{ "type": "Domain", "indicator": "myeffect.net", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/myeffect.net", "alexa": "http://www.alexa.com/siteinfo/myeffect.net", "indicator": "myeffect.net", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4900, "indicator": "myeffect.net", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "6998f7aa0bbea2bda9d216b5", "name": "no-ip", "description": "", "modified": "2026-05-18T20:26:39.259000", "created": "2026-02-21T00:09:14.394000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 93 }, "indicator_count": 93, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68d332d77a7eedf3ad71c406", "name": "Denizbankk.net \u2022 LevelBlue - Open Threat Exchange", "description": "Denizbankk.net \u2022 Debian.org \u2022 hallrender.com \u2022 alienvault.com \u2022 hopto.org \u2022 striven.com| ? | This is concerning. It\u2019s not like intended to find what I have found but I am disappointed. The few people on the platform who do their own research eventually leave with a large amount of reposters. Related to haallrendee, brian sabey and each link listed. Stange happenings this weak. [otx auto populated- Google Safe Browsing, Denizbankk.net, has been used by the Russian government to create a secure web address that can be accessed only if the user has the correct address.{", "modified": "2025-10-23T23:03:23.167000", "created": "2025-09-23T23:52:55.453000", "tags": [ "log id", "gmtn", "tls web", "zerossl", "zerossl rsa", "domain secure", "site ca", "fa c7", "ocsp", "a167", "code", "keepalive", "false", "record type", "ttl a", "value", "o jarm", "fingerprint", "file format", "relevance", "united", "tempe", "arizona create", "domain", "expiry date", "name", "query time", "technical city", "tempe technical", "technical state", "rdap database", "handle", "iana registrar", "links", "algorithm", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl rsa", "validity", "server", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "registrar whois", "date", "available from", "country", "proxy", "postal code", "city", "admin city", "tempe admin", "filehashmd5", "url https", "filehashsha1", "url http", "type indicator", "role title", "added active", "related pulses", "filehashsha256", "showing", "germany unknown", "passive dns", "entries", "a domains", "body doctype", "content type", "gmt server", "ipv4 add", "pulse submit", "url analysis", "main", "apache", "accept", "title", "present dec", "present jun", "present nov", "aaaa", "present feb", "present sep", "search", "canada", "encrypt", "devam", "ad soyad", "mteri numaras", "gvenlik iin", "gizli soru", "gvenlik sorusu", "cevab", "ltfen bir", "present may", "moved", "present oct", "ip address", "gandi sas", "body", "backdoor", "next associated", "trojandropper", "fastly error", "please", "sea p", "twitter", "win32", "creation date", "name servers", "hostname add", "pulse pulses", "urls", "record value", "japan", "germany", "ipv4", "countries", "america", "netherlands", "italy", "brian sabey", "report spam", "tsara brashears", "created", "days ago", "green well", "sabey stash", "service", "hours ago", "malicious", "forbidden", "actionlistccc", "malware family", "mufanom att", "capture", "ck ids", "checkin", "t1036", "t1055", "injection", "t1056" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 617, "URL": 2495, "hostname": 1698, "FileHash-MD5": 275, "FileHash-SHA1": 265, "FileHash-SHA256": 1241, "SSLCertFingerprint": 2, "email": 4 }, "indicator_count": 6597, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "221 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68d3368ae75cccf736a55441", "name": "ET TROJAN Hiloti/Mufanom Downloader Checkin | Denizbankk.net", "description": "", "modified": "2025-10-23T23:03:23.167000", "created": "2025-09-24T00:08:42.048000", "tags": [ "log id", "gmtn", "tls web", "zerossl", "zerossl rsa", "domain secure", "site ca", "fa c7", "ocsp", "a167", "code", "keepalive", "false", "record type", "ttl a", "value", "o jarm", "fingerprint", "file format", "relevance", "united", "tempe", "arizona create", "domain", "expiry date", "name", "query time", "technical city", "tempe technical", "technical state", "rdap database", "handle", "iana registrar", "links", "algorithm", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl rsa", "validity", "server", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "registrar whois", "date", "available from", "country", "proxy", "postal code", "city", "admin city", "tempe admin", "filehashmd5", "url https", "filehashsha1", "url http", "type indicator", "role title", "added active", "related pulses", "filehashsha256", "showing", "germany unknown", "passive dns", "entries", "a domains", "body doctype", "content type", "gmt server", "ipv4 add", "pulse submit", "url analysis", "main", "apache", "accept", "title", "present dec", "present jun", "present nov", "aaaa", "present feb", "present sep", "search", "canada", "encrypt", "devam", "ad soyad", "mteri numaras", "gvenlik iin", "gizli soru", "gvenlik sorusu", "cevab", "ltfen bir", "present may", "moved", "present oct", "ip address", "gandi sas", "body", "backdoor", "next associated", "trojandropper", "fastly error", "please", "sea p", "twitter", "win32", "creation date", "name servers", "hostname add", "pulse pulses", "urls", "record value", "japan", "germany", "ipv4", "countries", "america", "netherlands", "italy", "brian sabey", "report spam", "tsara brashears", "created", "days ago", "green well", "sabey stash", "service", "hours ago", "malicious", "forbidden", "actionlistccc", "malware family", "mufanom att", "capture", "ck ids", "checkin", "t1036", "t1055", "injection", "t1056" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": "68d332d77a7eedf3ad71c406", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 617, "URL": 2495, "hostname": 1698, "FileHash-MD5": 275, "FileHash-SHA1": 265, "FileHash-SHA256": 1241, "SSLCertFingerprint": 2, "email": 4 }, "indicator_count": 6597, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "221 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66eb1585832bcf4f494f0335", "name": "Telco - Swipper | Emotet and other malware spreader. BGP Bridging", "description": "", "modified": "2024-10-20T13:04:44.866000", "created": "2024-09-18T18:01:41.013000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "66ca37ac60cb425a2b3856c6", "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4635, "domain": 771, "email": 11, "hostname": 1993, "FileHash-SHA256": 3185, "FileHash-MD5": 113, "FileHash-SHA1": 101, "CVE": 3 }, "indicator_count": 10814, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "590 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66c76a410bca940a8cb84f91", "name": "Remote Access - Dynamic DNS | Injection", "description": "Blamed for Botnet exchange, Ddos, ssh, email spamming, brute forcing emails, sending viruses/trojans to countless emails, injection, app installation, gov , bank employee targeting, etc. Listed ALL victim information in downed WikiLeaks website.The list is long, Swipper is still a mystery. The name has been linked to an IT graduate. This doesn't mean much as hackers frame everyone. The [person or links to does link back to subject of hacks against a targeted person. When target researched Swipper EVERYTHING related was cleaned from the Internet.\n\nThe best clue deleted was for IP's in the 152.199.0.0/24 Block. \nThe other was used by Brian Sabey who used service to distribute So much porn (and worse) all with targets name! It was a 'hopto' N\u2205 IP address. It disappeared so fast along with any trace.", "modified": "2024-09-21T14:04:09.409000", "created": "2024-08-22T16:41:37.285000", "tags": [ "referrer", "nanocore rat", "hunting guide", "your apt", "malware", "bitter apt", "using zxxz", "backdoor", "pakistan public", "committee", "ukraine", "maxage7200", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "dynamic dns", "access", "html info", "title remote", "ddns account", "meta tags", "ip address", "trackers amazon", "tag manager", "cookies noipbid", "netrange", "nethandle", "net152", "net1520000", "as1321", "inc orgid", "loudoun county", "parkway city", "postalcode", "content", "utc google", "gtmvfgb", "utc ggg8ybn7flc", "gg8ybn7flc", "samples", "no data", "tag count", "analyzer threat", "ip summary", "summary", "detection list", "heur", "malicious site", "malicious host", "services", "exchange botnet", "command", "control server", "host", "azorult", "pony", "asyncrat", "cobalt strike", "phishing", "team", "dropper", "crypt", "outbreak", "mimikatz", "riskware", "trojanx", "cisco umbrella", "site", "safe site", "redline stealer", "generic pua", "malware site", "utorrent", "generic", "yakes", "agent", "adposhel", "zbot", "cl0p", "managed dns", "strong", "noip", "please", "buy plus", "managed", "free", "service", "already", "read c", "dll read", "function read", "medium", "systemroot", "search", "high", "smtp host", "virustotal", "trojan", "write", "drweb", "vipre", "panda", "phishing", "ransomware", "rat", "swipper", "swipp9", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "ukgbagaqcq", "jid1886833764", "jid882556742", "unknown", "as36947", "algeria unknown", "germany unknown", "as37340", "nigeria unknown", "united kingdom", "as200350", "france unknown", "date", "z557338487", "z129433407", "z2111579734", "name servers", "passive dns", "as14627", "scan endpoints", "all scoreblue", "next", "aaaa", "asnone united", "moved", "certificate", "rsa ca", "ipv4", "pulse pulses", "win32", "process32nextw", "onlogon ru", "discovery", "t1057", "discovery t1057", "windows", "post http", "actionhello", "delphi", "dock", "memcommit", "writeconsolea", "nat monitor", "f tn", "delete c", "write c", "create c", "autoit", "look", "suspicious", "as9009 m247", "sri lanka", "domain", "creation date", "hungary unknown", "as36352", "files", "hosting", "reverse dns", "all search", "otx scoreblue", "hostname", "pulse submit", "url analysis", "status", "mtb sep", "record value", "servers", "gmt server", "pecancer", "as15169 google", "mtb apr", "open ports", "trojandropper", "gmt cache", "cashreminder", "philadelphia", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "nxdomain", "a nxdomain", "encrypt", "body", "present mar", "emails", "domain name", "expiration date", "error", "code", "location united", "united states", "malicious.75188e", "united", "icmp traffic", "pe section", "low software", "packing t1045", "t1045", "pe resource", "filehash", "ireland unknown", "as396982 google", "belgium unknown", "as24940 hetzner", "trojan process", "file samples", "files matching", "show", "date hash", "worm features", "related pulses", "malware process", "trojan features", "brute force", "brute forcing emails", "hacking", "logan utah", "ddos attack", "web app attacks", "bad web bot", "cwaf", "verizon enterprise" ], "references": [ "Title: The page title. Remote Access - Dynamic DNS - Create a Free DDNS Account Now - No-IP", "http://hopto.org/colocrossing/192.3.13.56/telco", "N\u2205 IP: https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "SLF:Trojan:Win32/Grandoreiro.A - FILEHASH - SHA256 5253cfaec7456b9fe440ab25207b8e1ff948b04fc2f2f34befc2354bf4431d07", "FILEHASH - SHA256 253cfaec7456b9fe440ab25207b8e1ff948b04fc2f2f34befc2354bf4431d07 | IP\u2019s Contacted: 34.117.59.81", "Malicious Antivirus Detections SLF:Trojan:Win32/Grandoreiro.A Yara Detections md5_constants , Delphi ,", "IDS Defections: Possible Cerber Ransomware IP Check Possible ET INFO RealThinClient Session Init", "IDS Defections: Possible External IP Lookup ipinfo.io DNS Query to DynDNS Domain *.ddns .me", "Alerts: network_icmp antianalysis_detectfile antidbg_windows antivm_generic_scsi", "Alerts: sysinternals_tools_usage antivm_vmware_in_instruction persistence_autorun", "Yara Detections: XOR_embeded_exefile_xored_with_round_256_bytes_key", "Malware.Nymeria-6993588-0: FileHash-SHA256 9dddb78cec49c05f2bec6f2583e4d8a663435f5a265a09a5966d5d4bfa866761", "NanoCore RAT CnC 7 : FileHash-SHA256 0031cb925e76f801a0ca2ebbc32029be927687f0d6183777be917878ffd7cd4b", "CVE-2023-23397 | scanning_host IPv4 158.247.7.206 scanning_host IP's: 192.3.13.56 158.247.7.206", "Whois-RWS ; Name, SWIPPER ; Handle, SWIPP9-ARIN ; Company, Verizon ; Street, 22001 Loudoun County Pkwy.", "Whois-RWS ; Name, SWIPPER ; Handle, SWIPP9-ARIN ; Company, Verizon ; Street, 22001", "Is Swipper: pool-70-21-23-161.washdc.fios.verizon.net", "SWIPPER - IP: 152.199.161.19 ISP Edgecast Inc. Content Delivery Network Domain Name edgecast.com Los Angeles, California", "SWIPPER - IP: 152.199.161.19 - Florence, Co related", "SWIPPER - ISP: WS/Acs Inc/Acs Usage Type:University/College/School Domain Name: acs-inc.com Pittsburgh, Pennsylvania", "SWIPPER Behavior: Brute-Force Credential brute-force attacks on webpage logins and services like SSH, FTP, SIP, SMTP, RDP, etc.", "SWIPPER Behavior: Category is seperate from DDoS attacks. Bad Web Bot Web App Attack", "Confirmed Malware: Cl0p QVM41.1.083F.Malware SLF:Trojan:Win32/Grandoreiro VirTool:Win32/Injector", "Confirmed Malware: Trojan:Win/Zombie Trojan:Win32/AutoitInject Trojan:Win32/Glupteba Trojan:Win32/QQpass", "Confirmed Malware: Trojan:Win32/Zbot TrojanDropper:Win32/Muldrop Worm:Win32/Mofksys", "Command and Control: 208.95.112.1 | 34.154.67.14", "https://www.colocrossing.com/", "American Registry for Internet Numbers (ARIN) http://www.arin.net \u203a cgi-bin \u203a Who is RWS", "https://whois.arin.net/rest/net/NET-71-96-0-0-1/pft?s=71.106.106.47" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "SLF:Trojan:Win32/Grandoreiro", "display_name": "SLF:Trojan:Win32/Grandoreiro", "target": null }, { "id": "QVM41.1.083F.Malware", "display_name": "QVM41.1.083F.Malware", "target": null }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" }, { "id": "Worm:Win32/Mofksys", "display_name": "Worm:Win32/Mofksys", "target": "/malware/Worm:Win32/Mofksys" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win/Zombie", "display_name": "Trojan:Win/Zombie", "target": "/malware/Trojan:Win/Zombie" }, { "id": "Trojan:Win32/AutoitInject", "display_name": "Trojan:Win32/AutoitInject", "target": "/malware/Trojan:Win32/AutoitInject" }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1110.004", "name": "Credential Stuffing", "display_name": "T1110.004 - Credential Stuffing" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "display_name": "T1037 - Boot or Logon Initialization Scripts" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1098.002", "name": "Exchange Email Delegate Permissions", "display_name": "T1098.002 - Exchange Email Delegate Permissions" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1205.001", "name": "Port Knocking", "display_name": "T1205.001 - Port Knocking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Technology", "Telecommunications", "Civilian Society", "Any" ], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 546, "FileHash-MD5": 1677, "FileHash-SHA1": 1288, "FileHash-SHA256": 1385, "CVE": 1, "domain": 404, "hostname": 591, "CIDR": 3, "email": 12 }, "indicator_count": 5907, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "619 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66c661131c5003925e9bfe15", "name": "Telco - Swipper | Emoted and other malware spreader. BGP related ?", "description": "I'm not sure what to make of this. I'm unnerved. As far back as I have been able to research, Swipper has been ever present, not even hiding in the attacks target who noticed this for themselves.Some information is no longer on the Internet , yet there are continuous command multiple IP's. This relates directly to the suspect hacker & co. Use of FreeDNS and many other tools related to this resource with the Net Handle Name: Swipper. It's seems to be prominent on Colorado, Ohio Constantly moving to the British Virgin Islands while having am Ashburn, Va [Loudon, Co]- Verizon Business address ont he MCI block [FBI nearby] Swipper was connected to targets Notepad for years,; with FBI name and address prominently displayed. Mysterious emails, and false MD referral locations of victim pointed back to a Swipper or Stephen Middleton IP address. It's always has a variant of Emotet. I don't know. Abuse of use by same attorney.", "modified": "2024-09-20T20:04:19.210000", "created": "2024-08-21T21:50:11.612000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "620 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66c66114103f15aab3b00d6c", "name": "Telco - Swipper | Emoted and other malware spreader. BGP related ?", "description": "I'm not sure what to make of this. I'm unnerved. As far back as I have been able to research, Swipper has been ever present, not even hiding in the attacks target who noticed this for themselves.Some information is no longer on the Internet , yet there are continuous command multiple IP's. This relates directly to the suspect hacker & co. Use of FreeDNS and many other tools related to this resource with the Net Handle Name: Swipper. It's seems to be prominent on Colorado, Ohio Constantly moving to the British Virgin Islands while having am Ashburn, Va [Loudon, Co]- Verizon Business address ont he MCI block [FBI nearby] Swipper was connected to targets Notepad for years,; with FBI name and address prominently displayed. Mysterious emails, and false MD referral locations of victim pointed back to a Swipper or Stephen Middleton IP address. It's always has a variant of Emotet. I don't know. Abuse of use by same attorney.", "modified": "2024-09-20T20:04:19.210000", "created": "2024-08-21T21:50:12.543000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "620 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66ca37ac60cb425a2b3856c6", "name": "Telco - Swipper | Emotet and other malware spreader. BGP Hurricane Electric related ", "description": "", "modified": "2024-09-20T20:04:19.210000", "created": "2024-08-24T19:42:36.642000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "66c66114103f15aab3b00d6c", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "620 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d4b052225d396d18e395c3", "name": " Telco - SWIPPER | Emotet and other malware spreader. BGP Hurricane Electric ", "description": "", "modified": "2024-09-20T20:04:19.210000", "created": "2024-09-01T18:20:02.256000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "66ca37ac60cb425a2b3856c6", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "620 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "CVE-2023-23397 | scanning_host IPv4 158.247.7.206 scanning_host IP's: 192.3.13.56 158.247.7.206", "Alerts: network_icmp antianalysis_detectfile antidbg_windows antivm_generic_scsi", "Confirmed Malware: Trojan:Win32/Zbot TrojanDropper:Win32/Muldrop Worm:Win32/Mofksys", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "Whois-RWS ; Name, SWIPPER ; Handle, SWIPP9-ARIN ; Company, Verizon ; Street, 22001 Loudoun County Pkwy.", "152.199.171.19 : USDA Fort Collins, Colorado", "IDS Defections: Possible Cerber Ransomware IP Check Possible ET INFO RealThinClient Session Init", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "http://appleidi-iforgot.3utilities.com/Verify.php", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Yara Detections: osx_GoLang", "Alerts: sysinternals_tools_usage antivm_vmware_in_instruction persistence_autorun", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Malware.Nymeria-6993588-0: FileHash-SHA256 9dddb78cec49c05f2bec6f2583e4d8a663435f5a265a09a5966d5d4bfa866761", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Is Swipper: pool-70-21-23-161.washdc.fios.verizon.net", "https://www.colocrossing.com/", "N\u2205 IP: https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "https://whois.arin.net/rest/net/NET-71-96-0-0-1/pft?s=71.106.106.47", "Whois-RWS ; Name, SWIPPER ; Handle, SWIPP9-ARIN ; Company, Verizon ; Street, 22001", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "NanoCore RAT CnC 7 : FileHash-SHA256 0031cb925e76f801a0ca2ebbc32029be927687f0d6183777be917878ffd7cd4b", "SLF:Trojan:Win32/Grandoreiro.A - FILEHASH - SHA256 5253cfaec7456b9fe440ab25207b8e1ff948b04fc2f2f34befc2354bf4431d07", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Command and Control: 208.95.112.1 | 34.154.67.14", "SWIPPER - IP: 152.199.161.19 - Florence, Co related", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "SWIPPER - ISP: WS/Acs Inc/Acs Usage Type:University/College/School Domain Name: acs-inc.com Pittsburgh, Pennsylvania", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Title: The page title. Remote Access - Dynamic DNS - Create a Free DDNS Account Now - No-IP", "SWIPPER Behavior: Brute-Force Credential brute-force attacks on webpage logins and services like SSH, FTP, SIP, SMTP, RDP, etc.", "Confirmed Malware: Trojan:Win/Zombie Trojan:Win32/AutoitInject Trojan:Win32/Glupteba Trojan:Win32/QQpass", "152.199.161.19: ANS Communications, Inc (ANS)", "Confirmed Malware: Cl0p QVM41.1.083F.Malware SLF:Trojan:Win32/Grandoreiro VirTool:Win32/Injector", "American Registry for Internet Numbers (ARIN) http://www.arin.net \u203a cgi-bin \u203a Who is RWS", "FILEHASH - SHA256 253cfaec7456b9fe440ab25207b8e1ff948b04fc2f2f34befc2354bf4431d07 | IP\u2019s Contacted: 34.117.59.81", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "SWIPPER - IP: 152.199.161.19 ISP Edgecast Inc. Content Delivery Network Domain Name edgecast.com Los Angeles, California", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "http://hopto.org/colocrossing/192.3.13.56/telco", "Yara Detections: XOR_embeded_exefile_xored_with_round_256_bytes_key", "IDS Defections: Possible External IP Lookup ipinfo.io DNS Query to DynDNS Domain *.ddns .me", "Malicious Antivirus Detections SLF:Trojan:Win32/Grandoreiro.A Yara Detections md5_constants , Delphi ,", "SWIPPER Behavior: Category is seperate from DDoS attacks. Bad Web Bot Web App Attack" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Trojan:win/zombie", "Worm:win32/mofksys", "Virtool:win32/injector", "Slf:trojan:win32/grandoreiro.a", "Trojan:win32/glupteba", "Slf:trojan:win32/grandoreiro", "Trojan:win32/qqpass", "Other:malware-gen\\ [trj]", "Trojandropper:win32/muldrop", "Win.trojan.emotet-9951800-0", "Trojan:win32/zbot", "Qvm41.1.083f.malware", "Trojan:win32/autoitinject", "Cl0p" ], "industries": [ "Any", "Telecommunications", "Technology", "Civilian society" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "6998f7aa0bbea2bda9d216b5", "name": "no-ip", "description": "", "modified": "2026-05-18T20:26:39.259000", "created": "2026-02-21T00:09:14.394000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 93 }, "indicator_count": 93, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68d332d77a7eedf3ad71c406", "name": "Denizbankk.net \u2022 LevelBlue - Open Threat Exchange", "description": "Denizbankk.net \u2022 Debian.org \u2022 hallrender.com \u2022 alienvault.com \u2022 hopto.org \u2022 striven.com| ? | This is concerning. It\u2019s not like intended to find what I have found but I am disappointed. The few people on the platform who do their own research eventually leave with a large amount of reposters. Related to haallrendee, brian sabey and each link listed. Stange happenings this weak. [otx auto populated- Google Safe Browsing, Denizbankk.net, has been used by the Russian government to create a secure web address that can be accessed only if the user has the correct address.{", "modified": "2025-10-23T23:03:23.167000", "created": "2025-09-23T23:52:55.453000", "tags": [ "log id", "gmtn", "tls web", "zerossl", "zerossl rsa", "domain secure", "site ca", "fa c7", "ocsp", "a167", "code", "keepalive", "false", "record type", "ttl a", "value", "o jarm", "fingerprint", "file format", "relevance", "united", "tempe", "arizona create", "domain", "expiry date", "name", "query time", "technical city", "tempe technical", "technical state", "rdap database", "handle", "iana registrar", "links", "algorithm", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl rsa", "validity", "server", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "registrar whois", "date", "available from", "country", "proxy", "postal code", "city", "admin city", "tempe admin", "filehashmd5", "url https", "filehashsha1", "url http", "type indicator", "role title", "added active", "related pulses", "filehashsha256", "showing", "germany unknown", "passive dns", "entries", "a domains", "body doctype", "content type", "gmt server", "ipv4 add", "pulse submit", "url analysis", "main", "apache", "accept", "title", "present dec", "present jun", "present nov", "aaaa", "present feb", "present sep", "search", "canada", "encrypt", "devam", "ad soyad", "mteri numaras", "gvenlik iin", "gizli soru", "gvenlik sorusu", "cevab", "ltfen bir", "present may", "moved", "present oct", "ip address", "gandi sas", "body", "backdoor", "next associated", "trojandropper", "fastly error", "please", "sea p", "twitter", "win32", "creation date", "name servers", "hostname add", "pulse pulses", "urls", "record value", "japan", "germany", "ipv4", "countries", "america", "netherlands", "italy", "brian sabey", "report spam", "tsara brashears", "created", "days ago", "green well", "sabey stash", "service", "hours ago", "malicious", "forbidden", "actionlistccc", "malware family", "mufanom att", "capture", "ck ids", "checkin", "t1036", "t1055", "injection", "t1056" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 617, "URL": 2495, "hostname": 1698, "FileHash-MD5": 275, "FileHash-SHA1": 265, "FileHash-SHA256": 1241, "SSLCertFingerprint": 2, "email": 4 }, "indicator_count": 6597, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "221 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68d3368ae75cccf736a55441", "name": "ET TROJAN Hiloti/Mufanom Downloader Checkin | Denizbankk.net", "description": "", "modified": "2025-10-23T23:03:23.167000", "created": "2025-09-24T00:08:42.048000", "tags": [ "log id", "gmtn", "tls web", "zerossl", "zerossl rsa", "domain secure", "site ca", "fa c7", "ocsp", "a167", "code", "keepalive", "false", "record type", "ttl a", "value", "o jarm", "fingerprint", "file format", "relevance", "united", "tempe", "arizona create", "domain", "expiry date", "name", "query time", "technical city", "tempe technical", "technical state", "rdap database", "handle", "iana registrar", "links", "algorithm", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl rsa", "validity", "server", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "registrar whois", "date", "available from", "country", "proxy", "postal code", "city", "admin city", "tempe admin", "filehashmd5", "url https", "filehashsha1", "url http", "type indicator", "role title", "added active", "related pulses", "filehashsha256", "showing", "germany unknown", "passive dns", "entries", "a domains", "body doctype", "content type", "gmt server", "ipv4 add", "pulse submit", "url analysis", "main", "apache", "accept", "title", "present dec", "present jun", "present nov", "aaaa", "present feb", "present sep", "search", "canada", "encrypt", "devam", "ad soyad", "mteri numaras", "gvenlik iin", "gizli soru", "gvenlik sorusu", "cevab", "ltfen bir", "present may", "moved", "present oct", "ip address", "gandi sas", "body", "backdoor", "next associated", "trojandropper", "fastly error", "please", "sea p", "twitter", "win32", "creation date", "name servers", "hostname add", "pulse pulses", "urls", "record value", "japan", "germany", "ipv4", "countries", "america", "netherlands", "italy", "brian sabey", "report spam", "tsara brashears", "created", "days ago", "green well", "sabey stash", "service", "hours ago", "malicious", "forbidden", "actionlistccc", "malware family", "mufanom att", "capture", "ck ids", "checkin", "t1036", "t1055", "injection", "t1056" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": "68d332d77a7eedf3ad71c406", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 617, "URL": 2495, "hostname": 1698, "FileHash-MD5": 275, "FileHash-SHA1": 265, "FileHash-SHA256": 1241, "SSLCertFingerprint": 2, "email": 4 }, "indicator_count": 6597, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "221 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66eb1585832bcf4f494f0335", "name": "Telco - Swipper | Emotet and other malware spreader. BGP Bridging", "description": "", "modified": "2024-10-20T13:04:44.866000", "created": "2024-09-18T18:01:41.013000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "66ca37ac60cb425a2b3856c6", "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4635, "domain": 771, "email": 11, "hostname": 1993, "FileHash-SHA256": 3185, "FileHash-MD5": 113, "FileHash-SHA1": 101, "CVE": 3 }, "indicator_count": 10814, "is_author": false, "is_subscribing": null, "subscriber_count": 236, "modified_text": "590 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66c76a410bca940a8cb84f91", "name": "Remote Access - Dynamic DNS | Injection", "description": "Blamed for Botnet exchange, Ddos, ssh, email spamming, brute forcing emails, sending viruses/trojans to countless emails, injection, app installation, gov , bank employee targeting, etc. Listed ALL victim information in downed WikiLeaks website.The list is long, Swipper is still a mystery. The name has been linked to an IT graduate. This doesn't mean much as hackers frame everyone. The [person or links to does link back to subject of hacks against a targeted person. When target researched Swipper EVERYTHING related was cleaned from the Internet.\n\nThe best clue deleted was for IP's in the 152.199.0.0/24 Block. \nThe other was used by Brian Sabey who used service to distribute So much porn (and worse) all with targets name! It was a 'hopto' N\u2205 IP address. It disappeared so fast along with any trace.", "modified": "2024-09-21T14:04:09.409000", "created": "2024-08-22T16:41:37.285000", "tags": [ "referrer", "nanocore rat", "hunting guide", "your apt", "malware", "bitter apt", "using zxxz", "backdoor", "pakistan public", "committee", "ukraine", "maxage7200", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "dynamic dns", "access", "html info", "title remote", "ddns account", "meta tags", "ip address", "trackers amazon", "tag manager", "cookies noipbid", "netrange", "nethandle", "net152", "net1520000", "as1321", "inc orgid", "loudoun county", "parkway city", "postalcode", "content", "utc google", "gtmvfgb", "utc ggg8ybn7flc", "gg8ybn7flc", "samples", "no data", "tag count", "analyzer threat", "ip summary", "summary", "detection list", "heur", "malicious site", "malicious host", "services", "exchange botnet", "command", "control server", "host", "azorult", "pony", "asyncrat", "cobalt strike", "phishing", "team", "dropper", "crypt", "outbreak", "mimikatz", "riskware", "trojanx", "cisco umbrella", "site", "safe site", "redline stealer", "generic pua", "malware site", "utorrent", "generic", "yakes", "agent", "adposhel", "zbot", "cl0p", "managed dns", "strong", "noip", "please", "buy plus", "managed", "free", "service", "already", "read c", "dll read", "function read", "medium", "systemroot", "search", "high", "smtp host", "virustotal", "trojan", "write", "drweb", "vipre", "panda", "phishing", "ransomware", "rat", "swipper", "swipp9", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "ukgbagaqcq", "jid1886833764", "jid882556742", "unknown", "as36947", "algeria unknown", "germany unknown", "as37340", "nigeria unknown", "united kingdom", "as200350", "france unknown", "date", "z557338487", "z129433407", "z2111579734", "name servers", "passive dns", "as14627", "scan endpoints", "all scoreblue", "next", "aaaa", "asnone united", "moved", "certificate", "rsa ca", "ipv4", "pulse pulses", "win32", "process32nextw", "onlogon ru", "discovery", "t1057", "discovery t1057", "windows", "post http", "actionhello", "delphi", "dock", "memcommit", "writeconsolea", "nat monitor", "f tn", "delete c", "write c", "create c", "autoit", "look", "suspicious", "as9009 m247", "sri lanka", "domain", "creation date", "hungary unknown", "as36352", "files", "hosting", "reverse dns", "all search", "otx scoreblue", "hostname", "pulse submit", "url analysis", "status", "mtb sep", "record value", "servers", "gmt server", "pecancer", "as15169 google", "mtb apr", "open ports", "trojandropper", "gmt cache", "cashreminder", "philadelphia", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown", "nxdomain", "a nxdomain", "encrypt", "body", "present mar", "emails", "domain name", "expiration date", "error", "code", "location united", "united states", "malicious.75188e", "united", "icmp traffic", "pe section", "low software", "packing t1045", "t1045", "pe resource", "filehash", "ireland unknown", "as396982 google", "belgium unknown", "as24940 hetzner", "trojan process", "file samples", "files matching", "show", "date hash", "worm features", "related pulses", "malware process", "trojan features", "brute force", "brute forcing emails", "hacking", "logan utah", "ddos attack", "web app attacks", "bad web bot", "cwaf", "verizon enterprise" ], "references": [ "Title: The page title. Remote Access - Dynamic DNS - Create a Free DDNS Account Now - No-IP", "http://hopto.org/colocrossing/192.3.13.56/telco", "N\u2205 IP: https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "SLF:Trojan:Win32/Grandoreiro.A - FILEHASH - SHA256 5253cfaec7456b9fe440ab25207b8e1ff948b04fc2f2f34befc2354bf4431d07", "FILEHASH - SHA256 253cfaec7456b9fe440ab25207b8e1ff948b04fc2f2f34befc2354bf4431d07 | IP\u2019s Contacted: 34.117.59.81", "Malicious Antivirus Detections SLF:Trojan:Win32/Grandoreiro.A Yara Detections md5_constants , Delphi ,", "IDS Defections: Possible Cerber Ransomware IP Check Possible ET INFO RealThinClient Session Init", "IDS Defections: Possible External IP Lookup ipinfo.io DNS Query to DynDNS Domain *.ddns .me", "Alerts: network_icmp antianalysis_detectfile antidbg_windows antivm_generic_scsi", "Alerts: sysinternals_tools_usage antivm_vmware_in_instruction persistence_autorun", "Yara Detections: XOR_embeded_exefile_xored_with_round_256_bytes_key", "Malware.Nymeria-6993588-0: FileHash-SHA256 9dddb78cec49c05f2bec6f2583e4d8a663435f5a265a09a5966d5d4bfa866761", "NanoCore RAT CnC 7 : FileHash-SHA256 0031cb925e76f801a0ca2ebbc32029be927687f0d6183777be917878ffd7cd4b", "CVE-2023-23397 | scanning_host IPv4 158.247.7.206 scanning_host IP's: 192.3.13.56 158.247.7.206", "Whois-RWS ; Name, SWIPPER ; Handle, SWIPP9-ARIN ; Company, Verizon ; Street, 22001 Loudoun County Pkwy.", "Whois-RWS ; Name, SWIPPER ; Handle, SWIPP9-ARIN ; Company, Verizon ; Street, 22001", "Is Swipper: pool-70-21-23-161.washdc.fios.verizon.net", "SWIPPER - IP: 152.199.161.19 ISP Edgecast Inc. Content Delivery Network Domain Name edgecast.com Los Angeles, California", "SWIPPER - IP: 152.199.161.19 - Florence, Co related", "SWIPPER - ISP: WS/Acs Inc/Acs Usage Type:University/College/School Domain Name: acs-inc.com Pittsburgh, Pennsylvania", "SWIPPER Behavior: Brute-Force Credential brute-force attacks on webpage logins and services like SSH, FTP, SIP, SMTP, RDP, etc.", "SWIPPER Behavior: Category is seperate from DDoS attacks. Bad Web Bot Web App Attack", "Confirmed Malware: Cl0p QVM41.1.083F.Malware SLF:Trojan:Win32/Grandoreiro VirTool:Win32/Injector", "Confirmed Malware: Trojan:Win/Zombie Trojan:Win32/AutoitInject Trojan:Win32/Glupteba Trojan:Win32/QQpass", "Confirmed Malware: Trojan:Win32/Zbot TrojanDropper:Win32/Muldrop Worm:Win32/Mofksys", "Command and Control: 208.95.112.1 | 34.154.67.14", "https://www.colocrossing.com/", "American Registry for Internet Numbers (ARIN) http://www.arin.net \u203a cgi-bin \u203a Who is RWS", "https://whois.arin.net/rest/net/NET-71-96-0-0-1/pft?s=71.106.106.47" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "SLF:Trojan:Win32/Grandoreiro", "display_name": "SLF:Trojan:Win32/Grandoreiro", "target": null }, { "id": "QVM41.1.083F.Malware", "display_name": "QVM41.1.083F.Malware", "target": null }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" }, { "id": "Worm:Win32/Mofksys", "display_name": "Worm:Win32/Mofksys", "target": "/malware/Worm:Win32/Mofksys" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "Trojan:Win32/Zbot", "display_name": "Trojan:Win32/Zbot", "target": "/malware/Trojan:Win32/Zbot" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win/Zombie", "display_name": "Trojan:Win/Zombie", "target": "/malware/Trojan:Win/Zombie" }, { "id": "Trojan:Win32/AutoitInject", "display_name": "Trojan:Win32/AutoitInject", "target": "/malware/Trojan:Win32/AutoitInject" }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1110.004", "name": "Credential Stuffing", "display_name": "T1110.004 - Credential Stuffing" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "display_name": "T1037 - Boot or Logon Initialization Scripts" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1098.002", "name": "Exchange Email Delegate Permissions", "display_name": "T1098.002 - Exchange Email Delegate Permissions" }, { "id": "T1460", "name": "Biometric Spoofing", "display_name": "T1460 - Biometric Spoofing" }, { "id": "T1205.001", "name": "Port Knocking", "display_name": "T1205.001 - Port Knocking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Technology", "Telecommunications", "Civilian Society", "Any" ], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 546, "FileHash-MD5": 1677, "FileHash-SHA1": 1288, "FileHash-SHA256": 1385, "CVE": 1, "domain": 404, "hostname": 591, "CIDR": 3, "email": 12 }, "indicator_count": 5907, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "619 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66c661131c5003925e9bfe15", "name": "Telco - Swipper | Emoted and other malware spreader. BGP related ?", "description": "I'm not sure what to make of this. I'm unnerved. As far back as I have been able to research, Swipper has been ever present, not even hiding in the attacks target who noticed this for themselves.Some information is no longer on the Internet , yet there are continuous command multiple IP's. This relates directly to the suspect hacker & co. Use of FreeDNS and many other tools related to this resource with the Net Handle Name: Swipper. It's seems to be prominent on Colorado, Ohio Constantly moving to the British Virgin Islands while having am Ashburn, Va [Loudon, Co]- Verizon Business address ont he MCI block [FBI nearby] Swipper was connected to targets Notepad for years,; with FBI name and address prominently displayed. Mysterious emails, and false MD referral locations of victim pointed back to a Swipper or Stephen Middleton IP address. It's always has a variant of Emotet. I don't know. Abuse of use by same attorney.", "modified": "2024-09-20T20:04:19.210000", "created": "2024-08-21T21:50:11.612000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "620 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66c66114103f15aab3b00d6c", "name": "Telco - Swipper | Emoted and other malware spreader. BGP related ?", "description": "I'm not sure what to make of this. I'm unnerved. As far back as I have been able to research, Swipper has been ever present, not even hiding in the attacks target who noticed this for themselves.Some information is no longer on the Internet , yet there are continuous command multiple IP's. This relates directly to the suspect hacker & co. Use of FreeDNS and many other tools related to this resource with the Net Handle Name: Swipper. It's seems to be prominent on Colorado, Ohio Constantly moving to the British Virgin Islands while having am Ashburn, Va [Loudon, Co]- Verizon Business address ont he MCI block [FBI nearby] Swipper was connected to targets Notepad for years,; with FBI name and address prominently displayed. Mysterious emails, and false MD referral locations of victim pointed back to a Swipper or Stephen Middleton IP address. It's always has a variant of Emotet. I don't know. Abuse of use by same attorney.", "modified": "2024-09-20T20:04:19.210000", "created": "2024-08-21T21:50:12.543000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "620 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66ca37ac60cb425a2b3856c6", "name": "Telco - Swipper | Emotet and other malware spreader. BGP Hurricane Electric related ", "description": "", "modified": "2024-09-20T20:04:19.210000", "created": "2024-08-24T19:42:36.642000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "66c66114103f15aab3b00d6c", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "620 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d4b052225d396d18e395c3", "name": " Telco - SWIPPER | Emotet and other malware spreader. BGP Hurricane Electric ", "description": "", "modified": "2024-09-20T20:04:19.210000", "created": "2024-09-01T18:20:02.256000", "tags": [ "net152", "net1520000", "loudoun county", "ans core", "nethandle", "as1321", "parkway city", "as701 orgnocref", "swipper", "verizon", "high", "intel", "icmp traffic", "dns query", "object", "all scoreblue", "filehash", "malware", "comcast", "cve1102", "actors", "investigation", "bad domains", "emotet am", "iocs", "first", "utc submissions", "submitters", "summary iocs", "graph community", "webcc", "gmo internet", "csc corporate", "domains", "alibaba cloud", "computing", "beijing", "dynadot", "ltd dba", "china telecom", "group", "google", "cloudflarenet", "kb txtresse", "mb smartsaver", "admin cmd", "mb threatsniper", "mb history", "mb gadget", "installer", "referrer", "styes worm", "historical ssl", "script script", "i span", "ie script", "win64", "span", "urls", "levelblue labs", "pulses", "nastya", "meta", "open", "date", "vj92", "uagdaaeqcqaaaag", "ukgbagaqcqaaaae", "slfrd1", "hostnames", "urls http", "ukgbagaqcq", "jid1886833764", "jid882556742", "samples", "unknown", "united", "as20940", "as2914 ntt", "nxdomain", "status", "as6461 zayo", "united kingdom", "as15169 google", "as33438", "search", "creation date", "name servers", "showing", "hungary unknown", "entries", "scan endpoints", "next", "cape", "show", "copy", "emotet malware", "read", "write", "delete", "june", "emotet", "as14627", "passive dns", "ipv4", "pulse pulses", "win32", "months ago", "created", "modified", "email", "glupteba", "hostname", "cyber", "read c", "port", "medium", "msie", "windows nt", "wow64", "slcc2", "media center", "dock", "execution", "method status", "url hostname", "ip country", "type get", "cachecontrol", "location https", "date thu", "gmt server", "code", "ve234 server", "aaaa", "whitelisted", "as44273 host", "as46691", "domain", "script urls", "path max", "age86400 set", "cookie", "script domains", "trojan", "body" ], "references": [ "Stranger Things | http://hopto.org/colocrossing/192.3.13.56/telco", "Antivirus Detections: Other:Malware-gen\\ [Trj]", "Yara Detections: UPXProtectorv10x2 , UPX Alerts dead_host network_icmp nolookup_communication", "Antivirus Detections: Other:Malware-gen\\ [Trj] , Win.Trojan.Emotet-9951800-0", "Yara Detections: osx_GoLang", ".trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net\tprojecthilo.net", "0-courier.push.apple.com | https://apple-accouut.sytes.net/ | appupdate-logapple.ddnsking.com | appleidi-iforgot.3utilities.com", "http://appleidi-iforgot.3utilities.com/\t | https://appupdate-logapple.ddnsking.com/?reset | http://appleidi-iforgot.3utilities.com/Upload-Identity.php |", "http://appleidi-iforgot.3utilities.com/Verify.php", "device-ccf717a6-ed4f-4771-abfa-ccaafbfb6526.remotewd.com | device-local-359704df-0b29-4ae8-bbc5-f48b0a4de73c.remotewd.com | remotedev.org | dan.remotedev.org", "152.199.171.19 : USDA Fort Collins, Colorado", "Swipper: swipper@verizonbusiness.com | help4u@verizonbusiness.com", "152.199.161.19: ANS Communications, Inc (ANS)", "OrgTechHandle: SWIPP-ARIN OrgTechName: swipper OrgTechPhone: +1-800-900-0241 OrgTechEmail: swipper@verizonbusiness.com", "http://bat.bing.com/bat.js | bounceme.net | bounceme.net | hopto.org | hopto.org |,serveblog.net | serveblog.net", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://hopto.org/colocrossing/192.3.13.56/telco", "Emotet: FileHash-SHA256 9c9459e9a5f0102c034ec013b9d801d38ed474bcd73b7aeded931e5c2a4f75cc", "Win.Virus.PolyRansom-5704625-0: FileHash-SHA256 f46de5d0c5dd13f5de6114372542efd1ea048e14f051b64b34c33e96c175cb09", "Other:Malware-gen\\ [Trj: FileHash-SHA256 4ef29fd29fd95990a36379ad7a4320f04da64e7ec63546e047e2491e533c71a3", "Injection Source: www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: http://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "Injection Source: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "SLF:Trojan:Win32/Grandoreiro.A", "display_name": "SLF:Trojan:Win32/Grandoreiro.A", "target": null }, { "id": "Other:Malware-gen\\ [Trj]", "display_name": "Other:Malware-gen\\ [Trj]", "target": null }, { "id": "Win.Trojan.Emotet-9951800-0", "display_name": "Win.Trojan.Emotet-9951800-0", "target": null }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "66ca37ac60cb425a2b3856c6", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 4338, "domain": 753, "email": 9, "hostname": 1799, "FileHash-SHA256": 3098, "FileHash-MD5": 110, "FileHash-SHA1": 98, "CVE": 3 }, "indicator_count": 10210, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "620 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "myeffect.net", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "myeffect.net", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780433784.5894265 }