{ "type": "Domain", "indicator": "mozilla.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/mozilla.com", "alexa": "http://www.alexa.com/siteinfo/mozilla.com", "indicator": "mozilla.com", "type": "domain", "type_title": "Domain", "validation": [ { "source": "akamai", "message": "Akamai rank: #440", "name": "Akamai Popular Domain" }, { "source": "majestic", "message": "Whitelisted domain mozilla.com", "name": "Whitelisted domain" }, { "source": "whitelist", "message": "Whitelisted domain mozilla.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2378155340, "indicator": "mozilla.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "69cf32e906000d5993f366c4", "name": "Habo Analysis System - & 'bye for now'", "description": "Habo Analysis plus other relative findings.\n\nMy opinion: Problem Size Trend : Macro. Whoever deleted files doesnt make it go away. #cryptographicfailure. Living Nightmare. The dates will reflect 2019/20 post certificate exp which adjusts to an aug 2025 sectigo cert which expired sept 8 2025 rolling into aws for auth expiring renewing ent of oct 2025 into a 5 year gap renewed same # digicert globalsign2020 seal. This cant end. But I am done here for deletions (not otx in my research who did this). To the person who did, you cooked the internet. There was one way to resolution. You failed.", "modified": "2026-04-03T04:05:59.805000", "created": "2026-04-03T03:24:25.921000", "tags": [ "next associated", "files show", "date hash", "avast avg", "present dec", "lowfi", "mtb may", "susp", "code", "llc registrar", "date", "server", "admin country", "registry domain", "iana id", "admin city", "herndon tech", "country", "key identifier", "x509v3 subject", "number", "cgb osectigo", "public server", "dv r36", "validity", "subject public", "key info", "key algorithm", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "executable", "msdos win32", "generic windos", "dos executable", "generic" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1006, "FileHash-SHA1": 927, "FileHash-SHA256": 3665, "hostname": 1187, "IPv4": 617, "URL": 1315, "email": 2, "domain": 605 }, "indicator_count": 9324, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf261cc4e399447d78776c", "name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |", "description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com", "modified": "2026-03-21T23:13:32.760000", "created": "2026-03-21T23:13:32.760000", "tags": [ "sc data", "data upload", "please sub", "include data", "extraction", "failed", "sc pulse", "idron anv", "extr please", "include review", "exclude sugges", "stop show", "typ domain", "united", "virtool", "name servers", "cryp", "emails", "win32", "ip address", "worm", "trojan", "learn", "suspicious", "informative", "ck id", "name tactics", "command", "adversaries", "spawns", "ssl certificate", "initial access", "link initial", "prefetch8", "mitre att", "ck matrix", "flag", "windows nt", "win64", "accept", "encrypt", "form", "hybrid", "bypass", "general", "path", "iframe", "click", "strings", "anchor https", "anchor", "liberal", "sabey", "liberal friends", "meta", "html internet", "html document", "unicode text", "utf8 text", "info initial", "access ta0001", "compromise", "t1189 network", "communication", "get http", "artifacts v", "full reports", "v get", "help dns", "resolutions", "ip traffic", "extr data", "enter sc", "extra data", "referen", "broth", "passive dns", "urls", "http", "hostname", "files domain", "files related", "related tags", "none google", "safe browsing", "inquest labs", "lucas acha", "code integrity", "checks creation", "otx logo", "all hostname", "files", "domain", "protect", "date", "title", "exchange", "se http", "present jan", "present feb", "present dec", "backdoor", "certificate", "all domain", "alibaba cloud", "hichina", "porkbun llc", "cloudflare", "namecheap inc", "namecheap", "domains", "dynadot llc", "ascio", "denmark", "url https", "filehashsha256", "url http", "dopple ai", "snit", "iocs", "otx description", "information", "report spam", "delete service", "poem", "hunter", "malicious", "porn revenge", "brian sabeys", "all report", "spam delete", "rl http", "https", "expiration http", "spam brian", "swipper", "type indicator", "role title", "added active", "related pulses", "filehashmd5", "filehashsha1", "sha256", "scan", "learn more", "indicators show", "tbmvid", "sourcelnms", "zx1724209326040", "xxx videos", "xxxvideohd", "adversary", "packing", "palantir.com", "discovery", "victim won case", "doin it", "palantirian abuse", "apple", "sabey data centers", "insurance", "quasi government", "the brother sabey", "reimer", "law enforcement", "vessel state", "sabey porn", "hall evans", "christopher ahmann", "defamation", "google" ], "references": [ "The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/", "http://watchhers.net/index.php", "http://212.33.237.86/images/1/report.php", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://webmail.police.govmm.org/owa/", "https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl", "https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215", "Mark Brian Sabey", "Melvin Sabey", "Christopher P \u2018Buzz\u2019 Ahmann", "Ronda Cordova", "Unknown Persons impersonating Private Investigators (plural)", "Quasi Government Case", "Victim silenced. Struck by Car Driven by male police let walk", "Denver Police let this attempted murder walk. Cited him as a ghost driver", "Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora", "Sexual and Physical Assaulter - Jeffrey Scott Reimer", "Reimer was a PT. Unknown whereabouts , name or job description", "Denver Police Department Major Crimes closed investigation", "Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim", "I bring up the personal nature of the crime because a delete service has been used", "More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed", "All IoC\u2019s originate from sources named. There are some unknown attackers", "This is a serious crime. I\u2019m certain God WILL pay them.", "https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com", "http://palantirwww.sweetheartvideo.com/ (weirdness)", "http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2-lbl.dvr.dn2.n-helix.com/", "https://207-207-25-201.fwd.datafoundry.com/", "http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd", "http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2sdbl.dvr.dn2.n-helix.com/", "Updated | What\u2019s left after theft", "207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com", "207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com", "https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse", "https://www.datafoundry.com/category/news/press-releases/", "207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com", "209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com", "www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com", "http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com", "http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/", "https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022", "https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/", "https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com", "Some may may find this content is very disturbing and offensive" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Porn Revenge", "display_name": "Porn Revenge", "target": null }, { "id": "Tons of Malware", "display_name": "Tons of Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1586.001", "name": "Social Media Accounts", "display_name": "T1586.001 - Social Media Accounts" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6034, "domain": 1422, "IPv4": 883, "FileHash-MD5": 274, "FileHash-SHA1": 252, "FileHash-SHA256": 3378, "email": 11, "hostname": 2753, "CVE": 1, "SSLCertFingerprint": 9, "IPv6": 32 }, "indicator_count": 15049, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f1accda30d94af7e846357", "name": "Zendesk as VirusTotal \u00bb Ransom:Win32/CVE", "description": "*https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088 |||\n\n*In this situation a target received a VirusTotal / Zendesk drive by pop up message that site was unauthorized , fraud risk. The link has it all! Downloaders, install core, browser bar malware, ransomware, python script. Heavy attack. Desires deletion of device , accounts and contents.\n |||\nALF:HeraklezEval:Ransom:Win32/CVE , \nALF:Trojan:Win32/Cassini_6d4ebdc9 ,\nBackdoor:Win32/Zegost ,\nCVE-2023-22518 ,\nCVE-2023-4966 ,\nFakeAV.FOR ,\nMalware:AddsCopyToStartup ,\nNinite ,\nNoobyProtect ,\nTEL:Trojan:Win64/GoCLR ,\nTELPER:HSTR:CLEAN:Ninite ,\nTrojan:Win32/Cobaltstrike ,\nTrojan:Win32/Dridex ,\nTrojan:Win32/Fanop ,\nTrojan:Win32/Neconyd ,\nTrojan:Win32/Startpage ,\nTrojan:Win32/Zombie ,\nVirTool:Win32/Injector.gen!BQ ,\nVirTool:Win32/Obfuscator ,\nWin.Trojan.Generic-9935365-0 ,\nWorm:Win32/Autorun", "modified": "2024-10-23T17:03:27.463000", "created": "2024-09-23T18:00:45.146000", "tags": [ "as396982 google", "setup", "passive dns", "unknown", "ninite sep", "a td", "443 ma2592000", "accept", "gmt cache", "trojan", "status", "name servers", "urls", "creation date", "search", "emails", "servers", "as15169 google", "aaaa", "cname", "virtool", "cryp", "as19527 google", "win32", "related pulses", "file samples", "files matching", "date hash", "trojan features", "entries", "search otx", "telper", "worm", "copyright", "levelblue", "files domain", "files related", "pulses none", "accept accept", "as16625 akamai", "as20940", "asnone united", "nxdomain", "expiration date", "as21342", "as132147", "china", "as9808 china", "body", "all scoreblue", "backdoor", "alf features", "all search", "domain", "as15133 verizon", "as16552 tiggee", "url https", "http", "hostname", "ninite", "united states", "scan endpoints", "show", "showing", "next", "united", "as54113", "github pages", "formbook cnc", "checkin", "mtb aug", "a domains", "class", "twitter", "certificate", "record value", "pulse pulses", "overview ip", "address", "related nids", "files location", "div div", "github", "meta", "homepage", "form", "as36459", "g2 tls", "rsa sha256", "as29791", "dynamicloader", "medium", "yara detections", "dynamic", "filehash", "sha256", "february", "copy", "otx telemetry", "related tags", "a li", "span p", "dj ai", "dongjun jeong", "a h2", "writeups", "infosec journey", "script urls", "netherlands", "a nxdomain", "aaaa nxdomain", "cloudfront", "trojandropper", "china unknown", "msie", "chrome", "ipv4", "noobyprotect", "files", "peeringdb", "sign", "github copilot", "view", "notifications", "branches tags", "code issues", "pull", "write", "star", "code", "stars", "python", "shell", "footer", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "as62597 nsone", "dnssec", "win32mydoom sep", "windows nt", "wow64", "khtml", "gecko", "query", "jpn write", "e0e8e", "observed dns", "expiro", "defender", "malware", "possible", "suspicious", "activity dns", "mtb may", "sameorigin", "domain name", "error", "moved", "server", "mtb sep", "win32cve sep", "cloud provider", "reverse dns", "america asn", "dns resolutions", "domains top", "level", "unique tlds", "pulses", "default", "yara rule", "high", "cnc checkin", "cape", "powershell", "vmprotect", "local", "agent", "domainabuse", "su liao", "zhi pin", "application", "expiro malware", "anomalous file", "june", "fakedout threat", "analyzer paste", "iocs", "samples", "exploit", "germany unknown", "as14636", "russia unknown", "as9123 timeweb", "as45102 alibaba", "as43830", "read c", "write c", "process32nextw", "regsetvalueexa", "regdword", "installcore", "format", "delphi", "stack", "downloader", "urls http", "delete c", "tls handshake", "number", "failure", "delete", "ids detections", "fadok", "template", "slcc2", "media center", "contacted", "ollydbg", "internal", "simda", "brian sabey", "going dark", "stop", "as14061", "hostnames", "as48287 jsc", "as50340", "czechia unknown", "date" ], "references": [ "https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088", "GitHub - peeringdb/peeringdb-py: PeeringDB python client", "00-skillsetparadesarrollo.zendesk.com", "https://github.com/peeringdb/peeringdb-py", "From the lovely Cyber Folks .PL Cover" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Poland", "Australia", "Austria", "Canada", "Netherlands", "China" ], "malware_families": [ { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2023-4966", "display_name": "CVE-2023-4966", "target": null }, { "id": "FakeAV.FOR", "display_name": "FakeAV.FOR", "target": null }, { "id": "TELPER:HSTR:CLEAN:Ninite", "display_name": "TELPER:HSTR:CLEAN:Ninite", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Dridex", "display_name": "Trojan:Win32/Dridex", "target": "/malware/Trojan:Win32/Dridex" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Malware:AddsCopyToStartup", "display_name": "Malware:AddsCopyToStartup", "target": null }, { "id": "Trojan:Win32/Cobaltstrike", "display_name": "Trojan:Win32/Cobaltstrike", "target": "/malware/Trojan:Win32/Cobaltstrike" }, { "id": "ALF:Trojan:Win32/Cassini_6d4ebdc9", "display_name": "ALF:Trojan:Win32/Cassini_6d4ebdc9", "target": null }, { "id": "Trojan:Win32/Startpage", "display_name": "Trojan:Win32/Startpage", "target": "/malware/Trojan:Win32/Startpage" }, { "id": "Backdoor:Win32/Zegost", "display_name": "Backdoor:Win32/Zegost", "target": "/malware/Backdoor:Win32/Zegost" }, { "id": "Trojan:Win32/Fanop", "display_name": "Trojan:Win32/Fanop", "target": "/malware/Trojan:Win32/Fanop" }, { "id": "Trojan:Win32/Neconyd", "display_name": "Trojan:Win32/Neconyd", "target": "/malware/Trojan:Win32/Neconyd" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "Win.Trojan.Generic-9935365-0", "display_name": "Win.Trojan.Generic-9935365-0", "target": null }, { "id": "Ninite", "display_name": "Ninite", "target": null }, { "id": "NoobyProtect", "display_name": "NoobyProtect", "target": null }, { "id": "TEL:Trojan:Win64/GoCLR", "display_name": "TEL:Trojan:Win64/GoCLR", "target": null }, { "id": "ALF:HeraklezEval:Ransom:Win32/CVE", "display_name": "ALF:HeraklezEval:Ransom:Win32/CVE", "target": null }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4891, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2436, "CVE": 3, "FileHash-MD5": 2510, "FileHash-SHA1": 2063, "FileHash-SHA256": 4054, "hostname": 1788, "URL": 1228, "email": 16 }, "indicator_count": 14098, "is_author": false, "is_subscribing": null, "subscriber_count": 239, "modified_text": "538 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f100d791f9f9f6ab7b4f24", "name": "Cerber \u00bb Charter Communications \u00bb Spectrum Denver", "description": "[107.14.73.70] IP address range owned by Charter Communications Inc and located in Denver, Co United States.\n\nTargets & family neighborhood ISP's attacked again. Internet and targets devices attacked , Internet had to be reset twice by tech teams. Our team was able to track comprises directed towards target and families devices, which they are destroying. Stolen passwords, leaks, forced content, dumping. Both Spectrum & Quantum fiber positive for malicious activity within targeted devices. Fake iOS update pushed to a device. It comes with an agreement from Apple Singapore, LTD. \n\nMalware Families ,\nBackdoor:Win32/Tofse , \nCerber Ransomware ,\nET. \nETPRO ,\nInject3.QGY ,\nKelihos ,\nNIDS ,\nNOD32 ,\nSf:ShellCode-AU\\ [Trj] , \nTrojan:Win32/Glupteba ,\nTrojanDownloader:Win32/Cutwail ,\nVirTool:Win32/Obfuscator", "modified": "2024-10-23T05:03:21.045000", "created": "2024-09-23T05:47:03.625000", "tags": [ "isp charter", "usage type", "fixed line", "isp hostname", "domain name", "country united", "america city", "denver", "colorado", "ip address", "whois", "check", "information isp", "inc usage", "type fixed", "line isp", "hostname", "plesk forum", "centos web", "panel forum", "whois lookup", "netrange", "nethandle", "net107", "net1070000", "cc3517", "inc orgid", "dr city", "stateprov", "postalcode", "status", "as7843 charter", "united", "name servers", "passive dns", "urls", "domain", "search", "emails", "unknown", "scan endpoints", "all scoreblue", "ipv4", "files", "reverse dns", "location united", "win32", "abuseipdb", "read", "write", "read c", "server header", "show", "suspicious", "kelihos", "trojan", "artemis", "virustotal", "download", "drweb", "vipre", "panda", "malware", "specified", "next", "et trojan", "et info", "medium", "http", "ids detections", "yara detections", "e98c1cec8156", "as11426 charter", "as20001 charter", "as11427 charter", "as11351 charter", "as16787 charter", "as33363 charter", "as20115 charter", "as10796 charter", "as12271 charter", "body", "servers", "all search", "entries", "intel", "ms windows", "windows nt", "destination", "port", "asnone", "heurunsec", "etpro trojan", "nxdomain", "a nxdomain", "aaaa", "asnone united", "aaaa nxdomain", "backdoor", "pulse submit", "url analysis", "location oxford", "as3456 charter", "moved", "showing", "body doctype", "html public", "ietfdtd html", "as6976 verizon", "as701 verizon", "file samples", "files matching", "date hash", "copyright", "levelblue", "related pulses", "pulse pulses", "kryptikpii", "msr apr", "date", "creation date", "analyzer paste", "iocs", "samples", "secure server", "cname", "as5742", "body head", "object moved", "content length", "content type", "cookie", "as15133 verizon", "lowfi", "gmt server", "ecacc", "record value", "oxford", "michigan", "ns nxdomain", "soa nxdomain", "url http", "mitre att", "evasion ta0005", "creates", "discovery t1082", "reads software", "file", "t1083 reads", "jujubox", "zenbox", "get http", "request", "host", "win64", "khtml", "gecko", "response", "cus cndigicert", "tls rsa", "user", "javascript c", "doscom c", "text c", "files c", "storage", "file system", "filesadobe c", "appdata", "appdatalocal", "hostnames", "ta0002 command", "t1059 very", "t1064", "javascript", "modules t1129", "ta0003 create", "modify system", "process t1543", "windows service", "cisco umbrella", "blacklist", "safe site", "filerepmalware", "microsoft", "phishing bank", "sgeneric", "malware site", "unsafe", "number", "cus cngts", "ogoogle trust", "subject", "algorithm", "cus ouserver", "ouserver ca", "record type", "ttl value", "msms86718722", "query", "open", "capa", "create process", "windows create", "delete file", "write file", "windows check", "os version", "enumerate", "hashes", "signals mutexes", "mutexes", "open threat", "location los", "emails info", "expiration date", "write c", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "as51167 contabo", "germany unknown", "as40021 contabo", "encrypt", "hosting", "netherlands asn", "as204601 zomro", "pulses", "tags", "related tags", "indicator facts", "historical otx", "files ip", "asnone germany", "as174 cogent", "czechia unknown", "whitelisted", "certificate", "bittorrent dht", "post http", "et p2p", "cryptexportkey", "invalid pointer", "delete c", "post utcore", "benchhttp", "mozilla", "maldoc", "service", "tools", "nids", "et", "x95xd3xa4", "regbinary", "hx88x89", "kx82xd3x11", "xb9x8b", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "stream", "persistence", "execution", "dynamicloader", "contacted", "domains", "yara rule", "high", "dynamic", "pcap", "pushdo", "msie", "activity beacon", "malware beacon", "default", "redacted for", "for privacy", "as3379 kaiser", "server", "gmt content", "type", "x frame", "entries http", "scans show", "domain related", "no data", "tag count", "fakedout threat", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "components", "zune", "etpro", "nod32", "avast avg", "next http", "example domain", "title meta", "invalid url", "akamai", "urls http", "as20940", "as16625 akamai", "netherlands", "germany", "france", "virtool", "rock", "address", "apache", "accept", "as8075", "pulse http", "related nids", "files location", "moldova related", "pulses none", "as31898 oracle", "title", "kryptiklfq", "win32dh", "vitro", "shutdown", "erase", "find", "close", "as53418", "hat server", "as797 att", "script urls", "a domains", "as10753 level", "script script", "meta", "path", "null", "stop", "as54113", "chrome", "as7018 att", "as28521", "mexico unknown", "fastly error", "please", "sea p", "object", "set cookie", "pragma", "as19536 directv", "united kingdom", "as60664 xion", "trojan features", "moldova unknown", "susp", "breaking news", "business", "finance", "entertainment", "sports", "games", "trending videos", "weather", "home", "as396982 google", "url https", "type indicator", "role title", "added active", "cyberfolks", ".pl", "level 3" ], "references": [ "ISP: Charter Communications Inc Usage Type\tFixed Line ISP", "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA", "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.", "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com", "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e", "IDS Detections: Suspicious double Server Header Possible Kelihos", "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header", "telemetry-incoming.r53-2.services.mozilla.com", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel", "http://www.door.net/ARISBE/arisbe.htm", "talk.plesk.com | 4evermusic.pl | nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov", "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Hungary", "Ukraine", "Spain", "Brazil", "Russian Federation", "Moldova, Republic of", "Japan", "Ireland", "Luxembourg", "Canada" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Cerber Ransomware", "display_name": "Cerber Ransomware", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Inject3.QGY", "display_name": "Inject3.QGY", "target": null }, { "id": "Kelihos", "display_name": "Kelihos", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "NOD32", "display_name": "NOD32", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2060, "hostname": 3067, "CIDR": 4, "URL": 1300, "email": 29, "FileHash-MD5": 3181, "FileHash-SHA1": 1994, "FileHash-SHA256": 3228, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 14866, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "538 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a4885e735b9e8ba94805bc", "name": "Apple | Worm:Win32/Benjamin | thebrotherssabey.com", "description": "", "modified": "2024-09-05T06:51:42.608000", "created": "2024-01-15T01:20:30.730000", "tags": [ "execution", "whois record", "contacted", "ssl certificate", "whois whois", "contacted urls", "copy", "historical ssl", "referrer", "urls url", "icmp", "malicious", "installer", "problems", "collections", "report", "phishing", "service tool", "greatness", "threat network", "emotet", "magniber", "startpage", "attack", "banker", "keylogger", "namecheap inc", "com laude", "ltd dba", "cloudflare", "porkbun llc", "ii llc", "csc corporate", "domains", "computer", "company limited", "first", "cloudflarenet", "google", "amazon02", "akamaias", "telecom italia", "utc submissions", "microsoftcorpas", "indonesia", "beijing gu", "appleaustin", "sucurisec", "amazonaes", "limited", "tsara brashears", "pornhub", "thebrotherssabey", "then brothers sabey", "brian sabey", "apple", "icloud", "apple engineering", "soc", "hacker", "teams", "malvertizing", "cyberthreat", "cyber crime", "data", "v3 serial", "number", "cgb stgreater", "ecc domain", "server ca", "subject public", "key info", "key algorithm", "ec oid", "remote", "remote attacker", "benjamin", "worm", "trojan", "win32", "trojanspy", "ransomware", "command and control", "cnc", "c2", "stealer", "password", "apple unlocker", "pornographers", "cyber stalking", "revenge rat", "masquerading", "scanning host", "phishing", "dns", "network", "cobalt strike", "mitre attack", "metro hacker", "t-mobile hacker", "stalker", "social engineering", "et", "torrent trecker", "view", "duckdns", "blackhat", "data center", "tracking", "illegal", "malware scripting", "malware spreader", "network rat", "multiple botnetworks" ], "references": [ "https://thebrotherssabey.wordpress.com/", "acam-mdn.apple.com", "beacons.bcp.gvt.com", "cpcontacts.webcamara.online", "http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15", "http://ti.hicloudcam.com", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://search.app.goo.gl/?ofl", "Worm:Win32/Benjamin", "FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab", "FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5", "FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5", "applemusic-spotlight.myunidays.com", "nr-data.net", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4", "blackhat.store", "api.telegram.org", "cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Silk", "display_name": "Silk", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65a429795adf468b427a3c8b", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2469, "URL": 6038, "FileHash-MD5": 169, "FileHash-SHA1": 157, "FileHash-SHA256": 3922, "CIDR": 2, "hostname": 2787, "email": 2, "CVE": 1 }, "indicator_count": 15547, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "586 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a429795adf468b427a3c8b", "name": "Apple | Worm:Win32/Benjamin | thebrotherssabey.com", "description": "Retaliation. Brian Sabey representing as an attorney and many other occupations contacted and socially engineered target. Uncertain of true name. Contacted 'alleged' SA assault victim. Made claims of representing a Jeffrey Scott Reimer DPT' alleged 'S' Assaulter. Substantiated claims made with the twist of 'victim consented'. Mark Brian Sbabeys claims dismissed. Continues to hack, harass, intimidate target in every possible way. Hacking, monitoring, service, modification, phone contact, malicious texting, in person monitoring via colleagues, hacks into medical and medical billing centers, sells/leaks targets data on dark web. Removed targets name from most pulses via remote device access. Self whitelist. Everything he does is illegal.\n\nTarget not important enough to law enforcement.", "modified": "2024-02-13T17:04:19.437000", "created": "2024-01-14T18:35:37.757000", "tags": [ "execution", "whois record", "contacted", "ssl certificate", "whois whois", "contacted urls", "copy", "historical ssl", "referrer", "urls url", "icmp", "malicious", "installer", "problems", "collections", "report", "phishing", "service tool", "greatness", "threat network", "emotet", "magniber", "startpage", "attack", "banker", "keylogger", "namecheap inc", "com laude", "ltd dba", "cloudflare", "porkbun llc", "ii llc", "csc corporate", "domains", "computer", "company limited", "first", "cloudflarenet", "google", "amazon02", "akamaias", "telecom italia", "utc submissions", "microsoftcorpas", "indonesia", "beijing gu", "appleaustin", "sucurisec", "amazonaes", "limited", "tsara brashears", "pornhub", "thebrotherssabey", "then brothers sabey", "brian sabey", "apple", "icloud", "apple engineering", "soc", "hacker", "teams", "malvertizing", "cyberthreat", "cyber crime", "data", "v3 serial", "number", "cgb stgreater", "ecc domain", "server ca", "subject public", "key info", "key algorithm", "ec oid", "remote", "remote attacker", "benjamin", "worm", "trojan", "win32", "trojanspy", "ransomware", "command and control", "cnc", "c2", "stealer", "password", "apple unlocker", "pornographers", "cyber stalking", "revenge rat", "masquerading", "scanning host", "phishing", "dns", "network", "cobalt strike", "mitre attack", "metro hacker", "t-mobile hacker", "stalker", "social engineering", "et", "torrent trecker", "view", "duckdns", "blackhat", "data center", "tracking", "illegal", "malware scripting", "malware spreader", "network rat", "multiple botnetworks" ], "references": [ "https://thebrotherssabey.wordpress.com/", "acam-mdn.apple.com", "beacons.bcp.gvt.com", "cpcontacts.webcamara.online", "http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15", "http://ti.hicloudcam.com", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://search.app.goo.gl/?ofl", "Worm:Win32/Benjamin", "FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab", "FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5", "FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5", "applemusic-spotlight.myunidays.com", "nr-data.net", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4", "blackhat.store", "api.telegram.org", "cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Silk", "display_name": "Silk", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2462, "URL": 5950, "FileHash-MD5": 168, "FileHash-SHA1": 156, "FileHash-SHA256": 3901, "CIDR": 2, "hostname": 2766, "email": 2, "CVE": 1 }, "indicator_count": 15408, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658dd276d03bca9b7a93b724", "name": "Makop | Lazarus | Spyware", "description": "Privilege abuse. Spyware and miscellaneous cyber attacks leveraged against various individuals using escalated privileges. Pegasus was found, not thoroughly explored.", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-28T19:54:30.287000", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "808 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658ef84e3324dfdb9d16bd73", "name": "Makop | Lazarus | Spyware (if it looks like a Pegasus...)", "description": "", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-29T16:48:15", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": "658dd276d03bca9b7a93b724", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "808 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707dfb9f84eebbe3bdfe59", "name": "Pegasus and Friends 2 - all touch by Pegasus or Variant in some way or another", "description": "", "modified": "2023-12-06T13:58:18.607000", "created": "2023-12-06T13:58:18.607000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1207, "domain": 312, "hostname": 1198, "URL": 3217, "FileHash-MD5": 3 }, "indicator_count": 5937, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "860 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "620844f08a0cd181e13a81c0", "name": "Pegasus and Friends 2 - all touch by Pegasus or Variant in some way or another", "description": "", "modified": "2022-03-15T00:00:20.682000", "created": "2022-02-12T23:38:24.616000", "tags": [ "whois record", "ssl certificate", "whois whois", "whois", "pegasus", "spyware" ], "references": [ "https://pastebn.com/Q9qWTKsM", "https://pastebn.com/Q9qWTKsM/", "Graph by nilaymistry30", "https://www.virustotal.com/graph/g1143d9441bce4ab3b427b7bace69140516650b053aa4470584248657edc53ef3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3217, "hostname": 1198, "domain": 312, "FileHash-SHA256": 1207, "FileHash-MD5": 3 }, "indicator_count": 5937, "is_author": false, "is_subscribing": null, "subscriber_count": 402, "modified_text": "1491 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://github.com/peeringdb/peeringdb-py", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Denver Police let this attempted murder walk. Cited him as a ghost driver", "From the lovely Cyber Folks .PL Cover", "https://search.app.goo.gl/?ofl", "acam-mdn.apple.com", "http://alohatube.xyz/search/tsara-brashears", "Unknown Persons impersonating Private Investigators (plural)", "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl", "http://foundry2sdbl.dvr.dn2.n-helix.com/", "api.telegram.org", "I bring up the personal nature of the crime because a delete service has been used", "http://palantirwww.sweetheartvideo.com/ (weirdness)", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342", "209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com", "https://www.virustotal.com/graph/g1143d9441bce4ab3b427b7bace69140516650b053aa4470584248657edc53ef3", "https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com", "blackhat.store", "This is a serious crime. I\u2019m certain God WILL pay them.", "Reimer was a PT. Unknown whereabouts , name or job description", "FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://www.door.net/ARISBE/arisbe.htm", "beacons.bcp.gvt.com", "Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim", "Melvin Sabey", "applemusic-spotlight.myunidays.com", "gameskinny.com", "uat.identityssl.newscdn.com.au", "Denver Police Department Major Crimes closed investigation", "talk.plesk.com | 4evermusic.pl | nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov", "https://www.datafoundry.com/data-center-contamination-control/", "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e", "GitHub - peeringdb/peeringdb-py: PeeringDB python client", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4", "cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php", "https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx", "207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com", "Quasi Government Case", "http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15", "More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed", "https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088", "FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5", "telemetry-incoming.r53-2.services.mozilla.com", "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com", "http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd", "00-skillsetparadesarrollo.zendesk.com", "http://ti.hicloudcam.com", "https://pastebn.com/Q9qWTKsM", "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.", "https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse", "Some may may find this content is very disturbing and offensive", "www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com", "http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://www.datafoundry.com/category/news/press-releases/", "FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5", "https://rdweb.datafoundry.com/", "Worm:Win32/Benjamin", "Graph by nilaymistry30", "nr-data.net", "Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora", "https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215", "http://foundry2-lbl.dvr.dn2.n-helix.com/", "207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com", "207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com", "Mark Brian Sabey", "IDS Detections: Suspicious double Server Header Possible Kelihos", "https://thebrotherssabey.wordpress.com/", "https://207-207-25-201.fwd.datafoundry.com/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel", "Christopher P \u2018Buzz\u2019 Ahmann", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA", "https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl", "http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/", "cpcontacts.webcamara.online", "http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "http://212.33.237.86/images/1/report.php", "https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022", "http://watchhers.net/index.php", "https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com", "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header", "http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com", "The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/", "ISP: Charter Communications Inc Usage Type\tFixed Line ISP", "https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/", "https://pastebn.com/Q9qWTKsM/", "Ronda Cordova", "Victim silenced. Struck by Car Driven by male police let walk", "Sexual and Physical Assaulter - Jeffrey Scott Reimer", "Updated | What\u2019s left after theft", "All IoC\u2019s originate from sources named. There are some unknown attackers", "https://webmail.police.govmm.org/owa/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Cve-2023-4966", "Trojandownloader:win32/cutwail", "Kelihos", "Cerber ransomware", "Silk", "Virtool:win32/obfuscator", "Malware:addscopytostartup", "Cve-2023-22518", "Makop ransomware", "Worm:win32/benjamin", "Worm:win32/autorun", "Ninite", "Nod32", "#lowfi:siga:trojanspy:msil/keylogger", "Lazarus", "Et", "Nids", "Inject3.qgy", "Little", "Trojan:win32/glupteba", "Trojan:win32/cobaltstrike", "Win.trojan.generic-9935365-0", "Tons of malware", "Sabey", "Telper:hstr:clean:ninite", "Etpro", "Backdoor:win32/tofsee", "Ransomware", "Trojan:win32/zombie", "Tel:trojan:win64/goclr", "Brashears", "Tulach", "Trojan:win32/startpage", "Sf:shellcode-au\\ [trj]", "Alf:trojan:win32/cassini_6d4ebdc9", "Trojan:win32/fanop", "Virtool:win32/injector.gen!bq", "Trojan:win32/neconyd", "Noobyprotect", "Hallrender", "Hacktool", "Porn revenge", "Emotet", "Alf:heraklezeval:ransom:win32/cve", "Backdoor:win32/zegost", "Trojan:win32/dridex", "Lolkek", "Fakeav.for" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "69cf32e906000d5993f366c4", "name": "Habo Analysis System - & 'bye for now'", "description": "Habo Analysis plus other relative findings.\n\nMy opinion: Problem Size Trend : Macro. Whoever deleted files doesnt make it go away. #cryptographicfailure. Living Nightmare. The dates will reflect 2019/20 post certificate exp which adjusts to an aug 2025 sectigo cert which expired sept 8 2025 rolling into aws for auth expiring renewing ent of oct 2025 into a 5 year gap renewed same # digicert globalsign2020 seal. This cant end. But I am done here for deletions (not otx in my research who did this). To the person who did, you cooked the internet. There was one way to resolution. You failed.", "modified": "2026-04-03T04:05:59.805000", "created": "2026-04-03T03:24:25.921000", "tags": [ "next associated", "files show", "date hash", "avast avg", "present dec", "lowfi", "mtb may", "susp", "code", "llc registrar", "date", "server", "admin country", "registry domain", "iana id", "admin city", "herndon tech", "country", "key identifier", "x509v3 subject", "number", "cgb osectigo", "public server", "dv r36", "validity", "subject public", "key info", "key algorithm", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "executable", "msdos win32", "generic windos", "dos executable", "generic" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1006, "FileHash-SHA1": 927, "FileHash-SHA256": 3665, "hostname": 1187, "IPv4": 617, "URL": 1315, "email": 2, "domain": 605 }, "indicator_count": 9324, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf261cc4e399447d78776c", "name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |", "description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com", "modified": "2026-03-21T23:13:32.760000", "created": "2026-03-21T23:13:32.760000", "tags": [ "sc data", "data upload", "please sub", "include data", "extraction", "failed", "sc pulse", "idron anv", "extr please", "include review", "exclude sugges", "stop show", "typ domain", "united", "virtool", "name servers", "cryp", "emails", "win32", "ip address", "worm", "trojan", "learn", "suspicious", "informative", "ck id", "name tactics", "command", "adversaries", "spawns", "ssl certificate", "initial access", "link initial", "prefetch8", "mitre att", "ck matrix", "flag", "windows nt", "win64", "accept", "encrypt", "form", "hybrid", "bypass", "general", "path", "iframe", "click", "strings", "anchor https", "anchor", "liberal", "sabey", "liberal friends", "meta", "html internet", "html document", "unicode text", "utf8 text", "info initial", "access ta0001", "compromise", "t1189 network", "communication", "get http", "artifacts v", "full reports", "v get", "help dns", "resolutions", "ip traffic", "extr data", "enter sc", "extra data", "referen", "broth", "passive dns", "urls", "http", "hostname", "files domain", "files related", "related tags", "none google", "safe browsing", "inquest labs", "lucas acha", "code integrity", "checks creation", "otx logo", "all hostname", "files", "domain", "protect", "date", "title", "exchange", "se http", "present jan", "present feb", "present dec", "backdoor", "certificate", "all domain", "alibaba cloud", "hichina", "porkbun llc", "cloudflare", "namecheap inc", "namecheap", "domains", "dynadot llc", "ascio", "denmark", "url https", "filehashsha256", "url http", "dopple ai", "snit", "iocs", "otx description", "information", "report spam", "delete service", "poem", "hunter", "malicious", "porn revenge", "brian sabeys", "all report", "spam delete", "rl http", "https", "expiration http", "spam brian", "swipper", "type indicator", "role title", "added active", "related pulses", "filehashmd5", "filehashsha1", "sha256", "scan", "learn more", "indicators show", "tbmvid", "sourcelnms", "zx1724209326040", "xxx videos", "xxxvideohd", "adversary", "packing", "palantir.com", "discovery", "victim won case", "doin it", "palantirian abuse", "apple", "sabey data centers", "insurance", "quasi government", "the brother sabey", "reimer", "law enforcement", "vessel state", "sabey porn", "hall evans", "christopher ahmann", "defamation", "google" ], "references": [ "The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/", "http://watchhers.net/index.php", "http://212.33.237.86/images/1/report.php", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://webmail.police.govmm.org/owa/", "https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl", "https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215", "Mark Brian Sabey", "Melvin Sabey", "Christopher P \u2018Buzz\u2019 Ahmann", "Ronda Cordova", "Unknown Persons impersonating Private Investigators (plural)", "Quasi Government Case", "Victim silenced. Struck by Car Driven by male police let walk", "Denver Police let this attempted murder walk. Cited him as a ghost driver", "Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora", "Sexual and Physical Assaulter - Jeffrey Scott Reimer", "Reimer was a PT. Unknown whereabouts , name or job description", "Denver Police Department Major Crimes closed investigation", "Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim", "I bring up the personal nature of the crime because a delete service has been used", "More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed", "All IoC\u2019s originate from sources named. There are some unknown attackers", "This is a serious crime. I\u2019m certain God WILL pay them.", "https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com", "http://palantirwww.sweetheartvideo.com/ (weirdness)", "http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.datafoundry.com/data-center-contamination-control/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2-lbl.dvr.dn2.n-helix.com/", "https://207-207-25-201.fwd.datafoundry.com/", "http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd", "http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1", "https://rdweb.datafoundry.com/", "https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/", "http://foundry2sdbl.dvr.dn2.n-helix.com/", "Updated | What\u2019s left after theft", "207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com", "207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com", "https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse", "https://www.datafoundry.com/category/news/press-releases/", "207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com", "209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com", "www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com", "http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com", "http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/", "https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022", "https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/", "https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com", "Some may may find this content is very disturbing and offensive" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Porn Revenge", "display_name": "Porn Revenge", "target": null }, { "id": "Tons of Malware", "display_name": "Tons of Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1586.001", "name": "Social Media Accounts", "display_name": "T1586.001 - Social Media Accounts" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6034, "domain": 1422, "IPv4": 883, "FileHash-MD5": 274, "FileHash-SHA1": 252, "FileHash-SHA256": 3378, "email": 11, "hostname": 2753, "CVE": 1, "SSLCertFingerprint": 9, "IPv6": 32 }, "indicator_count": 15049, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f1accda30d94af7e846357", "name": "Zendesk as VirusTotal \u00bb Ransom:Win32/CVE", "description": "*https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088 |||\n\n*In this situation a target received a VirusTotal / Zendesk drive by pop up message that site was unauthorized , fraud risk. The link has it all! Downloaders, install core, browser bar malware, ransomware, python script. Heavy attack. Desires deletion of device , accounts and contents.\n |||\nALF:HeraklezEval:Ransom:Win32/CVE , \nALF:Trojan:Win32/Cassini_6d4ebdc9 ,\nBackdoor:Win32/Zegost ,\nCVE-2023-22518 ,\nCVE-2023-4966 ,\nFakeAV.FOR ,\nMalware:AddsCopyToStartup ,\nNinite ,\nNoobyProtect ,\nTEL:Trojan:Win64/GoCLR ,\nTELPER:HSTR:CLEAN:Ninite ,\nTrojan:Win32/Cobaltstrike ,\nTrojan:Win32/Dridex ,\nTrojan:Win32/Fanop ,\nTrojan:Win32/Neconyd ,\nTrojan:Win32/Startpage ,\nTrojan:Win32/Zombie ,\nVirTool:Win32/Injector.gen!BQ ,\nVirTool:Win32/Obfuscator ,\nWin.Trojan.Generic-9935365-0 ,\nWorm:Win32/Autorun", "modified": "2024-10-23T17:03:27.463000", "created": "2024-09-23T18:00:45.146000", "tags": [ "as396982 google", "setup", "passive dns", "unknown", "ninite sep", "a td", "443 ma2592000", "accept", "gmt cache", "trojan", "status", "name servers", "urls", "creation date", "search", "emails", "servers", "as15169 google", "aaaa", "cname", "virtool", "cryp", "as19527 google", "win32", "related pulses", "file samples", "files matching", "date hash", "trojan features", "entries", "search otx", "telper", "worm", "copyright", "levelblue", "files domain", "files related", "pulses none", "accept accept", "as16625 akamai", "as20940", "asnone united", "nxdomain", "expiration date", "as21342", "as132147", "china", "as9808 china", "body", "all scoreblue", "backdoor", "alf features", "all search", "domain", "as15133 verizon", "as16552 tiggee", "url https", "http", "hostname", "ninite", "united states", "scan endpoints", "show", "showing", "next", "united", "as54113", "github pages", "formbook cnc", "checkin", "mtb aug", "a domains", "class", "twitter", "certificate", "record value", "pulse pulses", "overview ip", "address", "related nids", "files location", "div div", "github", "meta", "homepage", "form", "as36459", "g2 tls", "rsa sha256", "as29791", "dynamicloader", "medium", "yara detections", "dynamic", "filehash", "sha256", "february", "copy", "otx telemetry", "related tags", "a li", "span p", "dj ai", "dongjun jeong", "a h2", "writeups", "infosec journey", "script urls", "netherlands", "a nxdomain", "aaaa nxdomain", "cloudfront", "trojandropper", "china unknown", "msie", "chrome", "ipv4", "noobyprotect", "files", "peeringdb", "sign", "github copilot", "view", "notifications", "branches tags", "code issues", "pull", "write", "star", "code", "stars", "python", "shell", "footer", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "as62597 nsone", "dnssec", "win32mydoom sep", "windows nt", "wow64", "khtml", "gecko", "query", "jpn write", "e0e8e", "observed dns", "expiro", "defender", "malware", "possible", "suspicious", "activity dns", "mtb may", "sameorigin", "domain name", "error", "moved", "server", "mtb sep", "win32cve sep", "cloud provider", "reverse dns", "america asn", "dns resolutions", "domains top", "level", "unique tlds", "pulses", "default", "yara rule", "high", "cnc checkin", "cape", "powershell", "vmprotect", "local", "agent", "domainabuse", "su liao", "zhi pin", "application", "expiro malware", "anomalous file", "june", "fakedout threat", "analyzer paste", "iocs", "samples", "exploit", "germany unknown", "as14636", "russia unknown", "as9123 timeweb", "as45102 alibaba", "as43830", "read c", "write c", "process32nextw", "regsetvalueexa", "regdword", "installcore", "format", "delphi", "stack", "downloader", "urls http", "delete c", "tls handshake", "number", "failure", "delete", "ids detections", "fadok", "template", "slcc2", "media center", "contacted", "ollydbg", "internal", "simda", "brian sabey", "going dark", "stop", "as14061", "hostnames", "as48287 jsc", "as50340", "czechia unknown", "date" ], "references": [ "https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088", "GitHub - peeringdb/peeringdb-py: PeeringDB python client", "00-skillsetparadesarrollo.zendesk.com", "https://github.com/peeringdb/peeringdb-py", "From the lovely Cyber Folks .PL Cover" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Poland", "Australia", "Austria", "Canada", "Netherlands", "China" ], "malware_families": [ { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2023-4966", "display_name": "CVE-2023-4966", "target": null }, { "id": "FakeAV.FOR", "display_name": "FakeAV.FOR", "target": null }, { "id": "TELPER:HSTR:CLEAN:Ninite", "display_name": "TELPER:HSTR:CLEAN:Ninite", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Dridex", "display_name": "Trojan:Win32/Dridex", "target": "/malware/Trojan:Win32/Dridex" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Malware:AddsCopyToStartup", "display_name": "Malware:AddsCopyToStartup", "target": null }, { "id": "Trojan:Win32/Cobaltstrike", "display_name": "Trojan:Win32/Cobaltstrike", "target": "/malware/Trojan:Win32/Cobaltstrike" }, { "id": "ALF:Trojan:Win32/Cassini_6d4ebdc9", "display_name": "ALF:Trojan:Win32/Cassini_6d4ebdc9", "target": null }, { "id": "Trojan:Win32/Startpage", "display_name": "Trojan:Win32/Startpage", "target": "/malware/Trojan:Win32/Startpage" }, { "id": "Backdoor:Win32/Zegost", "display_name": "Backdoor:Win32/Zegost", "target": "/malware/Backdoor:Win32/Zegost" }, { "id": "Trojan:Win32/Fanop", "display_name": "Trojan:Win32/Fanop", "target": "/malware/Trojan:Win32/Fanop" }, { "id": "Trojan:Win32/Neconyd", "display_name": "Trojan:Win32/Neconyd", "target": "/malware/Trojan:Win32/Neconyd" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "Win.Trojan.Generic-9935365-0", "display_name": "Win.Trojan.Generic-9935365-0", "target": null }, { "id": "Ninite", "display_name": "Ninite", "target": null }, { "id": "NoobyProtect", "display_name": "NoobyProtect", "target": null }, { "id": "TEL:Trojan:Win64/GoCLR", "display_name": "TEL:Trojan:Win64/GoCLR", "target": null }, { "id": "ALF:HeraklezEval:Ransom:Win32/CVE", "display_name": "ALF:HeraklezEval:Ransom:Win32/CVE", "target": null }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4891, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2436, "CVE": 3, "FileHash-MD5": 2510, "FileHash-SHA1": 2063, "FileHash-SHA256": 4054, "hostname": 1788, "URL": 1228, "email": 16 }, "indicator_count": 14098, "is_author": false, "is_subscribing": null, "subscriber_count": 239, "modified_text": "538 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f100d791f9f9f6ab7b4f24", "name": "Cerber \u00bb Charter Communications \u00bb Spectrum Denver", "description": "[107.14.73.70] IP address range owned by Charter Communications Inc and located in Denver, Co United States.\n\nTargets & family neighborhood ISP's attacked again. Internet and targets devices attacked , Internet had to be reset twice by tech teams. Our team was able to track comprises directed towards target and families devices, which they are destroying. Stolen passwords, leaks, forced content, dumping. Both Spectrum & Quantum fiber positive for malicious activity within targeted devices. Fake iOS update pushed to a device. It comes with an agreement from Apple Singapore, LTD. \n\nMalware Families ,\nBackdoor:Win32/Tofse , \nCerber Ransomware ,\nET. \nETPRO ,\nInject3.QGY ,\nKelihos ,\nNIDS ,\nNOD32 ,\nSf:ShellCode-AU\\ [Trj] , \nTrojan:Win32/Glupteba ,\nTrojanDownloader:Win32/Cutwail ,\nVirTool:Win32/Obfuscator", "modified": "2024-10-23T05:03:21.045000", "created": "2024-09-23T05:47:03.625000", "tags": [ "isp charter", "usage type", "fixed line", "isp hostname", "domain name", "country united", "america city", "denver", "colorado", "ip address", "whois", "check", "information isp", "inc usage", "type fixed", "line isp", "hostname", "plesk forum", "centos web", "panel forum", "whois lookup", "netrange", "nethandle", "net107", "net1070000", "cc3517", "inc orgid", "dr city", "stateprov", "postalcode", "status", "as7843 charter", "united", "name servers", "passive dns", "urls", "domain", "search", "emails", "unknown", "scan endpoints", "all scoreblue", "ipv4", "files", "reverse dns", "location united", "win32", "abuseipdb", "read", "write", "read c", "server header", "show", "suspicious", "kelihos", "trojan", "artemis", "virustotal", "download", "drweb", "vipre", "panda", "malware", "specified", "next", "et trojan", "et info", "medium", "http", "ids detections", "yara detections", "e98c1cec8156", "as11426 charter", "as20001 charter", "as11427 charter", "as11351 charter", "as16787 charter", "as33363 charter", "as20115 charter", "as10796 charter", "as12271 charter", "body", "servers", "all search", "entries", "intel", "ms windows", "windows nt", "destination", "port", "asnone", "heurunsec", "etpro trojan", "nxdomain", "a nxdomain", "aaaa", "asnone united", "aaaa nxdomain", "backdoor", "pulse submit", "url analysis", "location oxford", "as3456 charter", "moved", "showing", "body doctype", "html public", "ietfdtd html", "as6976 verizon", "as701 verizon", "file samples", "files matching", "date hash", "copyright", "levelblue", "related pulses", "pulse pulses", "kryptikpii", "msr apr", "date", "creation date", "analyzer paste", "iocs", "samples", "secure server", "cname", "as5742", "body head", "object moved", "content length", "content type", "cookie", "as15133 verizon", "lowfi", "gmt server", "ecacc", "record value", "oxford", "michigan", "ns nxdomain", "soa nxdomain", "url http", "mitre att", "evasion ta0005", "creates", "discovery t1082", "reads software", "file", "t1083 reads", "jujubox", "zenbox", "get http", "request", "host", "win64", "khtml", "gecko", "response", "cus cndigicert", "tls rsa", "user", "javascript c", "doscom c", "text c", "files c", "storage", "file system", "filesadobe c", "appdata", "appdatalocal", "hostnames", "ta0002 command", "t1059 very", "t1064", "javascript", "modules t1129", "ta0003 create", "modify system", "process t1543", "windows service", "cisco umbrella", "blacklist", "safe site", "filerepmalware", "microsoft", "phishing bank", "sgeneric", "malware site", "unsafe", "number", "cus cngts", "ogoogle trust", "subject", "algorithm", "cus ouserver", "ouserver ca", "record type", "ttl value", "msms86718722", "query", "open", "capa", "create process", "windows create", "delete file", "write file", "windows check", "os version", "enumerate", "hashes", "signals mutexes", "mutexes", "open threat", "location los", "emails info", "expiration date", "write c", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "as51167 contabo", "germany unknown", "as40021 contabo", "encrypt", "hosting", "netherlands asn", "as204601 zomro", "pulses", "tags", "related tags", "indicator facts", "historical otx", "files ip", "asnone germany", "as174 cogent", "czechia unknown", "whitelisted", "certificate", "bittorrent dht", "post http", "et p2p", "cryptexportkey", "invalid pointer", "delete c", "post utcore", "benchhttp", "mozilla", "maldoc", "service", "tools", "nids", "et", "x95xd3xa4", "regbinary", "hx88x89", "kx82xd3x11", "xb9x8b", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "stream", "persistence", "execution", "dynamicloader", "contacted", "domains", "yara rule", "high", "dynamic", "pcap", "pushdo", "msie", "activity beacon", "malware beacon", "default", "redacted for", "for privacy", "as3379 kaiser", "server", "gmt content", "type", "x frame", "entries http", "scans show", "domain related", "no data", "tag count", "fakedout threat", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "components", "zune", "etpro", "nod32", "avast avg", "next http", "example domain", "title meta", "invalid url", "akamai", "urls http", "as20940", "as16625 akamai", "netherlands", "germany", "france", "virtool", "rock", "address", "apache", "accept", "as8075", "pulse http", "related nids", "files location", "moldova related", "pulses none", "as31898 oracle", "title", "kryptiklfq", "win32dh", "vitro", "shutdown", "erase", "find", "close", "as53418", "hat server", "as797 att", "script urls", "a domains", "as10753 level", "script script", "meta", "path", "null", "stop", "as54113", "chrome", "as7018 att", "as28521", "mexico unknown", "fastly error", "please", "sea p", "object", "set cookie", "pragma", "as19536 directv", "united kingdom", "as60664 xion", "trojan features", "moldova unknown", "susp", "breaking news", "business", "finance", "entertainment", "sports", "games", "trending videos", "weather", "home", "as396982 google", "url https", "type indicator", "role title", "added active", "cyberfolks", ".pl", "level 3" ], "references": [ "ISP: Charter Communications Inc Usage Type\tFixed Line ISP", "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA", "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.", "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com", "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e", "IDS Detections: Suspicious double Server Header Possible Kelihos", "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header", "telemetry-incoming.r53-2.services.mozilla.com", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel", "http://www.door.net/ARISBE/arisbe.htm", "talk.plesk.com | 4evermusic.pl | nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov", "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Hungary", "Ukraine", "Spain", "Brazil", "Russian Federation", "Moldova, Republic of", "Japan", "Ireland", "Luxembourg", "Canada" ], "malware_families": [ { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Cerber Ransomware", "display_name": "Cerber Ransomware", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Inject3.QGY", "display_name": "Inject3.QGY", "target": null }, { "id": "Kelihos", "display_name": "Kelihos", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "NOD32", "display_name": "NOD32", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2060, "hostname": 3067, "CIDR": 4, "URL": 1300, "email": 29, "FileHash-MD5": 3181, "FileHash-SHA1": 1994, "FileHash-SHA256": 3228, "CVE": 2, "SSLCertFingerprint": 1 }, "indicator_count": 14866, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "538 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a4885e735b9e8ba94805bc", "name": "Apple | Worm:Win32/Benjamin | thebrotherssabey.com", "description": "", "modified": "2024-09-05T06:51:42.608000", "created": "2024-01-15T01:20:30.730000", "tags": [ "execution", "whois record", "contacted", "ssl certificate", "whois whois", "contacted urls", "copy", "historical ssl", "referrer", "urls url", "icmp", "malicious", "installer", "problems", "collections", "report", "phishing", "service tool", "greatness", "threat network", "emotet", "magniber", "startpage", "attack", "banker", "keylogger", "namecheap inc", "com laude", "ltd dba", "cloudflare", "porkbun llc", "ii llc", "csc corporate", "domains", "computer", "company limited", "first", "cloudflarenet", "google", "amazon02", "akamaias", "telecom italia", "utc submissions", "microsoftcorpas", "indonesia", "beijing gu", "appleaustin", "sucurisec", "amazonaes", "limited", "tsara brashears", "pornhub", "thebrotherssabey", "then brothers sabey", "brian sabey", "apple", "icloud", "apple engineering", "soc", "hacker", "teams", "malvertizing", "cyberthreat", "cyber crime", "data", "v3 serial", "number", "cgb stgreater", "ecc domain", "server ca", "subject public", "key info", "key algorithm", "ec oid", "remote", "remote attacker", "benjamin", "worm", "trojan", "win32", "trojanspy", "ransomware", "command and control", "cnc", "c2", "stealer", "password", "apple unlocker", "pornographers", "cyber stalking", "revenge rat", "masquerading", "scanning host", "phishing", "dns", "network", "cobalt strike", "mitre attack", "metro hacker", "t-mobile hacker", "stalker", "social engineering", "et", "torrent trecker", "view", "duckdns", "blackhat", "data center", "tracking", "illegal", "malware scripting", "malware spreader", "network rat", "multiple botnetworks" ], "references": [ "https://thebrotherssabey.wordpress.com/", "acam-mdn.apple.com", "beacons.bcp.gvt.com", "cpcontacts.webcamara.online", "http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15", "http://ti.hicloudcam.com", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://search.app.goo.gl/?ofl", "Worm:Win32/Benjamin", "FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab", "FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5", "FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5", "applemusic-spotlight.myunidays.com", "nr-data.net", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4", "blackhat.store", "api.telegram.org", "cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Silk", "display_name": "Silk", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65a429795adf468b427a3c8b", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2469, "URL": 6038, "FileHash-MD5": 169, "FileHash-SHA1": 157, "FileHash-SHA256": 3922, "CIDR": 2, "hostname": 2787, "email": 2, "CVE": 1 }, "indicator_count": 15547, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "586 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a429795adf468b427a3c8b", "name": "Apple | Worm:Win32/Benjamin | thebrotherssabey.com", "description": "Retaliation. Brian Sabey representing as an attorney and many other occupations contacted and socially engineered target. Uncertain of true name. Contacted 'alleged' SA assault victim. Made claims of representing a Jeffrey Scott Reimer DPT' alleged 'S' Assaulter. Substantiated claims made with the twist of 'victim consented'. Mark Brian Sbabeys claims dismissed. Continues to hack, harass, intimidate target in every possible way. Hacking, monitoring, service, modification, phone contact, malicious texting, in person monitoring via colleagues, hacks into medical and medical billing centers, sells/leaks targets data on dark web. Removed targets name from most pulses via remote device access. Self whitelist. Everything he does is illegal.\n\nTarget not important enough to law enforcement.", "modified": "2024-02-13T17:04:19.437000", "created": "2024-01-14T18:35:37.757000", "tags": [ "execution", "whois record", "contacted", "ssl certificate", "whois whois", "contacted urls", "copy", "historical ssl", "referrer", "urls url", "icmp", "malicious", "installer", "problems", "collections", "report", "phishing", "service tool", "greatness", "threat network", "emotet", "magniber", "startpage", "attack", "banker", "keylogger", "namecheap inc", "com laude", "ltd dba", "cloudflare", "porkbun llc", "ii llc", "csc corporate", "domains", "computer", "company limited", "first", "cloudflarenet", "google", "amazon02", "akamaias", "telecom italia", "utc submissions", "microsoftcorpas", "indonesia", "beijing gu", "appleaustin", "sucurisec", "amazonaes", "limited", "tsara brashears", "pornhub", "thebrotherssabey", "then brothers sabey", "brian sabey", "apple", "icloud", "apple engineering", "soc", "hacker", "teams", "malvertizing", "cyberthreat", "cyber crime", "data", "v3 serial", "number", "cgb stgreater", "ecc domain", "server ca", "subject public", "key info", "key algorithm", "ec oid", "remote", "remote attacker", "benjamin", "worm", "trojan", "win32", "trojanspy", "ransomware", "command and control", "cnc", "c2", "stealer", "password", "apple unlocker", "pornographers", "cyber stalking", "revenge rat", "masquerading", "scanning host", "phishing", "dns", "network", "cobalt strike", "mitre attack", "metro hacker", "t-mobile hacker", "stalker", "social engineering", "et", "torrent trecker", "view", "duckdns", "blackhat", "data center", "tracking", "illegal", "malware scripting", "malware spreader", "network rat", "multiple botnetworks" ], "references": [ "https://thebrotherssabey.wordpress.com/", "acam-mdn.apple.com", "beacons.bcp.gvt.com", "cpcontacts.webcamara.online", "http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15", "http://ti.hicloudcam.com", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://search.app.goo.gl/?ofl", "Worm:Win32/Benjamin", "FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab", "FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5", "FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5", "applemusic-spotlight.myunidays.com", "nr-data.net", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4", "blackhat.store", "api.telegram.org", "cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Silk", "display_name": "Silk", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2462, "URL": 5950, "FileHash-MD5": 168, "FileHash-SHA1": 156, "FileHash-SHA256": 3901, "CIDR": 2, "hostname": 2766, "email": 2, "CVE": 1 }, "indicator_count": 15408, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658dd276d03bca9b7a93b724", "name": "Makop | Lazarus | Spyware", "description": "Privilege abuse. Spyware and miscellaneous cyber attacks leveraged against various individuals using escalated privileges. Pegasus was found, not thoroughly explored.", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-28T19:54:30.287000", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "808 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658ef84e3324dfdb9d16bd73", "name": "Makop | Lazarus | Spyware (if it looks like a Pegasus...)", "description": "", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-29T16:48:15", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": "658dd276d03bca9b7a93b724", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "808 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707dfb9f84eebbe3bdfe59", "name": "Pegasus and Friends 2 - all touch by Pegasus or Variant in some way or another", "description": "", "modified": "2023-12-06T13:58:18.607000", "created": "2023-12-06T13:58:18.607000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1207, "domain": 312, "hostname": 1198, "URL": 3217, "FileHash-MD5": 3 }, "indicator_count": 5937, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "860 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "620844f08a0cd181e13a81c0", "name": "Pegasus and Friends 2 - all touch by Pegasus or Variant in some way or another", "description": "", "modified": "2022-03-15T00:00:20.682000", "created": "2022-02-12T23:38:24.616000", "tags": [ "whois record", "ssl certificate", "whois whois", "whois", "pegasus", "spyware" ], "references": [ "https://pastebn.com/Q9qWTKsM", "https://pastebn.com/Q9qWTKsM/", "Graph by nilaymistry30", "https://www.virustotal.com/graph/g1143d9441bce4ab3b427b7bace69140516650b053aa4470584248657edc53ef3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3217, "hostname": 1198, "domain": 312, "FileHash-SHA256": 1207, "FileHash-MD5": 3 }, "indicator_count": 5937, "is_author": false, "is_subscribing": null, "subscriber_count": 402, "modified_text": "1491 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "mozilla.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "mozilla.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776208902.0766826 }