{ "type": "Domain", "indicator": "mashupdatabase.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/mashupdatabase.com", "alexa": "http://www.alexa.com/siteinfo/mashupdatabase.com", "indicator": "mashupdatabase.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3604969080, "indicator": "mashupdatabase.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "69d8a665177b8f64c7ce5fca", "name": "LibraryLoader \u2022 Samuel Tulach | Abuse of malicious sssets engineered by DevOp & Security Researcher", "description": "Samuel Tulach is involved in various projects related to government work, particularly in areas like DevSecOps and app modernization. \nOverview of Samuel Tulach's \"uploader.exe\"\nThe file \"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines. This classification indicates that the file poses a potential threat to users' systems.\nSecurity Engine Flags. Several security engines have flagged \"uploader.exe\" as malicious.\nSecureAge APEX\tMalicious\nSentinelOne\tMalicious\nImplications of Malicious Flags\nPotential Risks: Files flagged as malicious can lead to various security issues, including data theft, unauthorized access, or system damage.\nRecommended Actions: Users should avoid downloading or executing this file. If already downloaded, it is advisable to delete it and run a full system scan using reputable antivirus software.", "modified": "2026-04-10T07:27:33.587000", "created": "2026-04-10T07:27:33.587000", "tags": [ "x vercel", "united", "america", "germany malware", "family", "ck ids", "packing", "tulach", "ocsp", "extraction", "data upload", "enter sc", "extra data", "include review", "exclude sugges", "find s", "failed", "typ no", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "pattern match", "mitre att", "ascii text", "span", "title", "meta", "path", "april", "hybrid", "general", "local", "encrypt", "click", "strings", "main", "footer", "pcsb", "naga", "magda", "no expiration", "url https", "domain", "github pages", "a domains", "passive dns", "mtb jan", "class", "sea x", "accept encoding", "trojanspy", "accept", "otx logo", "all ipv4", "urls", "files", "america flag", "space", "ck matrix", "handle", "winvmaddress", "cdecl crashpad", "null", "software", "comment", "entity", "internal", "blank", "magic", "infinity", "first", "valentine", "error", "webview", "front", "patched", "root", "tristate", "libraryloader", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "filehash", "win32", "malware", "write", "backdoor", "present apr", "lowfi", "aaaa", "lowfijavazkm", "x.com", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "ff d5", "yara rule", "f0 ff", "eb e1", "unknown", "trojan", "zeppelin", "autorun", "united states", "china unknown", "div div", "ip address", "record value", "samuel tulach", "czechia unknown", "italy unknown", "gmt server", "all domain", "next associated", "reverse dns", "location czech", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "file type", "telfhash", "virustotal api", "vendor finding", "notes clamav", "files matching", "number", "t1045", "search", "directui", "element", "medium", "classinfobase", "value", "write c", "hwndhost", "sapeav12", "worm", "explorer", "insert", "movie", "mtb apr", "mtb mar", "trojandropper", "displayname", "windows", "high", "delete c", "tofsee", "stream", "push", "url http", "c mar", "virtool", "c jan", "c dec", "toolbar", "ransom", "article", "windows nt", "gmtvia", "html", "bad traffic", "et info", "tls handshake", "belgium", "present dec", "present feb", "intel", "elf upx", "medium risk", "info", "moved", "hostname add", "whois registrar", "media", "delphi", "guard", "code", "devsecops", "github", "github internet", "archive samuel", "tulach", "government work", "key areas", "devops process", "security engine", "flags", "apex malicious", "implications", "malicious flags", "potential risks", "name servers", "apple id", "script urls", "show process", "secure", "win64", "khtml", "gecko", "programfiles", "cookie", "comspec", "model", "june", "spawns", "id name", "malicious", "gui", "anti cheats", "game tech", "c++" ], "references": [ "https://nextcloud.tulach.cc/ \u2022 https://nextcloud.tulach.cc/", "bleepingcomputer.com \u2022 CliffsNotes", "x.com - Malware Packed", "nr-data.net \u2022 www.youtube.com", "Alerts network_icmp allocates_rwx packer_entropy pe_features pe_unknown_resource_name Related Pulses", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "discord.com \u2022 discord.gg", "api.item.yixun.com", "Unix.Trojan.Mirai-9441505-0 Yara Detections is__elf \u2022 217.11.249.145", "Domains Contacted: fenbushijujuefuwu.com", "angryblackwomyn.com", "https://medium.com/the-pink/how-a-white-womans-anger-makes-her-racism-spill-out-563853905a42", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/41ad1d349716b3e62f914c0907323ae8e0a37198d237a02d71a0d5e05ffaa727", "https://www.forpsi.com domain forpsi.com\t Domain asp.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "www.youtube.com/watch?v=GyuMozsVyYs (why would targets channel be controlled by Tulach)", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw", "x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290", "cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz", "porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop", "https://api.w.org/ \u2022 api.w.org", "remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png", "https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-assets-Twitter.b90ee19de735e00fb4a0.js", "developer.x.com \u2022 https://twitter.com/githubstatus", "https://twitter.com/juvlarN", "appleid.cdn-apple.com", "https://static.digitecgalaxus.ch/Files/communication/app-download-badges/apple_email_rasterized_2x/fr.png", "Samuel Tulach , an engineer writes about game security, Unity engine, and anti-cheat systems on his blog at tulach.cc", "Mr. Tulach \u2022 known for his work in cybersecurity, particularly in reverse engineering & malware analysis", "\"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines", "Due to Samuel Tulach\u2019s good reputation , assume his assets are being abused by threat actors targeting", "I haven\u2019t yet concluded why Tulach.cc is deeply interwoven in a malicious media campaign", "Samuel Tulach\u2019s assets have been tightly connected to M. Brian Sabey, Esq", "The next pulse will show Apple IoC\u2019s related to Tulach.cc" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LibraryLoader", "display_name": "LibraryLoader", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Azorult.FW!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Azorult.FW!rfn", "target": null }, { "id": "Win.Packed.Botx-10021462-0", "display_name": "Win.Packed.Botx-10021462-0", "target": null }, { "id": "Win.Malware.Cymt-10023133-0", "display_name": "Win.Malware.Cymt-10023133-0", "target": null }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Malware.Generickdz-9937235-0", "display_name": "Win.Malware.Generickdz-9937235-0", "target": null }, { "id": "Win.Malware.Razy-6979265-0", "display_name": "Win.Malware.Razy-6979265-0", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" }, { "id": "SLF:Win32/Elenquay.A", "display_name": "SLF:Win32/Elenquay.A", "target": "/malware/SLF:Win32/Elenquay.A" }, { "id": "Win.Dropper.QuasarRAT-10023124-0", "display_name": "Win.Dropper.QuasarRAT-10023124-0", "target": null }, { "id": "Win.Trojan.Zegost-9769410-0", "display_name": "Win.Trojan.Zegost-9769410-0", "target": null }, { "id": "ALF:HSTR:VirTool:Win32/Obfuscator!PECancer", "display_name": "ALF:HSTR:VirTool:Win32/Obfuscator!PECancer", "target": null }, { "id": "Win.Malware.Moonlight-9919383-0", "display_name": "Win.Malware.Moonlight-9919383-0", "target": null }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#LowfiJavaZKM", "display_name": "#LowfiJavaZKM", "target": null }, { "id": "Win.Malware.Swisyn-7610494-0", "display_name": "Win.Malware.Swisyn-7610494-0", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "Win.Packed.Stealerc-10017074-0", "display_name": "Win.Packed.Stealerc-10017074-0", "target": null }, { "id": "#Lowfi:Win32/AutoIt", "display_name": "#Lowfi:Win32/AutoIt", "target": "/malware/#Lowfi:Win32/AutoIt" }, { "id": "Html.Trojan.Ascii212_44_64_202-1", "display_name": "Html.Trojan.Ascii212_44_64_202-1", "target": null }, { "id": "ALFPER:HSTR:WizremURL.A1", "display_name": "ALFPER:HSTR:WizremURL.A1", "target": null }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Win.Malware.Midie-6847893-0", "display_name": "Win.Malware.Midie-6847893-0", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win.Malware.Aauto-9839281-0", "display_name": "Win.Malware.Aauto-9839281-0", "target": null }, { "id": "Win.Trojan.Agent-1371484", "display_name": "Win.Trojan.Agent-1371484", "target": null }, { "id": "SLFPER:SoftwareBundler:Win32/ICLoader.A", "display_name": "SLFPER:SoftwareBundler:Win32/ICLoader.A", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_412f60c8!ibt", "display_name": "ALF:Trojan:Win32/Cassini_412f60c8!ibt", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2710, "domain": 1227, "hostname": 1206, "FileHash-SHA256": 3867, "IPv4": 318, "FileHash-MD5": 593, "FileHash-SHA1": 459, "IPv6": 1, "SSLCertFingerprint": 19, "email": 20, "CVE": 1 }, "indicator_count": 10421, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ddf5bda001ff2f840c20e7", "name": "Mofksys - Originated from an X.com image", "description": "Mofksys - Originated from an X.com image Clicked on image to expand. Image coded. IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWFF.COM - Seen before. Associated with Pegasus in the past. \n\n#wannacry #wannacrypt #ransomware #phishing #other_malware_packed#cabby#driveby #milesmx #keystrokes #record #screencapture #mofksys #remote access #fullaccess #code -#botnet #deadhost #otx_pulsed #hilo:", "modified": "2025-11-01T03:03:51.684000", "created": "2025-10-02T03:47:09.092000", "tags": [ "url http", "url https", "h oct", "united", "netherlands", "present apr", "passive dns", "ip address", "present jul", "domain add", "pulse pulses", "urls", "files", "trojan", "entries", "next associated", "mtb nov", "ipv4 add", "overview domain", "files ip", "address", "location united", "asn asnone", "whois registrar", "mtb apr", "files show", "date hash", "avast avg" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3888, "domain": 1009, "hostname": 2134, "FileHash-SHA256": 2150, "CVE": 1, "FileHash-MD5": 106, "FileHash-SHA1": 107 }, "indicator_count": 9395, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68451577ada8bb0aa0834edb", "name": "X - Business Social Media Account used to attack victim", "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.", "modified": "2025-07-08T04:03:04.386000", "created": "2025-06-08T04:45:43.423000", "tags": [ "trojan", "ids detections", "yara detections", "alerts", "analysis date", "file score", "upxoepplace", "pulses none", "related tags", "none file", "markus", "april", "win32", "copy", "usvwu", "usvw", "high", "medium", "show", "uss c", "binary file", "yara", "write", "delphi", "enigma", "present mar", "aaaa", "united", "passive dns", "date", "present nov", "moved", "urls", "creation date", "entries", "body", "trojandropper", "susp", "msr jul", "next associated", "pulse pulses", "mtb jun", "backdoor", "content length", "html document", "ascii text", "search", "internalname", "entries pe", "showing", "filehash", "md5 add", "av detections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "encrypt", "june", "hybrid", "local", "path", "click", "twitter", "strings", "url https", "url http", "report spam", "created", "hours ago", "bad actor", "ck ids", "t1057", "discovery", "t1071", "amer", "ipv4", "indicator role", "title added", "active related", "pulses", "china", "hong kong", "russia", "type indicator", "role title", "added active", "related pulses", "pulses url", "filehashsha256", "url add", "http", "ip address", "related nids", "files location", "flag united", "domain", "hostname", "next", "filehashmd5", "protocol", "t1105", "tool transfer", "t1480" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 637, "FileHash-SHA1": 639, "FileHash-SHA256": 5380, "domain": 676, "hostname": 1120, "URL": 1031, "SSLCertFingerprint": 4 }, "indicator_count": 9487, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "285 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6647908c09468f42bc1249f1", "name": "University of Alberta Azure/Entra Compromised Tenant Compromized Institution", "description": "Update: Academic/Non-Academic Staff Unions, 3rd party org, & some profs/students/alumni tried raising concerns to Admins/President/IST & CISO => Maintaining position they will not be looking into reported problems re: Cybersecurity under any circumstances = more time more problems? Attempts to advocate -> Harrass./Discrim./De-humanizing responses from admins (representing all folks - recorded). \nTenant ID: 718b8a9b-44d8-441a-a344-4294ea842172 = This pulse is 1 example (small) of problems.\n\nPrimary domain\nualbertaca.onmicrosoft.com\nCustom Domain Names\nualberta.ca\nVerified\nualbertaca.onmicrosoft.com", "modified": "2025-03-01T04:59:57.222000", "created": "2024-05-17T17:14:52.317000", "tags": [ "false", "true", "visible", "application", "microsoft teams", "microsoft azure", "office", "service", "dynamics", "hidden", "android", "explorer", "write", "connector", "test", "sharepoint", "live", "meister", "tools", "desktop", "spark", "front", "enterprise", "designer", "atlas", "premium", "assistant", "allow", "azureadmyorg", "game", "verify", "microsoft power", "channelsurfcli", "mtd1", "file transfer", "magnus", "microsoft crm", "youth" ], "references": [ "All - EnterpriseAppsList.csv", "AppRegistrationList.csv", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://tria.ge/240521-q4s79agb25/static1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://urlscan.io/search/#ualberta.ca", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1703, "FileHash-SHA256": 90472, "URL": 99185, "domain": 82954, "hostname": 39041, "FileHash-SHA1": 1624, "email": 4658, "CVE": 12 }, "indicator_count": 319649, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "414 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "663b4a3d4df0c7f120a8c60c", "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE [02/27/2024]", "description": "", "modified": "2024-05-08T09:47:41.535000", "created": "2024-05-08T09:47:41.535000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [has a medium risk GandCrab ransomware attack]", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": "65de914a22e80e90ac329dce", "export_count": 1176, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "711 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d97b3040e853a998bbd2cf", "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE", "description": "GandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab Ransomware is a ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.In many instances, files are encrypted to control, spy, monitor dns traffic, download other malware, spy on targets, modify, delete, write on victims devices going undetected.", "modified": "2024-03-25T03:03:48.639000", "created": "2024-02-24T05:14:24.088000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [suffered a medium risk GandCrab ransomware attack] I guess they don't know.", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable", "identity_helper.exe\" loaded module \"%WINDIR%\\System32\\bcrypt.dll\" at 73470000" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "755 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d97b3131bb8503e087d749", "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE", "description": "GandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab Ransomware is a ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.In many instances, files are encrypted to control, spy, monitor dns traffic, download other malware, spy on targets, modify, delete, write on victims devices going undetected.", "modified": "2024-03-25T03:03:48.639000", "created": "2024-02-24T05:14:25.808000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [suffered a medium risk GandCrab ransomware attack] I guess they don't know.", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable", "identity_helper.exe\" loaded module \"%WINDIR%\\System32\\bcrypt.dll\" at 73470000" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "755 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d97d89cda3f0dbf62f499d", "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE", "description": "*Edit: I meant to mean at&t may be unaware despite reported outage. My AT&T study is private and researched from corporate device. \n\nGandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab Ransomware is a ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.In many instances, files are encrypted to control, spy, monitor dns traffic, download other malware, spy on targets, modify, delete, write on victims devices going undetected.", "modified": "2024-03-25T03:03:48.639000", "created": "2024-02-24T05:24:25.169000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [has a medium risk GandCrab ransomware attack]", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "755 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d97d8e925459e97ca124c9", "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE", "description": "*Edit: I meant to mean at&t may be unaware despite reported outage. My AT&T study is private and researched from corporate device. \n\nGandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab Ransomware is a ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.In many instances, files are encrypted to control, spy, monitor dns traffic, download other malware, spy on targets, modify, delete, write on victims devices going undetected.", "modified": "2024-03-25T03:03:48.639000", "created": "2024-02-24T05:24:30.672000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [has a medium risk GandCrab ransomware attack]", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "755 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65da19c17ee182a7fb5122a0", "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE", "description": "", "modified": "2024-03-25T03:03:48.639000", "created": "2024-02-24T16:30:57.575000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [has a medium risk GandCrab ransomware attack]", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": "65d97d8e925459e97ca124c9", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "755 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65dc53a7d5ebf2b12d2e4bf1", "name": "test", "description": "", "modified": "2024-03-25T03:03:48.639000", "created": "2024-02-26T09:02:31.405000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [has a medium risk GandCrab ransomware attack]", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": "65da19c17ee182a7fb5122a0", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "drissm69", "id": "272382", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 2, "modified_text": "755 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65de914a22e80e90ac329dce", "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE", "description": "", "modified": "2024-03-25T03:03:48.639000", "created": "2024-02-28T01:50:02.478000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [has a medium risk GandCrab ransomware attack]", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": "65d97d89cda3f0dbf62f499d", "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "755 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65bc0cf9b0dac1aa7f9046cf", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:28:25.092000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "778 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65bc0cfda433eb05bde3827b", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:28:29.606000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "778 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65bc0d2518a7ef9bb17df1b9", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:29:09.832000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "778 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65bc0d302007152543202bac", "name": "WannaCry", "description": "WannaCry ransomware explained. WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money", "modified": "2024-03-02T21:02:32.756000", "created": "2024-02-01T21:29:20.375000", "tags": [ "contacted", "tsara brashears", "urls url", "files", "pegasus", "domains", "cellbrite", "targets sa", "survivor", "apple ios", "execution", "lockbit", "malware", "core", "awful", "hacktool", "crypto", "ransomexx", "quasar", "asyncrat", "bot network", "loader", "ransomware", "wannacry", "cryptor", "encoder", "compiler", "win32 dll", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "vs98", "contained", "w english", "info compiler", "products", "header intel", "name md5", "type", "language", "overlay", "as133618", "unknown", "cname", "united", "germany unknown", "ukraine unknown", "ireland unknown", "virgin islands", "as47846", "as39084 rinet", "date", "encrypt", "next", "microsoft visual c++ v6.0", "as133618 trellian pty. limited", "dynamicloader", "high", "t1063", "yara rule", "medium", "spoofs", "high security", "software", "discovery", "attempts", "april", "dropper", "reads self", "bots", "connect", "botnet", "sabey", "libel", "menacing", "brother sabey", "as15169 google", "aaaa", "search", "name servers", "as29182 jsc", "russia unknown", "found", "error" ], "references": [ "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "cellebrite.com | enterprise.cellebrite.com", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "deviceinbox.com", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "c1a99e3bde9bad27e463c32b96311312.virus", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "CS IDS rule: (port_scan) TCP filtered portsweep", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "Trojan:Win32/WannaCry.350", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "angebot.staude.de", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/" ], "public": 1, "adversary": "NSO Group - Pegasus", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/WannaCry.350", "display_name": "Trojan:Win32/WannaCry.350", "target": "/malware/Trojan:Win32/WannaCry.350" } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 310, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 67, "FileHash-SHA1": 62, "FileHash-SHA256": 2864, "domain": 1401, "URL": 5523, "hostname": 1766, "FilePath": 1, "CVE": 2, "email": 5 }, "indicator_count": 11691, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "778 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a9b4296442cc8db50a264f", "name": "Maui Ransomware ", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-18T23:28:41.569000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "653977171f690fb9ab978bf3", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a9b87d2d435bdad9ce80a3", "name": "Racoon Stealer ", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-18T23:47:09.818000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65a9b4296442cc8db50a264f", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65aab8eb55243c504a2cb4c0", "name": "Maui Ransomware", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-19T18:01:15.365000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65a9b4296442cc8db50a264f", "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65afcb842689eb776c0737e5", "name": "Maui Ransomware", "description": "", "modified": "2024-02-17T23:00:21.788000", "created": "2024-01-23T14:21:56.725000", "tags": [ "first", "algorithm", "v3 serial", "number", "issuer", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "namecheap", "server", "registrar abuse", "code", "namecheap inc", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "win32 exe", "win32 dll", "type name", "user", "dns replication", "description", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "community https", "urls", "amazonaes", "china telecom", "sector", "export", "cloud", "mb opera", "mb iesettings", "kb acrotray", "installer", "samplepath", "ssl certificate", "whois record", "tsara brashears", "apple ios", "p2404", "malware", "apple", "password", "critical risk", "password bypass", "core", "hacktool", "metro", "download", "critical", "copy", "relic", "monitoring", "emotet", "tulach", "tulach.cc", "united", "heur", "team", "firehol", "malware site", "cyber threat", "malicious site", "phishing", "phishing site", "malicious", "downer", "artemis", "dnspionage", "kuaizip", "fusioncore", "softcnapp", "downloader", "trojan", "zbot", "cisco umbrella", "site", "safe site", "alexa top", "million", "maltiverse", "phishtank", "bank", "unsafe", "riskware", "alexa", "service", "facebook", "presenoker", "agent", "stealer", "phish", "union", "azorult", "runescape", "generic", "crack", "dapato", "iframe", "downldr", "vidar", "raccoon", "remcos", "miner", "agenttesla", "unknown", "detplock", "networm", "win64", "trickbot", "telecom", "media", "webtoolbar", "trojanspy", "no data", "tag count", "tld count", "ip summary", "url summary", "summary", "detection list", "blacklist https", "pattern match", "samuel tulach", "file", "localappdata", "ascii text", "title", "windows", "hyperv", "span", "mitre att", "meta", "path", "light", "dark", "vmprotect", "main", "footer", "body", "class", "hybrid", "accept", "local", "click", "strings", "error", "script", "form", "root ca", "textarea", "github", "input", "trust", "general", "june", "threat roundup", "july", "whois whois", "collection", "august", "lolkek", "ransomware", "ursnif", "lockbit", "chaos", "quasar", "april", "quasar rat", "dark power", "swisyn", "wiper", "cobalt strike", "attack", "bitrat", "formbook", "qakbot", "ransomexx", "gootloader", "maui ransomware", "Cobalt Strike", "physical threat", "target", "contacted circa 10.23.2023-" ], "references": [ "tulach.cc [Adversarial Malware Attack Source]", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "init-p01st.push.apple.com", "newrelic.se [Apple Collection]", "apple-dns.net. [Apple email collection]", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "nr-data.net [ Hidden private Apple data collection]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "12 CVE exploits posted in 'scoreblue' CVE tally", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "https://pin.it/ [SQLi Dumper]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "msftconnecttest.com", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "104.200.22.130 Command and Control", "aig.com", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "103.224.212.34 scanning_host", "0-1.duckdns.org [malicious]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Tsara Brashears", "display_name": "Tsara Brashears", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Daisy Coleman", "display_name": "Daisy Coleman", "target": null }, { "id": "Twitter Malware", "display_name": "Twitter Malware", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "CVE JAR", "display_name": "CVE JAR", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "TrickBot - S0266", "display_name": "TrickBot - S0266", "target": null }, { "id": "Death Bitches", "display_name": "Death Bitches", "target": null }, { "id": "Bit RAT", "display_name": "Bit RAT", "target": null }, { "id": "Swisyn", "display_name": "Swisyn", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Fusioncore", "display_name": "Fusioncore", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "Chaos", "display_name": "Chaos", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Raccoon", "display_name": "Raccoon", "target": null }, { "id": "Crack", "display_name": "Crack", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Apple Malware", "display_name": "Apple Malware", "target": null }, { "id": "FonePaw", "display_name": "FonePaw", "target": null }, { "id": "Amazon AES", "display_name": "Amazon AES", "target": null }, { "id": "Facebook HT", "display_name": "Facebook HT", "target": null }, { "id": "Ransomexx", "display_name": "Ransomexx", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "Networm", "display_name": "Networm", "target": null }, { "id": "Dapato", "display_name": "Dapato", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:Win32/Detplock", "display_name": "Trojan:Win32/Detplock", "target": "/malware/Trojan:Win32/Detplock" }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "PwndLocker", "display_name": "PwndLocker", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [], "TLP": "green", "cloned_from": "65aab8eb55243c504a2cb4c0", "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 641, "domain": 2470, "FileHash-MD5": 656, "FileHash-SHA256": 8634, "hostname": 2629, "email": 4, "URL": 5605, "CVE": 12 }, "indicator_count": 20651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a2f9169d6996c1c928ac0b", "name": "Remote attack: Win32/Enosch.A gtalk connectivity check | High Priority", "description": "W32/Enosch.A!tr is classified as a Trojan. Trojan has the capabilities to remote access connection handling, perform Denial of Service (DoS) attacks. Worms automatically spread to other PCs. This threat can perform a number of actions of a malicious hacker's choice. This hacker is choosing to delete files, accounts, pulses, by graphs while acting as user. An authenticated use in browser bar https://www.google.com/?authuser=0.\n\nAttempts to modify,delete graphs, pulses, accounts, passwords. Acting as user.", "modified": "2024-02-12T20:02:49.516000", "created": "2024-01-13T20:56:54.333000", "tags": [ "default", "show", "regsetvalueexa", "search", "regdword", "medium", "settingswpad", "delete", "ids detections", "yara detections", "worm", "malware", "copy", "write", "win32", "first", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "graph community", "productidis", "urls", "mb iesettings", "related file", "cybersecurity", "agency", "csc corporate", "domains", "tucows domains", "nameweb bvba", "tucows", "google", "amazon02", "twitter", "ovh sas", "facebook", "incapsula", "optimizer", "activator", "kb program", "mb super", "kb acrotray", "1tzv", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "checks_debugger", "network_icmp", "network_smtp", "persistence_autorun", "modifies_proxy_wpad", "antivm_queries_computername", "dumped_buffer", "network_http", "antivm_network_adapters", "smtp_gmail", "attacking", "browser", "object", "deleted", "deleting", "deleted virustotal graphs", "corruption", "legal", "gvt", "adams co", "colorado", "law", "illegal practices", "hacking", "enter rexxfield", "roberts", "smith", "script urls", "as20940", "united", "a domains", "certificate", "showing", "entries", "entrust", "scan endpoints", "district", "as16625 akamai", "aaaa", "passive dns", "united kingdom", "whitelisted", "modification", "silence", "state", "hostname", "samples", "cover up", "silencing", "Iowa.gov", "dga", "fcc", "unsigned", "remote", "wiper", "nosy pega", "trojan", "unknown", "access denied", "servers", "creation date", "date", "next", "apple", "ssl certificate", "threat roundup", "march", "october", "july", "april", "whois record", "june", "roundup", "september", "august", "plugx", "goldfinder", "sibot", "hacktool", "february", "regsz", "english", "nsisinetc", "mozilla", "adobe air", "java", "http", "post http", "updater", "meta", "suspicious", "persistence", "execution", "referrer", "communicating", "skynet", "malicious", "gen.o", "dynamicloader", "cape", "enosch malware", "enosch", "music", "contacted", "pe resource", "resolutions", "siblings", "urls http" ], "references": [ "https://otx.alienvault.com/indicator/file/c98108ca8f4e0dd8a3f63d4ac490e115", "https://www.google.com/?authuser=0", "Wiper to Ransomware: The Evolution of Agrius - Sourced: ArcSight Threat Intelligence", "AS15133 MCI Communications Services Inc d b a Verizon Business, Loudon County, Va", "207 Iowa.gov domains and hosts acting as cyber security [cyberreason]", "iowa.gov, accidentreports.iowa.gov, beready.iowa.gov, affordableconnectivity.gov", "appanoosecounty.iowa.gov, bigben.iowa.gov [Ben Smith?]", "lacity.gov, auditortest.iowa.gov, broadband.iowa.gov, admin.auditor.iowa.gov,", "https://lacity.gov/san/index.htm, https://personnel.lacity.gov, https://lacity.gov/SAN,", "Domains Contacted: smtp.gmail.com www.google.com", "DGA Domain [affordableconnectivity.gov & GetInternet.gov] Home ACP Universal Service Administrative Company", "www.fcc.gov? DGA Domains : Certificate Subject\tUS 443 Certificate Subject\tDistrict of Columbia 443 Certificate Subject\tWashington 443 Certificate Subject\tFederal Communications Commission 443 Certificate Subject\tGovernment Entity 443 Certificate Subject\t1934-06-19 443 Certificate Subject\taffordableconnectivity.gov 443 Certificate Issuer\tEntrust, Inc. 443 Certificate Issuer\tSee www.entrust.net/legal-terms 443 Certificate Issuer", "(c) 2014 Entrust, Inc. - for authorized use only 443 Certificate Issuer\tEntrust Certification Authority - L1M", "https://www.clear.com.br/site/DirectTalk/Filter?botopenned=3Dtrue [???]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Belgium", "Netherlands", "Spain", "Australia", "Korea, Republic of", "Hong Kong" ], "malware_families": [ { "id": "Nullsoft_NSIS", "display_name": "Nullsoft_NSIS", "target": null }, { "id": "Win32:Agent-ASTI\\ [Trj]", "display_name": "Win32:Agent-ASTI\\ [Trj]", "target": null }, { "id": "Worm:Win32/Enosch!atmn", "display_name": "Worm:Win32/Enosch!atmn", "target": "/malware/Worm:Win32/Enosch!atmn" }, { "id": "Win.Trojan.Agent-357800", "display_name": "Win.Trojan.Agent-357800", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2701, "FileHash-SHA1": 1512, "FileHash-SHA256": 5351, "SSLCertFingerprint": 1, "URL": 1774, "email": 7, "hostname": 1170, "domain": 1209 }, "indicator_count": 13725, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "797 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a2f9200337f0d1fa195ada", "name": "Remote attack: Win32/Enosch.A gtalk connectivity check | High Priority", "description": "W32/Enosch.A!tr is classified as a Trojan. Trojan has the capabilities to remote access connection handling, perform Denial of Service (DoS) attacks. Worms automatically spread to other PCs. This threat can perform a number of actions of a malicious hacker's choice. This hacker is choosing to delete files, accounts, pulses, by graphs while acting as user. An authenticated use in browser bar https://www.google.com/?authuser=0.\n\nAttempts to modify,delete graphs, pulses, accounts, passwords. Acting as user.", "modified": "2024-02-12T20:02:49.516000", "created": "2024-01-13T20:57:04.197000", "tags": [ "default", "show", "regsetvalueexa", "search", "regdword", "medium", "settingswpad", "delete", "ids detections", "yara detections", "worm", "malware", "copy", "write", "win32", "first", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "graph community", "productidis", "urls", "mb iesettings", "related file", "cybersecurity", "agency", "csc corporate", "domains", "tucows domains", "nameweb bvba", "tucows", "google", "amazon02", "twitter", "ovh sas", "facebook", "incapsula", "optimizer", "activator", "kb program", "mb super", "kb acrotray", "1tzv", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "checks_debugger", "network_icmp", "network_smtp", "persistence_autorun", "modifies_proxy_wpad", "antivm_queries_computername", "dumped_buffer", "network_http", "antivm_network_adapters", "smtp_gmail", "attacking", "browser", "object", "deleted", "deleting", "deleted virustotal graphs", "corruption", "legal", "gvt", "adams co", "colorado", "law", "illegal practices", "hacking", "enter rexxfield", "roberts", "smith", "script urls", "as20940", "united", "a domains", "certificate", "showing", "entries", "entrust", "scan endpoints", "district", "as16625 akamai", "aaaa", "passive dns", "united kingdom", "whitelisted", "modification", "silence", "state", "hostname", "samples", "cover up", "silencing", "Iowa.gov", "dga", "fcc", "unsigned", "remote", "wiper", "nosy pega", "trojan", "unknown", "access denied", "servers", "creation date", "date", "next", "apple", "ssl certificate", "threat roundup", "march", "october", "july", "april", "whois record", "june", "roundup", "september", "august", "plugx", "goldfinder", "sibot", "hacktool", "february", "regsz", "english", "nsisinetc", "mozilla", "adobe air", "java", "http", "post http", "updater", "meta", "suspicious", "persistence", "execution", "referrer", "communicating", "skynet", "malicious", "gen.o", "dynamicloader", "cape", "enosch malware", "enosch", "music", "contacted", "pe resource", "resolutions", "siblings", "urls http" ], "references": [ "https://otx.alienvault.com/indicator/file/c98108ca8f4e0dd8a3f63d4ac490e115", "https://www.google.com/?authuser=0", "Wiper to Ransomware: The Evolution of Agrius - Sourced: ArcSight Threat Intelligence", "AS15133 MCI Communications Services Inc d b a Verizon Business, Loudon County, Va", "207 Iowa.gov domains and hosts acting as cyber security [cyberreason]", "iowa.gov, accidentreports.iowa.gov, beready.iowa.gov, affordableconnectivity.gov", "appanoosecounty.iowa.gov, bigben.iowa.gov [Ben Smith?]", "lacity.gov, auditortest.iowa.gov, broadband.iowa.gov, admin.auditor.iowa.gov,", "https://lacity.gov/san/index.htm, https://personnel.lacity.gov, https://lacity.gov/SAN,", "Domains Contacted: smtp.gmail.com www.google.com", "DGA Domain [affordableconnectivity.gov & GetInternet.gov] Home ACP Universal Service Administrative Company", "www.fcc.gov? DGA Domains : Certificate Subject\tUS 443 Certificate Subject\tDistrict of Columbia 443 Certificate Subject\tWashington 443 Certificate Subject\tFederal Communications Commission 443 Certificate Subject\tGovernment Entity 443 Certificate Subject\t1934-06-19 443 Certificate Subject\taffordableconnectivity.gov 443 Certificate Issuer\tEntrust, Inc. 443 Certificate Issuer\tSee www.entrust.net/legal-terms 443 Certificate Issuer", "(c) 2014 Entrust, Inc. - for authorized use only 443 Certificate Issuer\tEntrust Certification Authority - L1M", "https://www.clear.com.br/site/DirectTalk/Filter?botopenned=3Dtrue [???]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Belgium", "Netherlands", "Spain", "Australia", "Korea, Republic of", "Hong Kong" ], "malware_families": [ { "id": "Nullsoft_NSIS", "display_name": "Nullsoft_NSIS", "target": null }, { "id": "Win32:Agent-ASTI\\ [Trj]", "display_name": "Win32:Agent-ASTI\\ [Trj]", "target": null }, { "id": "Worm:Win32/Enosch!atmn", "display_name": "Worm:Win32/Enosch!atmn", "target": "/malware/Worm:Win32/Enosch!atmn" }, { "id": "Win.Trojan.Agent-357800", "display_name": "Win.Trojan.Agent-357800", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2701, "FileHash-SHA1": 1512, "FileHash-SHA256": 5351, "SSLCertFingerprint": 1, "URL": 1774, "email": 7, "hostname": 1170, "domain": 1209 }, "indicator_count": 13725, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "797 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a20ff8db3854e863dca324", "name": "Shared Modules | Hijacker | Masquerading", "description": "", "modified": "2024-02-12T04:01:56.040000", "created": "2024-01-13T04:22:16.961000", "tags": [ "filehashmd5", "no expiration", "iocs", "next", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "pcap", "filehashsha1", "filehashsha256", "ipv4", "hostname", "expiration", "domain", "url https", "url http", "source", "stix", "email", "email abuse", "goreasonlimited", "cc no", "tompc", "sum35", "domain xn", "searchbox0", "domainname0", "view", "apple", "apple id", "hijacking", "masquerading", "exploit", "cams", "monitoring", "loki bot", "dns", "open ports", "malvertizing", "malware hosting", "apple script", "js user", "dga", "dga domains", "malware", "multiple_versions", "wagersta", "decode", "system information discovery", "decrypt", "evasion", "defense evasion", "emotet", "android", "ios", "wannacry", "trojan", "worm", "cyber threat", "benjamin", "whois record", "ssl certificate", "contacted", "historical ssl", "referrer", "contacted urls", "execution", "whois whois", "whois sslcert", "and china", "drop", "uchealth", "university of cincinnati health" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2701, "FileHash-SHA1": 2296, "FileHash-SHA256": 3362, "URL": 6191, "domain": 2033, "hostname": 3097, "email": 37, "CVE": 2 }, "indicator_count": 19719, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "797 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659864357d1d3185efc5c112", "name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus", "description": "CVE-2017-0147 and other malware is attacking a large Colorado Hospital. A report was posted by colleague but is somehow deleted. This has been exploited in a major way. The ability to have full cnc of all Medical center computers, will interact, listen,attend remotely, can login to system. Can run unauthorized systems in the background, access microphone, computer, ability to freeze system,imaging, records modification, appointment, diagnosis modification, records can and have been removed from facility. I only noticed today's that it appears to have been created by an entity targeting Tsara Brashears in every way possible. Report in references. Low confidence of having been exploited, CVE and Network attack has been quite active for some time.", "modified": "2024-02-04T18:00:29.833000", "created": "2024-01-05T20:19:01.457000", "tags": [ "ssl certificate", "whois record", "execution", "contacted", "dropped", "historical ssl", "communicating", "referrer", "stolec kradnie", "vt graph", "first", "utc submissions", "submitters", "amazonaes", "amazon02", "cloudflarenet", "gandi sas", "csc corporate", "ltd dba", "com laude", "facebook", "paris", "twitter", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "url https", "samples", "bundled", "tracking", "tsara brashears", "malware hunting", "hacktool", "emotet", "copy", "brashears", "dynadot inc", "enom", "srsplus", "spaceship", "CVE-2017-0147", "spy cve", "pegasus", "CVE-2017-0147 also found in Pegasus", "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "hostnames", "urls https", "namecheap inc", "feeds ioc", "maltiverse", "analyze", "fastly", "mb installer", "helper", "summary iocs", "graph community", "urls", "urls http", "united", "unknown", "msie", "chrome", "passive dns", "body", "date", "gmt server", "user agent", "content type", "encrypt", "accept", "as136800 sun", "ipv4", "pulse submit", "url analysis", "files", "location hong", "kong asn", "dns resolutions", "dinkle threat", "mirai", "hallrender", "briansabey", "brian sabey", "mark sabey", "uche6vol", "uc health medical campus colorado medical campus", "abuse" ], "references": [ "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "CVE-2017-0147", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "114.114.114.114 - Tulach Malware", "Targeting", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "www.dead-speak.com", "Certificate Subject CN=brazzerspesonals.com", "http://r3.o.lencr.org", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "104.247.75.218 | [cnc ]", "www.governmentattic.org [privilege: malicious malware downloading]", "https://www.adultforce.com/ [malvertizing Tsara Brashears]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "TULACH", "display_name": "TULACH", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "SPACESHIP", "display_name": "SPACESHIP", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Virus:DOS/Paris", "display_name": "Virus:DOS/Paris", "target": "/malware/Virus:DOS/Paris" }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 885, "FileHash-SHA1": 505, "FileHash-SHA256": 5051, "URL": 12316, "domain": 3944, "hostname": 4449, "CVE": 2 }, "indicator_count": 27152, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659864448507cc1752ff6456", "name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus", "description": "CVE-2017-0147 and other malware is attacking a large Colorado Hospital. A report was posted by colleague but is somehow deleted. This has been exploited in a major way. The ability to have full cnc of all Medical center computers, will interact, listen,attend remotely, can login to system. Can run unauthorized systems in the background, access microphone, computer, ability to freeze system,imaging, records modification, appointment, diagnosis modification, records can and have been removed from facility. I only noticed today's that it appears to have been created by an entity targeting Tsara Brashears in every way possible. Report in references. Low confidence of having been exploited, CVE and Network attack has been quite active for some time.", "modified": "2024-02-04T18:00:29.833000", "created": "2024-01-05T20:19:16.886000", "tags": [ "ssl certificate", "whois record", "execution", "contacted", "dropped", "historical ssl", "communicating", "referrer", "stolec kradnie", "vt graph", "first", "utc submissions", "submitters", "amazonaes", "amazon02", "cloudflarenet", "gandi sas", "csc corporate", "ltd dba", "com laude", "facebook", "paris", "twitter", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "url https", "samples", "bundled", "tracking", "tsara brashears", "malware hunting", "hacktool", "emotet", "copy", "brashears", "dynadot inc", "enom", "srsplus", "spaceship", "CVE-2017-0147", "spy cve", "pegasus", "CVE-2017-0147 also found in Pegasus", "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "hostnames", "urls https", "namecheap inc", "feeds ioc", "maltiverse", "analyze", "fastly", "mb installer", "helper", "summary iocs", "graph community", "urls", "urls http", "united", "unknown", "msie", "chrome", "passive dns", "body", "date", "gmt server", "user agent", "content type", "encrypt", "accept", "as136800 sun", "ipv4", "pulse submit", "url analysis", "files", "location hong", "kong asn", "dns resolutions", "dinkle threat", "mirai", "hallrender", "briansabey", "brian sabey", "mark sabey", "uche6vol", "uc health medical campus colorado medical campus", "abuse" ], "references": [ "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "CVE-2017-0147", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "114.114.114.114 - Tulach Malware", "Targeting", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "www.dead-speak.com", "Certificate Subject CN=brazzerspesonals.com", "http://r3.o.lencr.org", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "104.247.75.218 | [cnc ]", "www.governmentattic.org [privilege: malicious malware downloading]", "https://www.adultforce.com/ [malvertizing Tsara Brashears]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "TULACH", "display_name": "TULACH", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "SPACESHIP", "display_name": "SPACESHIP", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Virus:DOS/Paris", "display_name": "Virus:DOS/Paris", "target": "/malware/Virus:DOS/Paris" }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 885, "FileHash-SHA1": 505, "FileHash-SHA256": 5051, "URL": 12316, "domain": 3944, "hostname": 4449, "CVE": 2 }, "indicator_count": 27152, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a4898fa85cad0af83e032d", "name": "SPACESHIP | CVE-2017-0147 - has been exploited at large Colorado Medical Campus ", "description": "", "modified": "2024-02-04T18:00:29.833000", "created": "2024-01-15T01:25:35.060000", "tags": [ "ssl certificate", "whois record", "execution", "contacted", "dropped", "historical ssl", "communicating", "referrer", "stolec kradnie", "vt graph", "first", "utc submissions", "submitters", "amazonaes", "amazon02", "cloudflarenet", "gandi sas", "csc corporate", "ltd dba", "com laude", "facebook", "paris", "twitter", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "url https", "samples", "bundled", "tracking", "tsara brashears", "malware hunting", "hacktool", "emotet", "copy", "brashears", "dynadot inc", "enom", "srsplus", "spaceship", "CVE-2017-0147", "spy cve", "pegasus", "CVE-2017-0147 also found in Pegasus", "mile high", "logos", "trademarks", "aylo premium", "click", "record keeping", "statement", "all rights", "reserved", "vendo", "hostnames", "urls https", "namecheap inc", "feeds ioc", "maltiverse", "analyze", "fastly", "mb installer", "helper", "summary iocs", "graph community", "urls", "urls http", "united", "unknown", "msie", "chrome", "passive dns", "body", "date", "gmt server", "user agent", "content type", "encrypt", "accept", "as136800 sun", "ipv4", "pulse submit", "url analysis", "files", "location hong", "kong asn", "dns resolutions", "dinkle threat", "mirai", "hallrender", "briansabey", "brian sabey", "mark sabey", "uche6vol", "uc health medical campus colorado medical campus", "abuse" ], "references": [ "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "CVE-2017-0147", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "114.114.114.114 - Tulach Malware", "Targeting", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "tsarabrashears.com", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "sweetheartvideo.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "www.dead-speak.com", "Certificate Subject CN=brazzerspesonals.com", "http://r3.o.lencr.org", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "104.247.75.218 | [cnc ]", "www.governmentattic.org [privilege: malicious malware downloading]", "https://www.adultforce.com/ [malvertizing Tsara Brashears]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "SABEY", "display_name": "SABEY", "target": null }, { "id": "TULACH", "display_name": "TULACH", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HallGrand", "display_name": "HallGrand", "target": null }, { "id": "CVE-2017-0147", "display_name": "CVE-2017-0147", "target": null }, { "id": "SPACESHIP", "display_name": "SPACESHIP", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Virus:DOS/Paris", "display_name": "Virus:DOS/Paris", "target": "/malware/Virus:DOS/Paris" }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "659864448507cc1752ff6456", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 885, "FileHash-SHA1": 505, "FileHash-SHA256": 5051, "URL": 12316, "domain": 3944, "hostname": 4449, "CVE": 2 }, "indicator_count": 27152, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65944a8149f2479b2fbc6cd1", "name": "Relic", "description": "Malicious redirect to BotNet malvertizing of a business affecting both .command YouTube distribution. YouTube encoded logins. Hacker attack, geo tracking, passwords crack, decryption, C2. Retaliation. Found in referenced Twitter link shared with me.", "modified": "2024-02-01T14:01:46.735000", "created": "2024-01-02T17:40:17.890000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers nel", "maxage5184000", "name verdict", "falcon sandbox", "whois record", "ssl certificate", "tsara brashears", "whois whois", "historical ssl", "contacted", "highly targeted", "hackers", "botnet", "apple ios", "malicious", "hacktool", "quasar", "download", "malware", "relic", "monitoring", "installer", "tofsee", "getprocaddress", "indicator", "prefetch8", "mitre att", "ck id", "show technique", "ck matrix", "united", "file", "pattern match", "path", "date", "win64", "factory", "model", "comspec", "hybrid", "general", "click", "strings", "patch", "song culture", "tulach" ], "references": [ "rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru [phishing] SongCulture.comm& YouTube redirected by hacker", "https://hybrid-analysis.com/sample/3f1b1621818b3cfef7c58d8c3e382932a5a817579dffe8fbefc4cf6fdb8fc21d", "https://www.virustotal.com/gui/url/4657cd9117ad26288f2af98767de164d9af64e9c22e3eda9580766688ec38652/community", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/,", "https://twitter.com/sheriffspurlock?lang=en", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "http://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru", "nr-data.net [Apple Private Data Collection]", "init.ess.apple.com [backdoor, malicious script, access via media]", "https://stackabuse.com/assets/images/apple", "https://apple.find-tracking.us/?id=jit./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./err", "location-icloud.com", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking| Botnet Campaign]", "mailtrack.io [tracking VirusTotal graphs, link trace back]", "http://rawlucky.com/submit/prizepicker/iq?devicemodel=iPhone&carrier=\u00aeion=Baghdad&brand=Apple&browser=AlohaBrowserMobile&prize=300k&u=track.bawiwia.com&isp=EarthlinkTelecommunicationsEquipmentTradingServicesDmcc&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=IQ&click_id=woot0oed65crk85u2oe4vubu&partner=2423996&skip=yes", "https://aheadofthegame.uk/about?utm_campaign=You%E2%80%99re%20nearly%20there!&utm_medium=email&utm_source=Eloqua&elqTrackId=e6385dd142e445f48aa17b4544780841&elq=0db2557254194121b23f3bec84f42097&elqaid=4059&elqat=1&elqCampaignId=", "https://pin.it/ [faux Pinterest for TB]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS Password Cracker [", "114.114.114.114 [ Tulach Malware IP]", "13.107.136.8 [ Tulach Malware IP redirect]", "http://114.114.114.114:9421/proxycontrolwarn/ [Tulach cnc | probe]", "http://114.114.114.114/d?dn=sinastorage.com [ storage of targeted individuals on and offline Behavior]", "http://114.114.114.114:7777/c/msdownload/update/others/2022/01/29136388_", "http://114.114.114.114/ipw.ps1", "194.245.148.189 [CnC]", "https://stackabuse.com/generating-command-line-interfaces-cli-with-fire-in-python/", "http://109.206.241.129/666bins/666.mpsl", "http://designspaceblog.com/?mystique=jquery_init&ver=2.4.2", "143.244.50.213 |169.150.249.162 [malware_hosting]", "http://watchhers.net/index.php [malware spreader]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Domain twitter.com No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 No Expiration\t0\t URL", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "xred.mooo.com [pornhub trojan]", "https://twitter.com/PORNO_SEXYBABES [ malvertizing, contextualizing, malicious]", "http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=DESKTOP-B0T93D6\\george", "https://otx.alienvault.com/indicator/url/https://www.hostinger.com/?REFERRALCODE=1ROCKY77 [ DGA parking]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Comspec", "display_name": "Comspec", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8049, "FileHash-MD5": 388, "FileHash-SHA1": 212, "FileHash-SHA256": 7062, "domain": 4401, "hostname": 2653, "CVE": 2, "SSLCertFingerprint": 2 }, "indicator_count": 22769, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "808 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659261d5965b4824d1606cf9", "name": "Pegasus - a-poster.info", "description": "", "modified": "2024-01-31T04:00:35.757000", "created": "2024-01-01T06:55:17.262000", "tags": [ "no expiration", "domain", "hostname", "ipv4", "expiration", "iocs", "ipv6", "url http", "url https", "next", "filehashmd5", "filehashsha1", "filehashsha256", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "cidr", "pcap", "stix", "subid", "mtsub26293293", "dashboard", "browse scan", "endpoints all", "octoseek", "a poster", "apple", "apple id", "apple engineering", "icloud", "tulach", "hallrender", "ck matrix", "ck id", "xobo", "a nxdomain", "sabey", "aaaa", "win32", "briansabey", "brian", "brian sabey", "urls https", "unknown urls", "united", "ttl value", "tsara brashears", "trojan", "tracker", "tofsee", "threat analyzer", "threat", "temp", "teams api", "subdomains", "active", "active threat", "strings", "status codes", "japan national police agency", "pegasus", "china", "aig", "ssl certificate", "accept", "ssh on server", "speakez securus", "show technique", "https", "relay", "state", "android", "address", "aposter", "workaposter", "sha256", "showing", "simple", "span", "small", "serving ip", "script", "search", "root", "ca", "samples", "root ca", "resolutions", "remote", "relay", "relacion", "referrer", "record value", "applenoc", "as16625", "attack", "apple attack", "bundled", "canvas", "mitre attk", "brute force passwords", "body length", "body", "backdoor", "bellsouth", "bahamut", "bell south", "mitre", "cellbrite", "class", "click", "authority", "contentencoding", "akamai", "as20940", "as24940 hetzner", "as58061 scalaxy", "scalaxy", "as714", "critical", "communicating", "quasar", "trojan", "et", "icefog", "pegasus", "tofsee", "cmd", "crypto", "error", "dns replication", "domain entries", "et cins", "execution", "cname", "config", "contact", "contacted", "copy", "creation date", "formbook", "jekyll", "graph", "germany unknown", "generator", "general", "forbidden", "falcon sandbox", "ssl hostname", "false", "file", "final url", "final url summary", "hashes files", "headers nel", "historical", "malicious host", "malvertizing", "malware", "tagging", "contextualizing", "localappdata", "install", "installer", "ioc search", "iocs kb", "body", "local", "United states", "name", "name servers", "mitre att", "metro", "meta", "mail spammer", "submit", "submit quasar", "phishing", "pattern match", "paste", "passive dns", "nxdomain", "national police agency japan", "network", "verdict", "cmd", "sandbox", "http response", "record type", "phishing", "nuance", "next", "new ioc", "subdomains", "germany", "reinsurance", "nuance", "cybercrime", "tracking", "cyber stalking", "fear", "masquerading", "cobalt strike" ], "references": [ "a-poster.info", "https://tulach.cc/", "images.ctfassets.net", "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]", "nr-data.net [Apple Private Data Collection]", "http://gmpg.org/xfn/11 [HTTrack]", "192.229.211.108 [Tracking & Virus Network]", "me.com [Pegasus]", "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]", "37.1.217.172 [scanning host]", "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands" ], "malware_families": [ { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "IceFog", "display_name": "IceFog", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4719, "domain": 2497, "hostname": 3549, "FileHash-MD5": 4118, "FileHash-SHA1": 3496, "FileHash-SHA256": 5861, "CIDR": 12, "email": 17 }, "indicator_count": 24269, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "809 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659261e2290ac1ecc5d9ca74", "name": "Pegasus - a-poster.info", "description": "", "modified": "2024-01-31T04:00:35.757000", "created": "2024-01-01T06:55:30.771000", "tags": [ "no expiration", "domain", "hostname", "ipv4", "expiration", "iocs", "ipv6", "url http", "url https", "next", "filehashmd5", "filehashsha1", "filehashsha256", "scan endpoints", "all octoseek", "create new", "pulse use", "pdf report", "cidr", "pcap", "stix", "subid", "mtsub26293293", "dashboard", "browse scan", "endpoints all", "octoseek", "a poster", "apple", "apple id", "apple engineering", "icloud", "tulach", "hallrender", "ck matrix", "ck id", "xobo", "a nxdomain", "sabey", "aaaa", "win32", "briansabey", "brian", "brian sabey", "urls https", "unknown urls", "united", "ttl value", "tsara brashears", "trojan", "tracker", "tofsee", "threat analyzer", "threat", "temp", "teams api", "subdomains", "active", "active threat", "strings", "status codes", "japan national police agency", "pegasus", "china", "aig", "ssl certificate", "accept", "ssh on server", "speakez securus", "show technique", "https", "relay", "state", "android", "address", "aposter", "workaposter", "sha256", "showing", "simple", "span", "small", "serving ip", "script", "search", "root", "ca", "samples", "root ca", "resolutions", "remote", "relay", "relacion", "referrer", "record value", "applenoc", "as16625", "attack", "apple attack", "bundled", "canvas", "mitre attk", "brute force passwords", "body length", "body", "backdoor", "bellsouth", "bahamut", "bell south", "mitre", "cellbrite", "class", "click", "authority", "contentencoding", "akamai", "as20940", "as24940 hetzner", "as58061 scalaxy", "scalaxy", "as714", "critical", "communicating", "quasar", "trojan", "et", "icefog", "pegasus", "tofsee", "cmd", "crypto", "error", "dns replication", "domain entries", "et cins", "execution", "cname", "config", "contact", "contacted", "copy", "creation date", "formbook", "jekyll", "graph", "germany unknown", "generator", "general", "forbidden", "falcon sandbox", "ssl hostname", "false", "file", "final url", "final url summary", "hashes files", "headers nel", "historical", "malicious host", "malvertizing", "malware", "tagging", "contextualizing", "localappdata", "install", "installer", "ioc search", "iocs kb", "body", "local", "United states", "name", "name servers", "mitre att", "metro", "meta", "mail spammer", "submit", "submit quasar", "phishing", "pattern match", "paste", "passive dns", "nxdomain", "national police agency japan", "network", "verdict", "cmd", "sandbox", "http response", "record type", "phishing", "nuance", "next", "new ioc", "subdomains", "germany", "reinsurance", "nuance", "cybercrime", "tracking", "cyber stalking", "fear", "masquerading", "cobalt strike" ], "references": [ "a-poster.info", "https://tulach.cc/", "images.ctfassets.net", "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]", "nr-data.net [Apple Private Data Collection]", "http://gmpg.org/xfn/11 [HTTrack]", "192.229.211.108 [Tracking & Virus Network]", "me.com [Pegasus]", "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]", "37.1.217.172 [scanning host]", "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands" ], "malware_families": [ { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "IceFog", "display_name": "IceFog", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Appleservice", "display_name": "Appleservice", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4695, "domain": 2494, "hostname": 3547, "FileHash-MD5": 4118, "FileHash-SHA1": 3496, "FileHash-SHA256": 5841, "CIDR": 12, "email": 17 }, "indicator_count": 24220, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "809 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65afca8042c6fe9412bfa29b", "name": "Red Team & Law Firm hijack targets Denver, Arizona, Indiana", "description": "", "modified": "2024-01-23T14:17:36.291000", "created": "2024-01-23T14:17:36.291000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65aec0fde095e6b58d81150c", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 1083, "URL": 4338, "hostname": 1386, "FileHash-SHA256": 1740, "FileHash-SHA1": 83, "email": 12, "FileHash-MD5": 96 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "817 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65afbae2f2128524e68c4344", "name": "RED TEAM ", "description": "", "modified": "2024-01-23T13:10:58.488000", "created": "2024-01-23T13:10:58.488000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65aebfa135f9d1d8ba5d74a9", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "craignbmed", "id": "181999", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_181999/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 1083, "URL": 4338, "hostname": 1386, "FileHash-SHA256": 1740, "FileHash-SHA1": 83, "email": 12, "FileHash-MD5": 96 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "817 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65aec5db33e8f0cb8010282c", "name": "Dark Angels Newest Threat -ESXi Ransomware [Pulse created by another user]", "description": "", "modified": "2024-01-22T19:45:31.378000", "created": "2024-01-22T19:45:31.378000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65aec0fde095e6b58d81150c", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 1083, "URL": 4338, "hostname": 1386, "FileHash-SHA256": 1740, "FileHash-SHA1": 83, "email": 12, "FileHash-MD5": 96 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "818 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65aec0fde095e6b58d81150c", "name": "Red Team & Law Firm attack target [copy users pulse] Denver, Arizona, Indiana, Germany", "description": "", "modified": "2024-01-22T19:24:45.664000", "created": "2024-01-22T19:24:45.664000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65aebfa135f9d1d8ba5d74a9", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 1083, "URL": 4338, "hostname": 1386, "FileHash-SHA256": 1740, "FileHash-SHA1": 83, "email": 12, "FileHash-MD5": 96 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "818 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65aebfa135f9d1d8ba5d74a9", "name": "Red Team - Cyber Security Defense Team attacking individuals for Attorney [copy]", "description": "", "modified": "2024-01-22T19:18:57.869000", "created": "2024-01-22T19:18:57.869000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65709f9a3d87b76cacd54245", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 1083, "URL": 4338, "hostname": 1386, "FileHash-SHA256": 1740, "FileHash-SHA1": 83, "email": 12, "FileHash-MD5": 96 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "818 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656457d8dfbb95a0be58b263", "name": "PHI at risk? Infected Healthcare System? Masquerading", "description": "Masquerading. Obnoxious privilege escalation. Dangerous entanglements. Attorneys representing target, reinsurance, doctors, and alleged SA PT 'seemingly' involved with attacking & silencing Brashears. Tulach Malware present. Masquerading? Health care establishment and patient PHI at risk. Targets safety @ risk. Found in workers compensation (spoofed?) attorney link.\nhttp://kaplanmorrell.com/meet-kaplan-morrel/meet-ronda-cordova/ (OTX Auto populated: Researchers from the Institute for Strategic Research (MITRE) in the United States have produced a report on the threat posed to the US government by hackers using the \"fireeyei\" web address.)", "modified": "2023-12-27T06:00:26.403000", "created": "2023-11-27T08:48:22.997000", "tags": [ "windir", "json data", "getprocaddress", "localappdata", "ascii text", "temp", "unicode text", "indicator", "file", "pattern match", "path", "factory", "hybrid", "general", "detection list", "blacklist", "alexa top", "cisco umbrella", "site", "million", "safe site", "malware", "malicious site", "alexa", "phishing site", "malware site", "unsafe", "netsky", "malicious", "downldr", "raccoon", "redline stealer", "metastealer", "phishing", "cobalt strike", "icedid", "opencandy", "exploit", "riskware", "agent", "xrat", "download", "mimikatz", "quasar rat", "union", "team", "bank", "cve201711882", "vidar", "swrort", "win64", "suspicious", "deepscan", "trojanspy", "maltiverse", "united", "proxy", "firehol", "possiblecerber", "outlook", "covid19", "artemis", "generic malware", "tag count", "malware generic", "wed sep", "threat report", "summary", "sample", "samples", "first", "ssl certificate", "threat roundup", "whois record", "contacted", "historical ssl", "march", "referrer", "july", "historical", "whois whois", "june", "execution", "august", "copy", "april", "hacktool", "skynet", "threat analyzer", "threat", "paste", "iocs", "urls https", "productidis", "heur", "anonymizer", "adware", "ransomware", "fuery", "rostpay", "wacatac", "genkryptik", "qakbot", "asyncrat", "installcore", "downloader", "driverpack", "systweak", "encdoc", "kryptik", "bitrep", "killav", "t", "noname057", "keylogger", "spyware", "ip summary", "url summary", "generic", "blacklist http", "malicious url", "iframe", "seraph", "webcompanion", "facebook", "crack", "xtrat", "cleaner", "azorult", "service", "runescape", "emotet", "blacknet rat", "stealer", "coinminer", "dropper", "fakealert", "conduit", "softcnapp", "nircmd", "unruy", "filetour", "patcher", "adload", "junk data", "random domains", "random hosts", "tsara brashears", "target", "phi", "uchealth", "content generating", "Web generator", "installcore" ], "references": [ "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996/65642d5cfa9d60126100612e", "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://fireeyei.iowa.gov/", "http://michaela.young@uchealth.com/", "http://uchealth.com/physician/frank-avilucea/", "https://my.uchealth.com/myuchealth/Visits/VisitDetails?csn=WP-24%E2%80%A6FJ0JuA-3D-3D-24vasu1ISpMoMuqD8IMEos5jRZZFiBtfPMciW-2FFH52VaQ-3D", "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf", "https://my.uchealth.com/myuchealth/inside.asp?mode=visitsummary&submode=notes&csn=WP-24PtuJGFUkCkn9owS5DdIspw-3D-3D-24g6bhGYash%E2%80%A6", "https://www.energyvanguard.com/blog/59284/Guest-Post-The-Fatal-Flaw-in-Advanced-Framing-Part-1", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=", "https://www.wlafx4trk.com/cmp/33K48/5ZK2T/?source_id=95_1236_91dabe93-2a51-4b93-bfd3-4a4bd7e00ff3_31&sub1=4df5b890c55d4bdead5ba03dde982afa", "https://yugemobile.com/tracking?plcmntid=ym5002&imps=2dda8436-396e-4b37-a917-0cce11ffb623", "Found in http://kaplanmorrell.com/meet-kaplan-morrel/meet-ronda-cordova/", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net (b.link infringement)", "nr-data.net (Apple Private Data Collection)", "uapi-qa.stlouisfed.org (Hospital Metadata)", "abc7news.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "T", "display_name": "T", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "O.Gen", "display_name": "O.Gen", "target": null }, { "id": "DriverReviver", "display_name": "DriverReviver", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "XRAT", "display_name": "XRAT", "target": null }, { "id": "Keylogger", "display_name": "Keylogger", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 789, "FileHash-SHA256": 5146, "SSLCertFingerprint": 2, "domain": 1794, "URL": 2130, "hostname": 1025, "FileHash-MD5": 1478, "CVE": 15 }, "indicator_count": 12379, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656a9a1c71847ed3f62bca19", "name": "PHI at risk? Infected Healthcare System? Masquerading", "description": "", "modified": "2023-12-27T06:00:26.403000", "created": "2023-12-02T02:44:44.329000", "tags": [ "windir", "json data", "getprocaddress", "localappdata", "ascii text", "temp", "unicode text", "indicator", "file", "pattern match", "path", "factory", "hybrid", "general", "detection list", "blacklist", "alexa top", "cisco umbrella", "site", "million", "safe site", "malware", "malicious site", "alexa", "phishing site", "malware site", "unsafe", "netsky", "malicious", "downldr", "raccoon", "redline stealer", "metastealer", "phishing", "cobalt strike", "icedid", "opencandy", "exploit", "riskware", "agent", "xrat", "download", "mimikatz", "quasar rat", "union", "team", "bank", "cve201711882", "vidar", "swrort", "win64", "suspicious", "deepscan", "trojanspy", "maltiverse", "united", "proxy", "firehol", "possiblecerber", "outlook", "covid19", "artemis", "generic malware", "tag count", "malware generic", "wed sep", "threat report", "summary", "sample", "samples", "first", "ssl certificate", "threat roundup", "whois record", "contacted", "historical ssl", "march", "referrer", "july", "historical", "whois whois", "june", "execution", "august", "copy", "april", "hacktool", "skynet", "threat analyzer", "threat", "paste", "iocs", "urls https", "productidis", "heur", "anonymizer", "adware", "ransomware", "fuery", "rostpay", "wacatac", "genkryptik", "qakbot", "asyncrat", "installcore", "downloader", "driverpack", "systweak", "encdoc", "kryptik", "bitrep", "killav", "t", "noname057", "keylogger", "spyware", "ip summary", "url summary", "generic", "blacklist http", "malicious url", "iframe", "seraph", "webcompanion", "facebook", "crack", "xtrat", "cleaner", "azorult", "service", "runescape", "emotet", "blacknet rat", "stealer", "coinminer", "dropper", "fakealert", "conduit", "softcnapp", "nircmd", "unruy", "filetour", "patcher", "adload", "junk data", "random domains", "random hosts", "tsara brashears", "target", "phi", "uchealth", "content generating", "Web generator", "installcore" ], "references": [ "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996/65642d5cfa9d60126100612e", "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://fireeyei.iowa.gov/", "http://michaela.young@uchealth.com/", "http://uchealth.com/physician/frank-avilucea/", "https://my.uchealth.com/myuchealth/Visits/VisitDetails?csn=WP-24%E2%80%A6FJ0JuA-3D-3D-24vasu1ISpMoMuqD8IMEos5jRZZFiBtfPMciW-2FFH52VaQ-3D", "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf", "https://my.uchealth.com/myuchealth/inside.asp?mode=visitsummary&submode=notes&csn=WP-24PtuJGFUkCkn9owS5DdIspw-3D-3D-24g6bhGYash%E2%80%A6", "https://www.energyvanguard.com/blog/59284/Guest-Post-The-Fatal-Flaw-in-Advanced-Framing-Part-1", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=", "https://www.wlafx4trk.com/cmp/33K48/5ZK2T/?source_id=95_1236_91dabe93-2a51-4b93-bfd3-4a4bd7e00ff3_31&sub1=4df5b890c55d4bdead5ba03dde982afa", "https://yugemobile.com/tracking?plcmntid=ym5002&imps=2dda8436-396e-4b37-a917-0cce11ffb623", "Found in http://kaplanmorrell.com/meet-kaplan-morrel/meet-ronda-cordova/", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net (b.link infringement)", "nr-data.net (Apple Private Data Collection)", "uapi-qa.stlouisfed.org (Hospital Metadata)", "abc7news.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "T", "display_name": "T", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "O.Gen", "display_name": "O.Gen", "target": null }, { "id": "DriverReviver", "display_name": "DriverReviver", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "XRAT", "display_name": "XRAT", "target": null }, { "id": "Keylogger", "display_name": "Keylogger", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "656457d8dfbb95a0be58b263", "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 789, "FileHash-SHA256": 5146, "SSLCertFingerprint": 2, "domain": 1794, "URL": 2130, "hostname": 1025, "FileHash-MD5": 1478, "CVE": 15 }, "indicator_count": 12379, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656aa406d0b8009df583c87c", "name": "PHI at risk? Infected Healthcare System? Masquerading", "description": "", "modified": "2023-12-27T06:00:26.403000", "created": "2023-12-02T03:27:02.624000", "tags": [ "windir", "json data", "getprocaddress", "localappdata", "ascii text", "temp", "unicode text", "indicator", "file", "pattern match", "path", "factory", "hybrid", "general", "detection list", "blacklist", "alexa top", "cisco umbrella", "site", "million", "safe site", "malware", "malicious site", "alexa", "phishing site", "malware site", "unsafe", "netsky", "malicious", "downldr", "raccoon", "redline stealer", "metastealer", "phishing", "cobalt strike", "icedid", "opencandy", "exploit", "riskware", "agent", "xrat", "download", "mimikatz", "quasar rat", "union", "team", "bank", "cve201711882", "vidar", "swrort", "win64", "suspicious", "deepscan", "trojanspy", "maltiverse", "united", "proxy", "firehol", "possiblecerber", "outlook", "covid19", "artemis", "generic malware", "tag count", "malware generic", "wed sep", "threat report", "summary", "sample", "samples", "first", "ssl certificate", "threat roundup", "whois record", "contacted", "historical ssl", "march", "referrer", "july", "historical", "whois whois", "june", "execution", "august", "copy", "april", "hacktool", "skynet", "threat analyzer", "threat", "paste", "iocs", "urls https", "productidis", "heur", "anonymizer", "adware", "ransomware", "fuery", "rostpay", "wacatac", "genkryptik", "qakbot", "asyncrat", "installcore", "downloader", "driverpack", "systweak", "encdoc", "kryptik", "bitrep", "killav", "t", "noname057", "keylogger", "spyware", "ip summary", "url summary", "generic", "blacklist http", "malicious url", "iframe", "seraph", "webcompanion", "facebook", "crack", "xtrat", "cleaner", "azorult", "service", "runescape", "emotet", "blacknet rat", "stealer", "coinminer", "dropper", "fakealert", "conduit", "softcnapp", "nircmd", "unruy", "filetour", "patcher", "adload", "junk data", "random domains", "random hosts", "tsara brashears", "target", "phi", "uchealth", "content generating", "Web generator", "installcore" ], "references": [ "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996/65642d5cfa9d60126100612e", "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://fireeyei.iowa.gov/", "http://michaela.young@uchealth.com/", "http://uchealth.com/physician/frank-avilucea/", "https://my.uchealth.com/myuchealth/Visits/VisitDetails?csn=WP-24%E2%80%A6FJ0JuA-3D-3D-24vasu1ISpMoMuqD8IMEos5jRZZFiBtfPMciW-2FFH52VaQ-3D", "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf", "https://my.uchealth.com/myuchealth/inside.asp?mode=visitsummary&submode=notes&csn=WP-24PtuJGFUkCkn9owS5DdIspw-3D-3D-24g6bhGYash%E2%80%A6", "https://www.energyvanguard.com/blog/59284/Guest-Post-The-Fatal-Flaw-in-Advanced-Framing-Part-1", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=", "https://www.wlafx4trk.com/cmp/33K48/5ZK2T/?source_id=95_1236_91dabe93-2a51-4b93-bfd3-4a4bd7e00ff3_31&sub1=4df5b890c55d4bdead5ba03dde982afa", "https://yugemobile.com/tracking?plcmntid=ym5002&imps=2dda8436-396e-4b37-a917-0cce11ffb623", "Found in http://kaplanmorrell.com/meet-kaplan-morrel/meet-ronda-cordova/", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net (b.link infringement)", "nr-data.net (Apple Private Data Collection)", "uapi-qa.stlouisfed.org (Hospital Metadata)", "abc7news.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "T", "display_name": "T", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "O.Gen", "display_name": "O.Gen", "target": null }, { "id": "DriverReviver", "display_name": "DriverReviver", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "QakBot - S0650", "display_name": "QakBot - S0650", "target": null }, { "id": "XRAT", "display_name": "XRAT", "target": null }, { "id": "Keylogger", "display_name": "Keylogger", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "656457d8dfbb95a0be58b263", "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 789, "FileHash-SHA256": 5146, "SSLCertFingerprint": 2, "domain": 1794, "URL": 2130, "hostname": 1025, "FileHash-MD5": 1478, "CVE": 15 }, "indicator_count": 12379, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a8ab04f4376f74586eeb", "name": "Compromise source", "description": "", "modified": "2023-12-06T17:00:27.266000", "created": "2023-12-06T17:00:27.266000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 1538, "hostname": 1049, "domain": 400, "URL": 3075, "FileHash-MD5": 258, "FileHash-SHA1": 136 }, "indicator_count": 6457, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a77022ab8eb59e186099", "name": "scan_host", "description": "", "modified": "2023-12-06T16:55:12.020000", "created": "2023-12-06T16:55:12.020000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 113, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a72f140326fa725a7583", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:54:07.518000", "created": "2023-12-06T16:54:07.518000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a71746cd05b8ffc71d86", "name": "Application Layer Protocol", "description": "", "modified": "2023-12-06T16:53:43.601000", "created": "2023-12-06T16:53:43.601000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a6f9f0cb95f36a8590b6", "name": "Application Layer Protocol", "description": "", "modified": "2023-12-06T16:53:13.036000", "created": "2023-12-06T16:53:13.036000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a6e151668215a7eb7ef6", "name": "Cyber Criminal Group", "description": "", "modified": "2023-12-06T16:52:49.885000", "created": "2023-12-06T16:52:49.885000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 113, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a6cfa62bb520508659a6", "name": "NewOrder.doc", "description": "", "modified": "2023-12-06T16:52:31.959000", "created": "2023-12-06T16:52:31.959000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a4049421d107b6ade1c0", "name": "", "description": "", "modified": "2023-12-06T16:40:36.624000", "created": "2023-12-06T16:40:36.624000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 1083, "URL": 4338, "hostname": 1386, "FileHash-SHA256": 1740, "FileHash-SHA1": 83, "email": 12, "FileHash-MD5": 96 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a3fdf7637f464de729d2", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:40:29.875000", "created": "2023-12-06T16:40:29.875000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 1083, "URL": 4338, "hostname": 1386, "FileHash-SHA256": 1740, "FileHash-SHA1": 83, "email": 12, "FileHash-MD5": 96 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a3f88930c56241d29c80", "name": "Spammer", "description": "", "modified": "2023-12-06T16:40:24.522000", "created": "2023-12-06T16:40:24.522000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 1083, "URL": 4338, "hostname": 1386, "FileHash-SHA256": 1740, "FileHash-SHA1": 83, "email": 12, "FileHash-MD5": 96 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a3f24e8fd846cc01d23e", "name": "DGA DOMAIN", "description": "", "modified": "2023-12-06T16:40:18.209000", "created": "2023-12-06T16:40:18.209000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 1083, "URL": 4338, "hostname": 1386, "FileHash-SHA256": 1740, "FileHash-SHA1": 83, "email": 12, "FileHash-MD5": 96 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a3ec011405ef6fcd8cb0", "name": "Passive DNS", "description": "", "modified": "2023-12-06T16:40:12.247000", "created": "2023-12-06T16:40:12.247000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "domain": 1083, "URL": 4338, "hostname": 1386, "FileHash-SHA256": 1740, "FileHash-SHA1": 83, "email": 12, "FileHash-MD5": 96 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a3dd6b4fb6460f906d0b", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:39:57.080000", "created": "2023-12-06T16:39:57.080000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "domain": 4157, "URL": 15415, "FileHash-SHA256": 7002, "hostname": 4814, "FileHash-MD5": 191, "FileHash-SHA1": 182, "email": 2, "CIDR": 2 }, "indicator_count": 31769, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "http://fireeyei.iowa.gov/", "CS IDS rule: ET DROP Spamhaus DROP Listed Traffic Inbound group 14", "identity_helper.exe\" loaded module \"%WINDIR%\\System32\\bcrypt.dll\" at 73470000", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "671425187f3ec0da502d2e6b760de93661c1cf5381f81d21c64c6015fbcde2b3", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List", "angebot.staude.de", "me.com [Pegasus]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "ncsi-geo.trafficmanager.net =analytics.tresensa.com", "http://114.114.114.114/ipw.ps1", "https://otx.alienvault.com/indicator/url/https://www.hostinger.com/?REFERRALCODE=1ROCKY77 [ DGA parking]", "https://www.energyvanguard.com/blog/59284/Guest-Post-The-Fatal-Flaw-in-Advanced-Framing-Part-1", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "discord.com \u2022 discord.gg", "appanoosecounty.iowa.gov, bigben.iowa.gov [Ben Smith?]", "www.dead-speak.com", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "lacity.gov, auditortest.iowa.gov, broadband.iowa.gov, admin.auditor.iowa.gov,", "http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=DESKTOP-B0T93D6\\george", "https://tulach.cc/", "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996", "12 CVE exploits posted in 'scoreblue' CVE tally", "http://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse]", "https://apple.find-tracking.us/?id=jit./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./error./err", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/41ad1d349716b3e62f914c0907323ae8e0a37198d237a02d71a0d5e05ffaa727", "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en (dang)", "CS Yara rule:WannaCry_Ransomware from ruleset crime_wannacry by Florian Roth (Nextron Systems) (with the help of binar.ly)", "https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-assets-Twitter.b90ee19de735e00fb4a0.js", "msftconnecttest.com", "mailtrack.io [tracking VirusTotal graphs, link trace back]", "114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge]", "https://www.att.com/ [has a medium risk GandCrab ransomware attack]", "103.224.212.34 scanning_host", "https://twitter.com/sheriffspurlock?lang=en", "http://designspaceblog.com/?mystique=jquery_init&ver=2.4.2", "https://otx.alienvault.com/indicator/file/1b7a83a7a35418afa60e88eabcb9fd5a8689700bba20dadb5fbad4e197ce1f1e", "https://www.att.com/ [suffered a medium risk GandCrab ransomware attack] I guess they don't know.", "https://twitter.com/juvlarN", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe , phishing, NSA current, former, wannabe?] Not classified it's widespread.", "www.governmentattic.org [privilege: malicious malware downloading]", "https://aheadofthegame.uk/about?utm_campaign=You%E2%80%99re%20nearly%20there!&utm_medium=email&utm_source=Eloqua&elqTrackId=e6385dd142e445f48aa17b4544780841&elq=0db2557254194121b23f3bec84f42097&elqaid=4059&elqat=1&elqCampaignId=", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://pin.it/ [SQLi Dumper]", "http://114.114.114.114/d?dn=sinastorage.com [ storage of targeted individuals on and offline Behavior]", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "143.244.50.213 |169.150.249.162 [malware_hosting]", "http://uchealth.com/physician/frank-avilucea/", "http://pegasus.diskel.co.uk/ | china.pegasus-idc.com | imap.pegasustech.ne", "13.107.136.8 [ Tulach Malware IP redirect]", "iowa.gov, accidentreports.iowa.gov, beready.iowa.gov, affordableconnectivity.gov", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "207 Iowa.gov domains and hosts acting as cyber security [cyberreason]", "http://114.114.114.114:9421/proxycontrolwarn/ [Tulach cnc | probe]", "abc7news.com", "AS15133 MCI Communications Services Inc d b a Verizon Business, Loudon County, Va", "Certificate Subject CN=brazzerspesonals.com", "http://109.206.241.129/666bins/666.mpsl", "http://1.116.132.182/weblogic_CVE_2020_2551.jar", "https://yugemobile.com/tracking?plcmntid=ym5002&imps=2dda8436-396e-4b37-a917-0cce11ffb623", "init-p01st.push.apple.com", "nr-data.net \u2022 www.youtube.com", "http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link]", "rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru [phishing] SongCulture.comm& YouTube redirected by hacker", "AppRegistrationList.csv", "https://medium.com/the-pink/how-a-white-womans-anger-makes-her-racism-spill-out-563853905a42", "https://www.sweetheartvideo.com/tsara-brashears/", "CS IDS rule: (icmp4) ICMP destination unreachable communication administratively prohibited", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "Trojan:Win32/WannaCry.350", "vortex-nlb-http2-fed-us-taut-purple.nr-data.net (b.link infringement)", "x.com - Malware Packed", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious. [Remote Network Attack via devices]", "www.fcc.gov? DGA Domains : Certificate Subject\tUS 443 Certificate Subject\tDistrict of Columbia 443 Certificate Subject\tWashington 443 Certificate Subject\tFederal Communications Commission 443 Certificate Subject\tGovernment Entity 443 Certificate Subject\t1934-06-19 443 Certificate Subject\taffordableconnectivity.gov 443 Certificate Issuer\tEntrust, Inc. 443 Certificate Issuer\tSee www.entrust.net/legal-terms 443 Certificate Issuer", "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community", "a-poster.info", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop", "remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png", "Targeting", "Samuel Tulach\u2019s assets have been tightly connected to M. Brian Sabey, Esq", "https://my.uchealth.com/myuchealth/Visits/VisitDetails?csn=WP-24%E2%80%A6FJ0JuA-3D-3D-24vasu1ISpMoMuqD8IMEos5jRZZFiBtfPMciW-2FFH52VaQ-3D", "fed1a186b37f4720s@withheldforprivacy.com [Investigation of alleged victims?]", "appleid.cdn-apple.com", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "apple-dns.net. [Apple email collection]", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://otx.alienvault.com/indicator/file/c98108ca8f4e0dd8a3f63d4ac490e115", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "Domains Contacted: fenbushijujuefuwu.com", "Wiper to Ransomware: The Evolution of Agrius - Sourced: ArcSight Threat Intelligence", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://www.adultforce.com/ [malvertizing Tsara Brashears]", "https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://cura360.com/foldawheel-phoenix-fully-powered-standing-wheelchair?utm_source=google&utm_medium=PLA&gad_source=1&gclid=EAIaIQobChMIw92wtdnigwMVhV9HAR126wDrEAQYASABEgJ_aPD_BwE", "https://www.google.com/?authuser=0", "(c) 2014 Entrust, Inc. - for authorized use only 443 Certificate Issuer\tEntrust Certification Authority - L1M", "http://rawlucky.com/submit/prizepicker/iq?devicemodel=iPhone&carrier=\u00aeion=Baghdad&brand=Apple&browser=AlohaBrowserMobile&prize=300k&u=track.bawiwia.com&isp=EarthlinkTelecommunicationsEquipmentTradingServicesDmcc&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=IQ&click_id=woot0oed65crk85u2oe4vubu&partner=2423996&skip=yes", "CS IDS rule: (port_scan) TCP filtered portsweep", "images.ctfassets.net [data collection of citizen]", "www.metrobyt-mobile.com. [s3.amazonnaws.com Apple]", "api.item.yixun.com", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "nr-data.net [Apple Private Data Collection]", "nr-data.net (Apple Private Data Collection)", "https://www.criminalip.io/domain/report?scan_id=13798622", "CVE-2017-0147", "https://pin.it/ malicious Pinterest redirect targets Tsara Brashears", "104.200.22.130 Command and Control", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "bleepingcomputer.com \u2022 CliffsNotes", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://hybrid-analysis.com/sample/a728fc352e13fa39c7490ddcfff86b0919b3de6ea5786cf48b22095e0607bde9/6593b386f70b45c7c70419c8", "https://static.digitecgalaxus.ch/Files/communication/app-download-badges/apple_email_rasterized_2x/fr.png", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "https://www.clear.com.br/site/DirectTalk/Filter?botopenned=3Dtrue [???]", "https://twitter.com/PORNO_SEXYBABES [ malvertizing, contextualizing, malicious]", "37.1.217.172 [scanning host]", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "tsarabrashears.com", "Mirai: a90557a4165401091b1d8d0132465170475508f810e7a5c7f585c17c2120447 ELF:DDoS-S\\ [Trj]", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking| Botnet Campaign]", "https://lacity.gov/san/index.htm, https://personnel.lacity.gov, https://lacity.gov/SAN,", "https://tria.ge/240517-vdwb5shc71/behavioral1", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "http://r3.o.lencr.org", "xred.mooo.com [pornhub trojan]", "init.ess.apple.com [backdoor, malicious script, access via media]", "192.229.211.108 [Tracking & Virus Network]", "http://michaela.young@uchealth.com/", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter", "https://stackabuse.com/assets/images/apple", "https://pin.it/ [faux Pinterest for TB]", "uapi-qa.stlouisfed.org (Hospital Metadata)", "sweetheartvideo.com", "Mr. Tulach \u2022 known for his work in cybersecurity, particularly in reverse engineering & malware analysis", "Due to Samuel Tulach\u2019s good reputation , assume his assets are being abused by threat actors targeting", "https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign]", "Domains Contacted: smtp.gmail.com www.google.com", "CS Sigma Rule: Creation of an Executable by an Executable by frack113", "http://intranet.uchealth.com/Policies/Corporate%20Policies/Standards%20of%20Performance%20and%20Conduct.pdf", "https://my.uchealth.com/myuchealth/inside.asp?mode=visitsummary&submode=notes&csn=WP-24PtuJGFUkCkn9owS5DdIspw-3D-3D-24g6bhGYash%E2%80%A6", "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS Password Cracker [", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "192.168.0.25 [Network Router Admin Login to wireless routers]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "developer.x.com \u2022 https://twitter.com/githubstatus", "https://www.forpsi.com domain forpsi.com\t Domain asp.net", "\"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines", "Cobalt Strike | 3.12.49.0 | Amazon 02", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Domain twitter.com No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 No Expiration\t0\t URL", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "https://www.virustotal.com/gui/url/76b30b054701dd52394b91dd11937fefc8888994ee214f02d22ebc2c8cb7e057/summary", "156.254.243.90 [cnc] Unix.Trojan.Mirai-6981169-0", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "deviceinbox.com", "nr-data.net [ Hidden private Apple data collection]", "http://watchhers.net/index.php [malware spreader]", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://hybrid-analysis.com/sample/3f1b1621818b3cfef7c58d8c3e382932a5a817579dffe8fbefc4cf6fdb8fc21d", "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]", "Above Assurant link. [ Hidden privacy threats,,Transactional campaign", "Samuel Tulach , an engineer writes about game security, Unity engine, and anti-cheat systems on his blog at tulach.cc", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes I'm a frightened underdog advocate, educated & trained in many areas.THIS!", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://tria.ge/240521-q4s79agb25/static1", "https://www.wlafx4trk.com/cmp/33K48/5ZK2T/?source_id=95_1236_91dabe93-2a51-4b93-bfd3-4a4bd7e00ff3_31&sub1=4df5b890c55d4bdead5ba03dde982afa", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "https://www.virustotal.com/gui/url/9fa23b2600cf067195442b801633ec4e67e17d0b0e807561cd6001808a8930bf/summary", "Alerts network_icmp allocates_rwx packer_entropy pe_features pe_unknown_resource_name Related Pulses", "http://114.114.114.114:7777/c/msdownload/update/others/2022/01/29136388_", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "114.114.114.114 - Tulach Malware", "uversecentral3.att.com [decode cookie \u2022 unlock]", "Unix.Trojan.Mirai-9441505-0 Yara Detections is__elf \u2022 217.11.249.145", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "194.245.148.189 [CnC]", "http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag]", "The next pulse will show Apple IoC\u2019s related to Tulach.cc", "c1a99e3bde9bad27e463c32b96311312.virus", "0-1.duckdns.org [malicious]", "114.114.114.114 [ Tulach Malware IP]", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://urlscan.io/search/#ualberta.ca", "104.247.75.218 | [cnc ]", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "DGA Domain [affordableconnectivity.gov & GetInternet.gov] Home ACP Universal Service Administrative Company", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "I haven\u2019t yet concluded why Tulach.cc is deeply interwoven in a malicious media campaign", "http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/xetetorobezaj.pdf [redirect] http://joshuajenkinslaw.com/uploads/1/3/0/6/130639888/", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "CS IDS rule: (stream_tcp) data sent on stream after TCP reset received", "http://gmpg.org/xfn/11 [HTTrack]", "mobile.twitter.com [titled hashtag Daisy Coleman]", "images.ctfassets.net", "CS Yara rule:SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "aig.com", "newrelic.se [Apple Collection]", "https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://nextcloud.tulach.cc/ \u2022 https://nextcloud.tulach.cc/", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/,", "apple.com [=vaccine.com / negative http or https - insecure, malicious]", "cellebrite.com | enterprise.cellebrite.com", "angryblackwomyn.com", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "https://api.w.org/ \u2022 api.w.org", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ password cracker, Mail spammer, malicious advertising]", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "tulach.cc [Adversarial Malware Attack Source]", "Found in http://kaplanmorrell.com/meet-kaplan-morrel/meet-ronda-cordova/", "https://www.virustotal.com/gui/url/4657cd9117ad26288f2af98767de164d9af64e9c22e3eda9580766688ec38652/community", "https://www.hybrid-analysis.com/sample/8d62f650d5cb5d68441bd64ad24f088f18e34779f0c2e8178917a1e07dd65996/65642d5cfa9d60126100612e", "x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290", "https://pin.it/ [Pinterest BotNetwork for Pegasus]", "www.youtube.com/watch?v=GyuMozsVyYs (why would targets channel be controlled by Tulach)", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz", "https://stackabuse.com/generating-command-line-interfaces-cli-with-fire-in-python/", "https://github-cloud.s3.amazonaws.com [DNS prefetch]", "location-icloud.com", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.sweetheartvideo.com/tsara-brashears/ [Bot Network]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "All - EnterpriseAppsList.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "NSO Group - Pegasus" ], "malware_families": [ "Gootloader", "Maltiverse", "Trojan:win32/mydoom", "Tofsee", "Win.trojan.agent-357800", "Fonepaw", "Worm:win32/enosch!atmn", "Driverreviver", "Win.trojan.vbgeneric-6735875-0", "Formbook", "Win.malware.cymt-10023133-0", "Generic", "Worm:win32/mofksys.rnd!mtb", "Ransomexx", "Icefog", "Trojan", "Lolkek", "Spaceship", "Swisyn", "Keylogger", "Apple malware", "Win.malware.swisyn-7610494-0", "Ransom:win32/gandcrab.ae", "Cve jar", "T", "Qakbot", "Pws:win32/ymacco.aa50", "Networm", "Trojandropper:win32/muldrop.v!mtb", "Hallgrand", "Win.trojan.agent-1371484", "Win.dropper.quasarrat-10023124-0", "Trojan:win32/detplock", "Amazon aes", "Agent tesla - s0331", "Raccoon", "Remcos", "Pegasus for ios - s0289", "Win.packed.botx-10021462-0", "Cobalt strike", "Unix.trojan.mirai-9441505-0", "Virus:dos/paris", "Crypt3.blxp", "Nullsoft_nsis", "Pegasus for android - mob-s0032", "Win32:agent-asti\\ [trj]", "Lockbit", "#lowfijavazkm", "Hallrender", "Libraryloader", "Backdoor:win32/tofsee.", "Trojanspy", "Ransom:win32/gandcrab.e", "Win.malware.jaik-9968280-0", "Win.trojan.tofsee-7102058-0", "Dark power", "Mirai", "Tulach", "Html.trojan.ascii212_44_64_202-1", "Comspec", "Trickbot - s0266", "Daisy coleman", "Alf:trojanspy:win32/keylogger", "Win.malware.moonlight-9919383-0", "Qakbot - s0650", "Win.malware.generickdz-9937235-0", "Tsara brashears", "Win.malware.razy-6979265-0", "Alf:trojan:win32/cassini_412f60c8!ibt", "Trojanspy:win32/nivdort.de", "Etpro", "Pwndlocker", "Facebook ht", "Trojandownloader:win32/nemucod", "Maui ransomware", "Alf:heraklezeval:trojan:win32/azorult.fw!rfn", "Zbot", "Chaos", "Win.trojan.zegost-9769410-0", "Trojan:win32/wannacry.350", "Win.packer.crypter-6539596-1", "Death bitches", "Cve-2017-0147", "Win.packed.generic-9967832-0", "Crack", "Worm:win32/lightmoon.h", "Trojanspy:win32/nivdort", "Fusioncore", "Relic", "Win.packed.stealerc-10017074-0", "Slf:win32/elenquay.a", "Backdoor:win32/tofsee.t", "Win.packer.pkr_ce1a-9980177-0", "#lowfi:win32/autoit", "O.gen", "Alf:hstr:virtool:win32/obfuscator!pecancer", "Dnspionage", "Redline", "Sabey", "Xrat", "Emotet", "Win32:ransomx-gen\\ [ransom]", "Bit rat", "Win.trojan.barys-10005825-0", "Webtoolbar", "Alfper:hstr:wizremurl.a1", "Hacktool", "Win.malware.aauto-9839281-0", "Tulach malware", "Quasar", "Quasar rat", "Pegasus - mob-s0005", "Appleservice", "Dapato", "Brashears", "Azorult", "Artemis", "Vidar", "Win.malware.midie-6847893-0", "Twitter malware", "Slfper:softwarebundler:win32/icloader.a" ], "industries": [ "Healthcare", "Education", "Technology", "Civil society", "Telecommunications", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "69d8a665177b8f64c7ce5fca", "name": "LibraryLoader \u2022 Samuel Tulach | Abuse of malicious sssets engineered by DevOp & Security Researcher", "description": "Samuel Tulach is involved in various projects related to government work, particularly in areas like DevSecOps and app modernization. \nOverview of Samuel Tulach's \"uploader.exe\"\nThe file \"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines. This classification indicates that the file poses a potential threat to users' systems.\nSecurity Engine Flags. Several security engines have flagged \"uploader.exe\" as malicious.\nSecureAge APEX\tMalicious\nSentinelOne\tMalicious\nImplications of Malicious Flags\nPotential Risks: Files flagged as malicious can lead to various security issues, including data theft, unauthorized access, or system damage.\nRecommended Actions: Users should avoid downloading or executing this file. If already downloaded, it is advisable to delete it and run a full system scan using reputable antivirus software.", "modified": "2026-04-10T07:27:33.587000", "created": "2026-04-10T07:27:33.587000", "tags": [ "x vercel", "united", "america", "germany malware", "family", "ck ids", "packing", "tulach", "ocsp", "extraction", "data upload", "enter sc", "extra data", "include review", "exclude sugges", "find s", "failed", "typ no", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "pattern match", "mitre att", "ascii text", "span", "title", "meta", "path", "april", "hybrid", "general", "local", "encrypt", "click", "strings", "main", "footer", "pcsb", "naga", "magda", "no expiration", "url https", "domain", "github pages", "a domains", "passive dns", "mtb jan", "class", "sea x", "accept encoding", "trojanspy", "accept", "otx logo", "all ipv4", "urls", "files", "america flag", "space", "ck matrix", "handle", "winvmaddress", "cdecl crashpad", "null", "software", "comment", "entity", "internal", "blank", "magic", "infinity", "first", "valentine", "error", "webview", "front", "patched", "root", "tristate", "libraryloader", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "filehash", "win32", "malware", "write", "backdoor", "present apr", "lowfi", "aaaa", "lowfijavazkm", "x.com", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "ff d5", "yara rule", "f0 ff", "eb e1", "unknown", "trojan", "zeppelin", "autorun", "united states", "china unknown", "div div", "ip address", "record value", "samuel tulach", "czechia unknown", "italy unknown", "gmt server", "all domain", "next associated", "reverse dns", "location czech", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "file type", "telfhash", "virustotal api", "vendor finding", "notes clamav", "files matching", "number", "t1045", "search", "directui", "element", "medium", "classinfobase", "value", "write c", "hwndhost", "sapeav12", "worm", "explorer", "insert", "movie", "mtb apr", "mtb mar", "trojandropper", "displayname", "windows", "high", "delete c", "tofsee", "stream", "push", "url http", "c mar", "virtool", "c jan", "c dec", "toolbar", "ransom", "article", "windows nt", "gmtvia", "html", "bad traffic", "et info", "tls handshake", "belgium", "present dec", "present feb", "intel", "elf upx", "medium risk", "info", "moved", "hostname add", "whois registrar", "media", "delphi", "guard", "code", "devsecops", "github", "github internet", "archive samuel", "tulach", "government work", "key areas", "devops process", "security engine", "flags", "apex malicious", "implications", "malicious flags", "potential risks", "name servers", "apple id", "script urls", "show process", "secure", "win64", "khtml", "gecko", "programfiles", "cookie", "comspec", "model", "june", "spawns", "id name", "malicious", "gui", "anti cheats", "game tech", "c++" ], "references": [ "https://nextcloud.tulach.cc/ \u2022 https://nextcloud.tulach.cc/", "bleepingcomputer.com \u2022 CliffsNotes", "x.com - Malware Packed", "nr-data.net \u2022 www.youtube.com", "Alerts network_icmp allocates_rwx packer_entropy pe_features pe_unknown_resource_name Related Pulses", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "discord.com \u2022 discord.gg", "api.item.yixun.com", "Unix.Trojan.Mirai-9441505-0 Yara Detections is__elf \u2022 217.11.249.145", "Domains Contacted: fenbushijujuefuwu.com", "angryblackwomyn.com", "https://medium.com/the-pink/how-a-white-womans-anger-makes-her-racism-spill-out-563853905a42", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/41ad1d349716b3e62f914c0907323ae8e0a37198d237a02d71a0d5e05ffaa727", "https://www.forpsi.com domain forpsi.com\t Domain asp.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "www.youtube.com/watch?v=GyuMozsVyYs (why would targets channel be controlled by Tulach)", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw", "x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290", "cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz", "porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop", "https://api.w.org/ \u2022 api.w.org", "remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png", "https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-assets-Twitter.b90ee19de735e00fb4a0.js", "developer.x.com \u2022 https://twitter.com/githubstatus", "https://twitter.com/juvlarN", "appleid.cdn-apple.com", "https://static.digitecgalaxus.ch/Files/communication/app-download-badges/apple_email_rasterized_2x/fr.png", "Samuel Tulach , an engineer writes about game security, Unity engine, and anti-cheat systems on his blog at tulach.cc", "Mr. Tulach \u2022 known for his work in cybersecurity, particularly in reverse engineering & malware analysis", "\"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines", "Due to Samuel Tulach\u2019s good reputation , assume his assets are being abused by threat actors targeting", "I haven\u2019t yet concluded why Tulach.cc is deeply interwoven in a malicious media campaign", "Samuel Tulach\u2019s assets have been tightly connected to M. Brian Sabey, Esq", "The next pulse will show Apple IoC\u2019s related to Tulach.cc" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LibraryLoader", "display_name": "LibraryLoader", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Azorult.FW!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Azorult.FW!rfn", "target": null }, { "id": "Win.Packed.Botx-10021462-0", "display_name": "Win.Packed.Botx-10021462-0", "target": null }, { "id": "Win.Malware.Cymt-10023133-0", "display_name": "Win.Malware.Cymt-10023133-0", "target": null }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Malware.Generickdz-9937235-0", "display_name": "Win.Malware.Generickdz-9937235-0", "target": null }, { "id": "Win.Malware.Razy-6979265-0", "display_name": "Win.Malware.Razy-6979265-0", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" }, { "id": "SLF:Win32/Elenquay.A", "display_name": "SLF:Win32/Elenquay.A", "target": "/malware/SLF:Win32/Elenquay.A" }, { "id": "Win.Dropper.QuasarRAT-10023124-0", "display_name": "Win.Dropper.QuasarRAT-10023124-0", "target": null }, { "id": "Win.Trojan.Zegost-9769410-0", "display_name": "Win.Trojan.Zegost-9769410-0", "target": null }, { "id": "ALF:HSTR:VirTool:Win32/Obfuscator!PECancer", "display_name": "ALF:HSTR:VirTool:Win32/Obfuscator!PECancer", "target": null }, { "id": "Win.Malware.Moonlight-9919383-0", "display_name": "Win.Malware.Moonlight-9919383-0", "target": null }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#LowfiJavaZKM", "display_name": "#LowfiJavaZKM", "target": null }, { "id": "Win.Malware.Swisyn-7610494-0", "display_name": "Win.Malware.Swisyn-7610494-0", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "Win.Packed.Stealerc-10017074-0", "display_name": "Win.Packed.Stealerc-10017074-0", "target": null }, { "id": "#Lowfi:Win32/AutoIt", "display_name": "#Lowfi:Win32/AutoIt", "target": "/malware/#Lowfi:Win32/AutoIt" }, { "id": "Html.Trojan.Ascii212_44_64_202-1", "display_name": "Html.Trojan.Ascii212_44_64_202-1", "target": null }, { "id": "ALFPER:HSTR:WizremURL.A1", "display_name": "ALFPER:HSTR:WizremURL.A1", "target": null }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Win.Malware.Midie-6847893-0", "display_name": "Win.Malware.Midie-6847893-0", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win.Malware.Aauto-9839281-0", "display_name": "Win.Malware.Aauto-9839281-0", "target": null }, { "id": "Win.Trojan.Agent-1371484", "display_name": "Win.Trojan.Agent-1371484", "target": null }, { "id": "SLFPER:SoftwareBundler:Win32/ICLoader.A", "display_name": "SLFPER:SoftwareBundler:Win32/ICLoader.A", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_412f60c8!ibt", "display_name": "ALF:Trojan:Win32/Cassini_412f60c8!ibt", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2710, "domain": 1227, "hostname": 1206, "FileHash-SHA256": 3867, "IPv4": 318, "FileHash-MD5": 593, "FileHash-SHA1": 459, "IPv6": 1, "SSLCertFingerprint": 19, "email": 20, "CVE": 1 }, "indicator_count": 10421, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ddf5bda001ff2f840c20e7", "name": "Mofksys - Originated from an X.com image", "description": "Mofksys - Originated from an X.com image Clicked on image to expand. Image coded. IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWFF.COM - Seen before. Associated with Pegasus in the past. \n\n#wannacry #wannacrypt #ransomware #phishing #other_malware_packed#cabby#driveby #milesmx #keystrokes #record #screencapture #mofksys #remote access #fullaccess #code -#botnet #deadhost #otx_pulsed #hilo:", "modified": "2025-11-01T03:03:51.684000", "created": "2025-10-02T03:47:09.092000", "tags": [ "url http", "url https", "h oct", "united", "netherlands", "present apr", "passive dns", "ip address", "present jul", "domain add", "pulse pulses", "urls", "files", "trojan", "entries", "next associated", "mtb nov", "ipv4 add", "overview domain", "files ip", "address", "location united", "asn asnone", "whois registrar", "mtb apr", "files show", "date hash", "avast avg" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3888, "domain": 1009, "hostname": 2134, "FileHash-SHA256": 2150, "CVE": 1, "FileHash-MD5": 106, "FileHash-SHA1": 107 }, "indicator_count": 9395, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68451577ada8bb0aa0834edb", "name": "X - Business Social Media Account used to attack victim", "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.", "modified": "2025-07-08T04:03:04.386000", "created": "2025-06-08T04:45:43.423000", "tags": [ "trojan", "ids detections", "yara detections", "alerts", "analysis date", "file score", "upxoepplace", "pulses none", "related tags", "none file", "markus", "april", "win32", "copy", "usvwu", "usvw", "high", "medium", "show", "uss c", "binary file", "yara", "write", "delphi", "enigma", "present mar", "aaaa", "united", "passive dns", "date", "present nov", "moved", "urls", "creation date", "entries", "body", "trojandropper", "susp", "msr jul", "next associated", "pulse pulses", "mtb jun", "backdoor", "content length", "html document", "ascii text", "search", "internalname", "entries pe", "showing", "filehash", "md5 add", "av detections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "encrypt", "june", "hybrid", "local", "path", "click", "twitter", "strings", "url https", "url http", "report spam", "created", "hours ago", "bad actor", "ck ids", "t1057", "discovery", "t1071", "amer", "ipv4", "indicator role", "title added", "active related", "pulses", "china", "hong kong", "russia", "type indicator", "role title", "added active", "related pulses", "pulses url", "filehashsha256", "url add", "http", "ip address", "related nids", "files location", "flag united", "domain", "hostname", "next", "filehashmd5", "protocol", "t1105", "tool transfer", "t1480" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 637, "FileHash-SHA1": 639, "FileHash-SHA256": 5380, "domain": 676, "hostname": 1120, "URL": 1031, "SSLCertFingerprint": 4 }, "indicator_count": 9487, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "285 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6647908c09468f42bc1249f1", "name": "University of Alberta Azure/Entra Compromised Tenant Compromized Institution", "description": "Update: Academic/Non-Academic Staff Unions, 3rd party org, & some profs/students/alumni tried raising concerns to Admins/President/IST & CISO => Maintaining position they will not be looking into reported problems re: Cybersecurity under any circumstances = more time more problems? Attempts to advocate -> Harrass./Discrim./De-humanizing responses from admins (representing all folks - recorded). \nTenant ID: 718b8a9b-44d8-441a-a344-4294ea842172 = This pulse is 1 example (small) of problems.\n\nPrimary domain\nualbertaca.onmicrosoft.com\nCustom Domain Names\nualberta.ca\nVerified\nualbertaca.onmicrosoft.com", "modified": "2025-03-01T04:59:57.222000", "created": "2024-05-17T17:14:52.317000", "tags": [ "false", "true", "visible", "application", "microsoft teams", "microsoft azure", "office", "service", "dynamics", "hidden", "android", "explorer", "write", "connector", "test", "sharepoint", "live", "meister", "tools", "desktop", "spark", "front", "enterprise", "designer", "atlas", "premium", "assistant", "allow", "azureadmyorg", "game", "verify", "microsoft power", "channelsurfcli", "mtd1", "file transfer", "magnus", "microsoft crm", "youth" ], "references": [ "All - EnterpriseAppsList.csv", "AppRegistrationList.csv", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://tria.ge/240521-q4s79agb25/static1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://urlscan.io/search/#ualberta.ca", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1703, "FileHash-SHA256": 90472, "URL": 99185, "domain": 82954, "hostname": 39041, "FileHash-SHA1": 1624, "email": 4658, "CVE": 12 }, "indicator_count": 319649, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "414 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "663b4a3d4df0c7f120a8c60c", "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE [02/27/2024]", "description": "", "modified": "2024-05-08T09:47:41.535000", "created": "2024-05-08T09:47:41.535000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [has a medium risk GandCrab ransomware attack]", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": "65de914a22e80e90ac329dce", "export_count": 1176, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "711 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d97b3040e853a998bbd2cf", "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE", "description": "GandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab Ransomware is a ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.In many instances, files are encrypted to control, spy, monitor dns traffic, download other malware, spy on targets, modify, delete, write on victims devices going undetected.", "modified": "2024-03-25T03:03:48.639000", "created": "2024-02-24T05:14:24.088000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [suffered a medium risk GandCrab ransomware attack] I guess they don't know.", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable", "identity_helper.exe\" loaded module \"%WINDIR%\\System32\\bcrypt.dll\" at 73470000" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "755 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d97b3131bb8503e087d749", "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE", "description": "GandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab Ransomware is a ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.In many instances, files are encrypted to control, spy, monitor dns traffic, download other malware, spy on targets, modify, delete, write on victims devices going undetected.", "modified": "2024-03-25T03:03:48.639000", "created": "2024-02-24T05:14:25.808000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [suffered a medium risk GandCrab ransomware attack] I guess they don't know.", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable", "identity_helper.exe\" loaded module \"%WINDIR%\\System32\\bcrypt.dll\" at 73470000" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "755 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d97d89cda3f0dbf62f499d", "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE", "description": "*Edit: I meant to mean at&t may be unaware despite reported outage. My AT&T study is private and researched from corporate device. \n\nGandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab Ransomware is a ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.In many instances, files are encrypted to control, spy, monitor dns traffic, download other malware, spy on targets, modify, delete, write on victims devices going undetected.", "modified": "2024-03-25T03:03:48.639000", "created": "2024-02-24T05:24:25.169000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [has a medium risk GandCrab ransomware attack]", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "755 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d97d8e925459e97ca124c9", "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE", "description": "*Edit: I meant to mean at&t may be unaware despite reported outage. My AT&T study is private and researched from corporate device. \n\nGandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab Ransomware is a ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.In many instances, files are encrypted to control, spy, monitor dns traffic, download other malware, spy on targets, modify, delete, write on victims devices going undetected.", "modified": "2024-03-25T03:03:48.639000", "created": "2024-02-24T05:24:30.672000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [has a medium risk GandCrab ransomware attack]", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "755 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65da19c17ee182a7fb5122a0", "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE", "description": "", "modified": "2024-03-25T03:03:48.639000", "created": "2024-02-24T16:30:57.575000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [has a medium risk GandCrab ransomware attack]", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": "65d97d8e925459e97ca124c9", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "755 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "type": "Domain", "indicator": "mashupdatabase.com", "stats": { "malicious": 14, "suspicious": 0, "harmless": 48, "undetected": 32, "total": 94, "verdict": "malicious", "ratio": "14/94" }, "verdict": "malicious", "ratio": "14/94", "registrar": "Name.com, Inc.", "creation_date": 1733361503, "reputation": 0, "tags": [], "categories": {}, "top_detections": [ { "vendor": "ADMINUSLabs", "result": "malicious", "category": "malicious" }, { "vendor": "BitDefender", "result": "phishing", "category": "malicious" }, { "vendor": "CyRadar", "result": "phishing", "category": "malicious" }, { "vendor": "Forcepoint ThreatSeeker", "result": "phishing", "category": "malicious" }, { "vendor": "Fortinet", "result": "malware", "category": "malicious" }, { "vendor": "G-Data", "result": "phishing", "category": "malicious" }, { "vendor": "Kaspersky", "result": "malware", "category": "malicious" }, { "vendor": "Lionic", "result": "malicious", "category": "malicious" }, { "vendor": "SOCRadar", "result": "malware", "category": "malicious" }, { "vendor": "Seclookup", "result": "malicious", "category": "malicious" } ], "last_analysis": 1775147971, "error": null }, "abuseipdb": null, "urlhaus": { "indicator": "mashupdatabase.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776643233.8137448 }