyp.com [command_and_control]", "malicious.high.ml [dropper]", "https://www.reddit.com/user" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "vSkimmer", "display_name": "vSkimmer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Spitmo", "display_name": "Spitmo", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "DorkBot", "display_name": "DorkBot", "target": null }, { "id": "Slingshot", "display_name": "Slingshot", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Plasma RAT", "display_name": "Plasma RAT", "target": null }, { "id": "Neutrino", "display_name": "Neutrino", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "GrandCrab", "display_name": "GrandCrab", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Alinaos", "display_name": "Alinaos", "target": null }, { "id": "HawkEye", "display_name": "HawkEye", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Infy", "display_name": "Infy", "target": null }, { "id": "Dexter", "display_name": "Dexter", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "ASCII", "display_name": "ASCII", "target": null }, { "id": "Athena", "display_name": "Athena", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "COVID19", "display_name": "COVID19", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "Bondat", "display_name": "Bondat", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Hydra", "display_name": "Hydra", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 98, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8343, "FileHash-MD5": 953, "FileHash-SHA1": 489, "FileHash-SHA256": 3565, "domain": 1494, "hostname": 2218, "CVE": 6 }, "indicator_count": 17068, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c3af07b73d51dc4bb9efbc", "name": "Phrishing and MiSL, at odomou.com", "description": "Lots of communicating files, mostly misl amd phishing but also a few other random baddiez.", "modified": "2023-09-10T13:02:26.487000", "created": "2023-07-28T12:05:27.845000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Hell-On-A-Stick", "id": "186907", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 489, "FileHash-MD5": 135, "FileHash-SHA1": 129, "URL": 316, "domain": 341, "hostname": 219, "CVE": 1 }, "indicator_count": 1630, "is_author": false, "is_subscribing": null, "subscriber_count": 51, "modified_text": "994 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "malicious.high.ml [dropper]", "https://www.virustotal.com/gui/file/02ed9fac1ebab76f551f1c27c0831541a3e0a6a716b392b16f34689b8fba08d8/detection", "Matches rule ET INFO Namecheap URL", "redhatdelete.com", "198.54.115.46 [exploit_source]", "lyvyxor.com [command_and_control]", "https://www.apple.com/qtactivex/qtplugin.cab [https://www.icloud.com .cab]", "https://seedbeej.pk/tin/index.php?QBOT.zip", "https://tulach.cc/ [Botnet phishing]", "Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Tim Shelton, Nasreddine Bencherch", "Win.Trojan.Simda: FileHash-SHA1 fec01e5e59034cafc2b1e95c23068e075f9dbe69", "114.114.114.114 [Tulach | Virus Network IP]", "www.forensickb.com \u2022 Computer Forensics, Malware Analysis & Digital Investigations", "https://hybrid-analysis.com/sample/8ed6c58fb2a5d50252bf106d31ed9e230925124443e4243bec9515c82ef0450c/68ddc351e27cb562e902d674", "Win.Trojan.Simda: FileHash-MD5 efe12fc770fb8647e22adb7f814666e7", "gahyqah.com [command_and_control]", "https://otx.alienvault.com/indicator/file/e6f8e2706058064d8f38d12923e52cec7a128218b39ca1fe60a2dde7ac3d158f | binary_yara mpress_2_xx_x86", "gadyniw.com [command_and_control]", "https://tulach.cc/ [phishing, exploits, malware spreader]", "VirTool:Win32/Injector: FileHash-MD5 baa1a920d33eee94e123f5dfb6bbe7456692e020d682ae45f0de66130f9ea0da", "puzylyp.com [command_and_control]", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "https://www.norad.mil/ [tracking]", "trojan.shiz/razy: FileHash-SHA256 02ed9fac1ebab76f551f1c27c0831541a3e0a6a716b392b16f34689b8fba08d8", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "VirTool:Win32/Injector: FileHash-SHA1 3e7124373729e9ec90ea1d01222bfdd84b0484e5", "https://www.reddit.com/user", "TEL:Win32/Qjwmonkey.A: FileHash-SHA256 30ffb056ad64037a918d80c120db5d0032b29feb7db97ed19824646381165a5d", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695", "Eternal Blue Wannacry \u2022 WannaCry Crypter", "trojan.shiz/razy | CS Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Benche", "TEL:Win32/Qjwmonkey.A: FileHash-MD5 535ce96e43fe532e1ddfd804dbde9c6a", "Win.Trojan.Simda: FileHash-SHA256 0187e1392266fff224de9e3d3fbbe1a05cea8b823906ad27ff577c6e348f6e3b", "https://www.reddit.com/user [honeypot]", "Ransom:Win32/Crowti.A: FileHash-MD5 d34cf3663902900ddf46b937449472b9", "www.apple.com [API property call]", "https://seedbeej.pk/tin/index.php?QBOT.zip. [Qbot zip]", "yesporn.fun", "VirTool:Win32/Injector: FileHash-SHA256 0806653f8af2e9c2530e453f8b1fea47f62f86b5b0b65487ddcfd014eea8e9fe", "Matches rule Windows Processes Suspicious Parent Directory by vburov", "trojan.shiz/razy | CS IDS: Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "trojan.shiz/razy | Capabilities Collection Log keystrokes via polling", "43.204.54.95 AS 16509 (AMAZON-02), http://r10.i.lencr.org/, www.maketrumppresidentagain.site", "trojan.shiz/razy | CS IDS: Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan", "trojan.shiz/razy | CS IDS: Matches rule PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning", "galyqaz.com [command_and_control]", "trojan.shiz/razy | CS IDS: Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda Matches rule PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning", "TEL:Win32/Qjwmonkey.A: FileHash-SHA1 51efdae4ba6bfec8e6f4ae2d7f6dc8cca42db1da", "http://114.114.114.114:90/p/cdbdd4a09a64909694281aec503746fd/mobile_index.html?MTE0LjExNC4xMTQuMTE0L2xvZ2luP2hhc19vcmlfdXJp [Tulach | Malicious]", "POLICY Unsupported/Fake Internet Explorer Version MSIE 2", "Ransom:Win32/Crowti.A: FileHash-SHA1 05a49b7502099932ff628ca5a8583397b7e2dca2", "www.norad.mil [tracking]", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "beacons.bcp.gvt.com [tracking]", "BigRock: gadyzyh.com", "https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc", "Ransom:Win32/Crowti.A: FileHash-SHA256 1ffa6a3f8844b5955fc5e7329a6fb766cc1f35b39201ceaf0bca282b5b0b8cf6", "Trojan-Ransom.Win32.Blocker.jgb Checkin" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Pinkslipbot", "Backdoor:win32/simda", "#lowfi:scpt:kiraasciiobfuscator", "Artemis", "Zeus", "Ransom:win32/wannacrypt.a!rsm", "Worm:win32/mofksys.rnd!mtb", "Nsis", "Virus:win32/floxif.h", "Qakbot", "Wannacrypt", "Alinaos", "Crypt3.blxp", "Zbot", "Installcore", "Wannacry", "Tel:trojandownloader:o97m/msiexecabuse", "Cobalt strike", "Ramnit", "Etpro trojan", "Bambernek", "Plasma rat", "Trojanspy:win32/swisyn", "Xpire.info", "Pws:win32/vb.cu", "Win.packed.zusy-7170176-0", "Artro", "Lolkek", "Tel:win32/qjwmonkey.a", "Chaos (elf)", "Suppobox", "Trojan:msil/clipbanker.gb!mtb", "Trojanspy", "Gregory", "Grandcrab", "Simda", "Infy", "Citadel", "Hidelink", "Athena", "Win.ransomware.locky-7766366-0", "Hacktool", "Vskimmer", "Neutrino", "Spitmo", "Eternal blue", "Trojan:win32/comspec", "Maltiverse", "'win32:trojan-gen", "Matsnu", "Worm:logo/logic", "Virut", "Worm:win32/mofksys.b", "Mitre attack", "Spyeye", "Hydra", "Bondat", "Mirai", "Ransom:win32/crowti.a", "Andromeda", "Ransomware", "Redline stealer", "Win.trojan.zbot-9880005-0", "Nymaim", "Trojandropper:win32/gamehack", "Slingshot", "Searchmeup", "Dorkbot", "Trojandownloader:win32/upatre.e", "Prynt", "Ascii", "Dexter", "Cycbot", "Hawkeye", "Xrat", "Tulach", "Virtool:win32/injector", "Trojan-ransom.win32.blocker.jgb checkin", "Betabot", "Alf:e5.spikeaex.rhh_pid", "Covid19", "Pony", "Quasar rat", "Kraken", "Rostpay", "Vawtrak", "Solar", "Cutwail", "Pykspa", "Et", "Dark power", "Virtool", "Quasar", "Win.trojan.simda", "Emotet" ], "industries": [ "Telecommunications" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 18, "pulses": [ { "id": "688d5bab9ce44c4321064457", "name": "xloader", "description": "", "modified": "2026-01-12T23:06:55.682000", "created": "2025-08-02T00:28:27.331000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 388, "FileHash-MD5": 83, "FileHash-SHA1": 45, "FileHash-SHA256": 308, "domain": 392, "hostname": 107 }, "indicator_count": 1323, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "138 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "683e4307a059dee6d1ade4ed", "name": "lumma", "description": "", "modified": "2026-01-04T22:52:50.774000", "created": "2025-06-03T00:34:15.050000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 31, "FileHash-SHA1": 22, "FileHash-SHA256": 90, "URL": 550, "domain": 380, "hostname": 33 }, "indicator_count": 1106, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ddc9048ba0719321307d03", "name": "Malicious Probe - WannaCry \u2022 WannaCrypt- Ransomware", "description": "Malicious remote cab / drive by via an alt google redirect , clicked image , suspicious, low amount of search results.\nRead coded image. Target/s phone -cnc and infected. #dead_connect #decrypted #hacked #nametactics", "modified": "2025-11-01T00:02:59.726000", "created": "2025-10-02T00:36:20.247000", "tags": [ "ip address", "key identifier", "x509v3 subject", "data", "v3 serial", "cus ogoogle", "trust", "cnwr3 validity", "subject public", "key info", "links", "dynamicloader", "high", "et exploit", "ms17010", "msf style", "probe ms17010", "generic flags", "dns lookup", "ransom", "write", "malware", "wannacrypt", "wannacry", "eternal blue", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "development att", "ssl certificate", "programfiles", "username", "windir", "userprofile", "mitre att", "ck matrix", "localappdata", "comspec", "model", "hybrid", "path", "click", "strings", "sabey type", "quasi type", "pegasus relationship", "fbi? files" ], "references": [ "www.forensickb.com \u2022 Computer Forensics, Malware Analysis & Digital Investigations", "Eternal Blue Wannacry \u2022 WannaCry Crypter", "https://hybrid-analysis.com/sample/8ed6c58fb2a5d50252bf106d31ed9e230925124443e4243bec9515c82ef0450c/68ddc351e27cb562e902d674" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "WannaCrypt", "display_name": "WannaCrypt", "target": null }, { "id": "Eternal Blue", "display_name": "Eternal Blue", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4246, "domain": 757, "hostname": 1039, "email": 1, "FileHash-SHA256": 2738, "FileHash-SHA1": 152, "FileHash-MD5": 140, "CVE": 1, "SSLCertFingerprint": 3 }, "indicator_count": 9077, "is_author": false, "is_subscribing": null, "subscriber_count": 147, "modified_text": "211 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ddc902283b04c489f7e1cd", "name": "Malicious Probe - WannaCry \u2022 WannaCrypt- Ransomware", "description": "Malicious remote cab / drive by via an alt google redirect , clicked image , suspicious, low amount of search results.\nRead coded image. Target/s phone -cnc and infected. #dead_connect #decrypted #hacked #nametactics", "modified": "2025-11-01T00:02:59.726000", "created": "2025-10-02T00:36:18.296000", "tags": [ "ip address", "key identifier", "x509v3 subject", "data", "v3 serial", "cus ogoogle", "trust", "cnwr3 validity", "subject public", "key info", "links", "dynamicloader", "high", "et exploit", "ms17010", "msf style", "probe ms17010", "generic flags", "dns lookup", "ransom", "write", "malware", "wannacrypt", "wannacry", "eternal blue", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "development att", "ssl certificate", "programfiles", "username", "windir", "userprofile", "mitre att", "ck matrix", "localappdata", "comspec", "model", "hybrid", "path", "click", "strings", "sabey type", "quasi type", "pegasus relationship", "fbi? files" ], "references": [ "www.forensickb.com \u2022 Computer Forensics, Malware Analysis & Digital Investigations", "Eternal Blue Wannacry \u2022 WannaCry Crypter", "https://hybrid-analysis.com/sample/8ed6c58fb2a5d50252bf106d31ed9e230925124443e4243bec9515c82ef0450c/68ddc351e27cb562e902d674" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "WannaCrypt", "display_name": "WannaCrypt", "target": null }, { "id": "Eternal Blue", "display_name": "Eternal Blue", "target": null }, { "id": "ET", "display_name": "ET", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4246, "domain": 757, "hostname": 1039, "email": 1, "FileHash-SHA256": 2738, "FileHash-SHA1": 152, "FileHash-MD5": 140, "CVE": 1, "SSLCertFingerprint": 3 }, "indicator_count": 9077, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "211 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688c8526be7a4df33863b5c5", "name": "VirusTotal - Shiz.ivr", "description": "*Win.Trojan.Shiz.ivr\n*PWS:Win32/Simda.D\n*virtool #injection#infostealer #network #cnc #block_not #virustotal_google #cnc #checking #procmem_yara\n#injection_inter_process\n#injection_create_remote_thread\n#antidebug_windows\n#multiple_useragents\n#network_fake_useragent\n#persistence_autorun\n#cape_detected_threat\n#antiav_detectfile\n#modify_proxy\n#deletes_self\n#infostealer_cookies\n#injection_createremotethread\n#suricata_alert\n~ vashti", "modified": "2025-08-31T08:01:04.297000", "created": "2025-08-01T09:13:10.510000", "tags": [ "dynamicloader", "unknown", "msie", "windows nt", "slcc2", "media center", "suspicious", "search", "high", "show", "copy", "possible", "write", "internal", "malware", "push", "local", "next", "contacted", "domains", "pulses", "related tags", "file type", "date april", "pm size", "sha1 sha256", "imphash pehash", "virustotal api", "bq jul", "united", "trojan", "backdoor", "virtool", "cnc beacon", "entries", "path max", "passive dns", "next associated", "cookie", "twitter", "body", "date", "medium", "simda", "global" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10303, "hostname": 1413, "FileHash-SHA256": 1868, "domain": 1877, "FileHash-MD5": 357, "FileHash-SHA1": 348, "SSLCertFingerprint": 2 }, "indicator_count": 16168, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "273 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5daf09a6d16f1e2c5c594c22", "name": "Simda - Malware Domain Feed V2", "description": "Command and Control domains for malware known as Simda. These domains are extracted from malware sandbox reports using a Machine Learning model trained on a corpus of good and bad domains.", "modified": "2025-07-15T21:13:57.066000", "created": "2019-10-22T13:52:38.770000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 209, "hostname": 5 }, "indicator_count": 214, "is_author": false, "is_subscribing": null, "subscriber_count": 1085, "modified_text": "320 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a4293d5bc5c915eac829e0", "name": "Ransom:Win32/Crowti.A : Android Windows | Win.Trojan.Simda CnC", "description": "", "modified": "2024-08-25T21:00:52.039000", "created": "2024-07-26T22:54:53.598000", "tags": [ "united", "unknown", "a domains", "accept", "link", "passive dns", "encrypt", "trmp", "ok server", "date", "meta", "whois lookup", "create date", "domain", "expiry date", "update date", "update", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr10", "validity", "public key", "info", "key algorithm", "dns replication", "subdomains", "first", "historical ssl", "record type", "ttl value", "cname", "certificates", "show", "entries", "yara rule", "delete", "search", "intel", "ms windows", "copy", "binary file", "get updates", "write", "as44273 host", "redacted for", "moved", "record value", "as54113", "body", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "files", "ip address", "files ip", "address domain", "as61969 team", "germany unknown", "msie", "chrome", "precondition", "gmt content", "united kingdom", "as396982 google", "as8075", "ireland unknown", "as21301", "aaaa", "status", "sha1", "windows nt", "sha256", "size", "ascii text", "pattern match", "mitre att", "ck id", "show technique", "span", "format", "click", "hybrid", "twitter", "generator", "tsvt", "strings", "download", "path", "contact", "suspicious", "invalid url", "open ports", "body html", "head title", "title head", "body h1", "reference", "bad request", "server", "version", "trojandropper", "ransom", "checkin", "ipv4", "trojan", "virtool", "http post", "theme directory", "without referer", "cycbot", "http response", "final url", "status code", "body length", "kb body", "headers server", "gmt etag", "gmt date", "referrer", "code signing", "serial number", "ca valid", "from", "valid", "valid usage", "verisign time", "stamping", "thumbprint", "class", "error", "info header", "name md5", "type", "language", "contained", "overlay", "gandi sas", "dynadot", "registrar", "dynadot inc", "cloudflare", "net technology", "corporation", "bigrock", "dynadot llc", "namecheap", "ip detections", "country", "contacted", "defense evasion", "access ta0006", "ta0009 command", "control ta0011", "impact ta0034", "impact ta0040", "ta0040", "samplepath", "pattern urls", "pattern domains", "memory pattern", "domains domain", "ip traffic", "typo squatting", "realteck audio", "phish", "mr windows", "partru", "goog mal", "android windows", "maze", "apple", "malware", "worm", "skynet", "microsoft", "trojan evader", "simda cnc", "showing", "filehash", "pulse pulses", "av detections", "ids detections", "delphi", "network", "crowdstrike" ], "references": [ "43.204.54.95 AS 16509 (AMAZON-02), http://r10.i.lencr.org/, www.maketrumppresidentagain.site", "trojan.shiz/razy: FileHash-SHA256 02ed9fac1ebab76f551f1c27c0831541a3e0a6a716b392b16f34689b8fba08d8", "trojan.shiz/razy | CS Sigma: Matches rule System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Benche", "trojan.shiz/razy | CS IDS: Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst", "trojan.shiz/razy | CS IDS: Matches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda Matches rule PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning", "trojan.shiz/razy | CS IDS: Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan", "trojan.shiz/razy | CS IDS: Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan", "trojan.shiz/razy | CS IDS: Matches rule PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning", "trojan.shiz/razy | Capabilities Collection Log keystrokes via polling", "https://www.virustotal.com/gui/file/02ed9fac1ebab76f551f1c27c0831541a3e0a6a716b392b16f34689b8fba08d8/detection", "https://otx.alienvault.com/indicator/file/e6f8e2706058064d8f38d12923e52cec7a128218b39ca1fe60a2dde7ac3d158f | binary_yara mpress_2_xx_x86", "Ransom:Win32/Crowti.A: FileHash-SHA256 1ffa6a3f8844b5955fc5e7329a6fb766cc1f35b39201ceaf0bca282b5b0b8cf6", "Ransom:Win32/Crowti.A: FileHash-MD5 d34cf3663902900ddf46b937449472b9", "Ransom:Win32/Crowti.A: FileHash-SHA1 05a49b7502099932ff628ca5a8583397b7e2dca2", "VirTool:Win32/Injector: FileHash-SHA256 0806653f8af2e9c2530e453f8b1fea47f62f86b5b0b65487ddcfd014eea8e9fe", "VirTool:Win32/Injector: FileHash-MD5 baa1a920d33eee94e123f5dfb6bbe7456692e020d682ae45f0de66130f9ea0da", "VirTool:Win32/Injector: FileHash-SHA1 3e7124373729e9ec90ea1d01222bfdd84b0484e5", "BigRock: gadyzyh.com", "Matches rule ET INFO Namecheap URL", "POLICY Unsupported/Fake Internet Explorer Version MSIE 2", "Win.Trojan.Simda: FileHash-SHA256 0187e1392266fff224de9e3d3fbbe1a05cea8b823906ad27ff577c6e348f6e3b", "Win.Trojan.Simda: FileHash-SHA1 fec01e5e59034cafc2b1e95c23068e075f9dbe69", "Win.Trojan.Simda: FileHash-MD5 efe12fc770fb8647e22adb7f814666e7", "TEL:Win32/Qjwmonkey.A: FileHash-SHA256 30ffb056ad64037a918d80c120db5d0032b29feb7db97ed19824646381165a5d", "TEL:Win32/Qjwmonkey.A: FileHash-SHA1 51efdae4ba6bfec8e6f4ae2d7f6dc8cca42db1da", "TEL:Win32/Qjwmonkey.A: FileHash-MD5 535ce96e43fe532e1ddfd804dbde9c6a", "Matches rule Files With System Process Name In Unsuspected Locations by Sander Wiebing, Tim Shelton, Nasreddine Bencherch", "Matches rule Windows Processes Suspicious Parent Directory by vburov" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Netherlands" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Upatre.E", "display_name": "TrojanDownloader:Win32/Upatre.E", "target": "/malware/TrojanDownloader:Win32/Upatre.E" }, { "id": "Ransom:Win32/Crowti.A", "display_name": "Ransom:Win32/Crowti.A", "target": "/malware/Ransom:Win32/Crowti.A" }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "Win.Trojan.Simda", "display_name": "Win.Trojan.Simda", "target": null }, { "id": "TEL:Win32/Qjwmonkey.A", "display_name": "TEL:Win32/Qjwmonkey.A", "target": "/malware/TEL:Win32/Qjwmonkey.A" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 549, "domain": 1182, "hostname": 590, "URL": 961, "FileHash-SHA256": 2466, "FileHash-MD5": 562, "SSLCertFingerprint": 7, "email": 4 }, "indicator_count": 6321, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "644 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d34c91868744aa1449fef2", "name": "Locky: File Deletion targeting incriminating archived files.", "description": "redhatdelete.com : Adversaries are deleting files in bulk from Virustotal, otx AlienVault, WebArchive, Perma.cc Urlscan.io, Archive.Today, Archive.ph, iCloud, apple data, photo deletion.\nVarious ransomware used. iOS service modified, cloud encrypted by adversary. Indicator point to a target with a zombie device. An iPhone and potentially other devices were targeted in a specific attack. | Locky Ransomware is a piece of malware that encrypts important files on your device, rendering them inaccessible and unusable.", "modified": "2024-03-20T12:00:39.809000", "created": "2024-02-19T12:41:52.846000", "tags": [ "it consultant", "uk collection", "dns intel", "ips collection", "suspicous ip", "whois file", "cname", "record type", "ttl value", "algorithm", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "whois lookup", "region create", "domain", "name server", "registrant name", "technical city", "region update", "united", "command decode", "mitre att", "suricata ipv4", "windows nt", "win64", "khtml", "gecko", "ck id", "cookie", "meta", "february", "hybrid", "general", "click", "strings", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "dns replication", "code", "namecheap", "registrar abuse", "namecheap inc", "privacy service", "withheld", "privacy", "dnssec", "email", "first", "bodis", "unknown", "creation date", "search", "emails", "as397240", "date", "next", "all octoseek", "threat roundup", "january", "june", "historical ssl", "referrer", "contacted", "group", "execution", "phishing", "malware", "core", "malicious", "dark power", "play ransomware", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 linker", "gnu linker", "compiler", "info header", "name md5", "overlay", "passive dns", "entries", "ipv4", "pulse pulses", "urls", "files", "trojan", "location united", "query", "activity dns", "observed dns", "msie", "high", "copy", "write", "win32", "hashes", "host interaction", "sabey type", "hallrender", "brian sabey", "memory pattern", "http requests", "http method", "get response", "dns resolutions", "ip traffic", "domains", "mutex", "samplepath", "created", "shell commands", "r processes", "tree", "analyze", "hostnames", "url https", "samples", "hostname", "pattern urls", "memory", "pattern", "pattern domains", "roundup", "formbook", "mirai", "ben c", "injection", "server", "scan endpoints", "show", "august", "bq feb", "chrome", "precondition", "virtool", "downloadmr", "body", "status", "servers", "record value", "name servers", "showing", "mailrubar", "trojanclicker", "slcc2", "media center", "delete c", "malware beacon", "suspicious", "class", "internal", "local", "encrypt", "as15169 google", "gmt cache", "twitter", "rostpay", "date hash", "avast avg", "mtb may", "susp", "cryp", "win32upatre may", "mtb showing", "lowfi", "aaaa", "win32pcmega jan", "urlshortner dec", "urlshortner sep", "as133618", "nxdomain", "as133775 xiamen", "germany unknown", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "whois record", "ssl certificate", "tsara brashears", "resolutions", "critical risk", "apple phone", "unlocker", "shell code", "installer", "ursnif", "hacktool", "emotet", "tracker", "chaos", "ransomexx", "xor ddos", "xorddos", "mitre attack", "parent domain", "urls url", "siblings", "metro", "communicating", "collection", "dropped", "skynet", "youth", "com laude", "ltd dba", "utc submissions", "submitters", "cloudflarenet", "akamaias", "digitaloceanasn", "csc corporate", "pt mora", "univjos", "etisalat misr", "acurix networks", "pty ltd", "beijing baidu", "highly targeted", "http", "network hijacks", "redline stealer", "whois sslcert", "contacted urls", "whois whois", "september", "hidden cobra", "threats", "kimsuky", "service", "read c", "create c", "write c", "regsetvalueexa", "mozilla", "capture", "asnone", "domain http", "request", "malware dns", "lookup wannacry", "default", "ransom", "push", "playgame", "command", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "yara detections", "debug", "icmp traffic", "pdb path", "pe section", "low software", "packing t1045", "ransomware", "egregor", "find", "false", "psexec", "powershell", "qakbot", "qbot", "icedid" ], "references": [ "redhatdelete.com", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "target": null }, { "id": "Rostpay", "display_name": "Rostpay", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "Chaos (ELF)", "display_name": "Chaos (ELF)", "target": null }, { "id": "TrojanDropper:Win32/GameHack", "display_name": "TrojanDropper:Win32/GameHack", "target": "/malware/TrojanDropper:Win32/GameHack" }, { "id": "Win.Ransomware.Locky-7766366-0", "display_name": "Win.Ransomware.Locky-7766366-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "ALF:E5.SpikeAex.rhh_pid", "display_name": "ALF:E5.SpikeAex.rhh_pid", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 57, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1848, "FileHash-SHA1": 1783, "FileHash-SHA256": 7170, "domain": 1649, "hostname": 1191, "email": 9, "URL": 729, "CVE": 2, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d3c31230455f6d8da3a9f0", "name": "Locky: File Deletion targeting incriminating archived files II", "description": "", "modified": "2024-03-20T12:00:39.809000", "created": "2024-02-19T21:07:30.887000", "tags": [ "it consultant", "uk collection", "dns intel", "ips collection", "suspicous ip", "whois file", "cname", "record type", "ttl value", "algorithm", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "whois lookup", "region create", "domain", "name server", "registrant name", "technical city", "region update", "united", "command decode", "mitre att", "suricata ipv4", "windows nt", "win64", "khtml", "gecko", "ck id", "cookie", "meta", "february", "hybrid", "general", "click", "strings", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "dns replication", "code", "namecheap", "registrar abuse", "namecheap inc", "privacy service", "withheld", "privacy", "dnssec", "email", "first", "bodis", "unknown", "creation date", "search", "emails", "as397240", "date", "next", "all octoseek", "threat roundup", "january", "june", "historical ssl", "referrer", "contacted", "group", "execution", "phishing", "malware", "core", "malicious", "dark power", "play ransomware", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 linker", "gnu linker", "compiler", "info header", "name md5", "overlay", "passive dns", "entries", "ipv4", "pulse pulses", "urls", "files", "trojan", "location united", "query", "activity dns", "observed dns", "msie", "high", "copy", "write", "win32", "hashes", "host interaction", "sabey type", "hallrender", "brian sabey", "memory pattern", "http requests", "http method", "get response", "dns resolutions", "ip traffic", "domains", "mutex", "samplepath", "created", "shell commands", "r processes", "tree", "analyze", "hostnames", "url https", "samples", "hostname", "pattern urls", "memory", "pattern", "pattern domains", "roundup", "formbook", "mirai", "ben c", "injection", "server", "scan endpoints", "show", "august", "bq feb", "chrome", "precondition", "virtool", "downloadmr", "body", "status", "servers", "record value", "name servers", "showing", "mailrubar", "trojanclicker", "slcc2", "media center", "delete c", "malware beacon", "suspicious", "class", "internal", "local", "encrypt", "as15169 google", "gmt cache", "twitter", "rostpay", "date hash", "avast avg", "mtb may", "susp", "cryp", "win32upatre may", "mtb showing", "lowfi", "aaaa", "win32pcmega jan", "urlshortner dec", "urlshortner sep", "as133618", "nxdomain", "as133775 xiamen", "germany unknown", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "whois record", "ssl certificate", "tsara brashears", "resolutions", "critical risk", "apple phone", "unlocker", "shell code", "installer", "ursnif", "hacktool", "emotet", "tracker", "chaos", "ransomexx", "xor ddos", "xorddos", "mitre attack", "parent domain", "urls url", "siblings", "metro", "communicating", "collection", "dropped", "skynet", "youth", "com laude", "ltd dba", "utc submissions", "submitters", "cloudflarenet", "akamaias", "digitaloceanasn", "csc corporate", "pt mora", "univjos", "etisalat misr", "acurix networks", "pty ltd", "beijing baidu", "highly targeted", "http", "network hijacks", "redline stealer", "whois sslcert", "contacted urls", "whois whois", "september", "hidden cobra", "threats", "kimsuky", "service", "read c", "create c", "write c", "regsetvalueexa", "mozilla", "capture", "asnone", "domain http", "request", "malware dns", "lookup wannacry", "default", "ransom", "push", "playgame", "command", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "yara detections", "debug", "icmp traffic", "pdb path", "pe section", "low software", "packing t1045", "ransomware", "egregor", "find", "false", "psexec", "powershell", "qakbot", "qbot", "icedid" ], "references": [ "redhatdelete.com", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "target": null }, { "id": "Rostpay", "display_name": "Rostpay", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "Chaos (ELF)", "display_name": "Chaos (ELF)", "target": null }, { "id": "TrojanDropper:Win32/GameHack", "display_name": "TrojanDropper:Win32/GameHack", "target": "/malware/TrojanDropper:Win32/GameHack" }, { "id": "Win.Ransomware.Locky-7766366-0", "display_name": "Win.Ransomware.Locky-7766366-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "ALF:E5.SpikeAex.rhh_pid", "display_name": "ALF:E5.SpikeAex.rhh_pid", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": "65d34c8a64436a7aee2e25a1", "export_count": 73, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Enqrypted", "id": "272105", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_272105/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1848, "FileHash-SHA1": 1783, "FileHash-SHA256": 7170, "domain": 1649, "hostname": 1191, "email": 9, "URL": 729, "CVE": 2, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d3acf32e1088e76165a307", "name": "Locky: File Deletion targeting incriminating archived files.", "description": "", "modified": "2024-03-20T12:00:39.809000", "created": "2024-02-19T19:33:07.504000", "tags": [ "it consultant", "uk collection", "dns intel", "ips collection", "suspicous ip", "whois file", "cname", "record type", "ttl value", "algorithm", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "whois lookup", "region create", "domain", "name server", "registrant name", "technical city", "region update", "united", "command decode", "mitre att", "suricata ipv4", "windows nt", "win64", "khtml", "gecko", "ck id", "cookie", "meta", "february", "hybrid", "general", "click", "strings", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "dns replication", "code", "namecheap", "registrar abuse", "namecheap inc", "privacy service", "withheld", "privacy", "dnssec", "email", "first", "bodis", "unknown", "creation date", "search", "emails", "as397240", "date", "next", "all octoseek", "threat roundup", "january", "june", "historical ssl", "referrer", "contacted", "group", "execution", "phishing", "malware", "core", "malicious", "dark power", "play ransomware", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 linker", "gnu linker", "compiler", "info header", "name md5", "overlay", "passive dns", "entries", "ipv4", "pulse pulses", "urls", "files", "trojan", "location united", "query", "activity dns", "observed dns", "msie", "high", "copy", "write", "win32", "hashes", "host interaction", "sabey type", "hallrender", "brian sabey", "memory pattern", "http requests", "http method", "get response", "dns resolutions", "ip traffic", "domains", "mutex", "samplepath", "created", "shell commands", "r processes", "tree", "analyze", "hostnames", "url https", "samples", "hostname", "pattern urls", "memory", "pattern", "pattern domains", "roundup", "formbook", "mirai", "ben c", "injection", "server", "scan endpoints", "show", "august", "bq feb", "chrome", "precondition", "virtool", "downloadmr", "body", "status", "servers", "record value", "name servers", "showing", "mailrubar", "trojanclicker", "slcc2", "media center", "delete c", "malware beacon", "suspicious", "class", "internal", "local", "encrypt", "as15169 google", "gmt cache", "twitter", "rostpay", "date hash", "avast avg", "mtb may", "susp", "cryp", "win32upatre may", "mtb showing", "lowfi", "aaaa", "win32pcmega jan", "urlshortner dec", "urlshortner sep", "as133618", "nxdomain", "as133775 xiamen", "germany unknown", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "whois record", "ssl certificate", "tsara brashears", "resolutions", "critical risk", "apple phone", "unlocker", "shell code", "installer", "ursnif", "hacktool", "emotet", "tracker", "chaos", "ransomexx", "xor ddos", "xorddos", "mitre attack", "parent domain", "urls url", "siblings", "metro", "communicating", "collection", "dropped", "skynet", "youth", "com laude", "ltd dba", "utc submissions", "submitters", "cloudflarenet", "akamaias", "digitaloceanasn", "csc corporate", "pt mora", "univjos", "etisalat misr", "acurix networks", "pty ltd", "beijing baidu", "highly targeted", "http", "network hijacks", "redline stealer", "whois sslcert", "contacted urls", "whois whois", "september", "hidden cobra", "threats", "kimsuky", "service", "read c", "create c", "write c", "regsetvalueexa", "mozilla", "capture", "asnone", "domain http", "request", "malware dns", "lookup wannacry", "default", "ransom", "push", "playgame", "command", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "yara detections", "debug", "icmp traffic", "pdb path", "pe section", "low software", "packing t1045", "ransomware", "egregor", "find", "false", "psexec", "powershell", "qakbot", "qbot", "icedid" ], "references": [ "redhatdelete.com", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "target": null }, { "id": "Rostpay", "display_name": "Rostpay", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "Chaos (ELF)", "display_name": "Chaos (ELF)", "target": null }, { "id": "TrojanDropper:Win32/GameHack", "display_name": "TrojanDropper:Win32/GameHack", "target": "/malware/TrojanDropper:Win32/GameHack" }, { "id": "Win.Ransomware.Locky-7766366-0", "display_name": "Win.Ransomware.Locky-7766366-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "ALF:E5.SpikeAex.rhh_pid", "display_name": "ALF:E5.SpikeAex.rhh_pid", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": "65d34c91868744aa1449fef2", "export_count": 64, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1848, "FileHash-SHA1": 1783, "FileHash-SHA256": 7170, "domain": 1649, "hostname": 1191, "email": 9, "URL": 729, "CVE": 2, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "lyryled.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "lyryled.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780267930.0250323 }