{ "type": "Domain", "indicator": "namequery.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/namequery.com", "alexa": "http://www.alexa.com/siteinfo/namequery.com", "indicator": "namequery.com", "type": "domain", "type_title": "Domain", "validation": [ { "source": "akamai", "message": "Akamai rank: #2149", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain namequery.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3095842450, "indicator": "namequery.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 36, "pulses": [ { "id": "69b9380613f88eec31f8a2e6", "name": "What an odd registrant name. Who teaches here.. hmm", "description": ": Cambridge\nAdministrative country: United States\nAdministrative email: 775cc83f56a3b4e7s@mit.edu\nAdministrative state: MA\nBilling city: Cambridge\nBilling country: United States\nBilling email: 3c3d334158ebfea1s@mit.edu\nBilling state: MA\nCreate date: 1985-05-23 00:00:00\nDomain name: mit.edu\nDomain registrar id: 0.0\nDomain registrar url: whois.educause.edu\nExpiry date: 2026-07-31 00:00:00\nQuery time: 2026-01-15 06:12:15\nRegistrant address: 30df1aef753261ef\nRegistrant city: 85ce83927452d906\nRegistrant country: United States\nRegistrant name: c0a6a961a5aefb99\nRegistrant state: 36e414cc8874c746\nRegistrant zip: 077f5ed532d03f34\nTechnical city: Cambridge\nTechnical country: United States\nTechnical email: 3c3d334158ebfea1s@mit.edu\nTechnical state: MA\nUpdate date: 2026-01-15 00:00:00", "modified": "2026-04-16T12:28:09.524000", "created": "2026-03-17T11:16:22.723000", "tags": [ "united", "ma billing", "billing email", "billing state", "ma create", "domain", "expiry date", "registrant name", "technical email", "technical state" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 856, "email": 38, "hostname": 895, "FileHash-SHA1": 156, "FileHash-MD5": 157, "FileHash-SHA256": 1788, "URL": 489, "SSLCertFingerprint": 4 }, "indicator_count": 4383, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-13T23:46:20.071000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 107, "CIDR": 6 }, "indicator_count": 33117, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cf28b12d7a596c87296dee", "name": "Free SAS US Based", "description": "All images are copyrighted. \u00c2\u00a9\u00a9 Getty Images, AP, EPA, Reuters, GettyImages, AFP and Reuters / Getty images, except for those who have not had access to them.", "modified": "2026-04-04T09:58:27.635000", "created": "2026-04-03T02:40:49.638000", "tags": [ "passive dns", "address", "creation date", "dnssec", "expiration date", "date", "present nov", "content type", "pulse pulses", "urls", "body", "m3u playlist", "playlist text", "unicode text", "utf8 text", "crlf line", "crlf", "lf line", "united", "billing email", "create date", "domain", "expiry date", "registrant name", "technical email", "update date", "code", "email", "server", "admin country", "registry domain", "registrar iana", "admin city", "country", "ripe ncc", "ripe network", "as12876 city", "abuse contact", "orgid", "orgtechhandle", "contact", "postalcode", "paris", "algorithm", "key identifier", "x509v3 subject", "number", "issuer", "cnsectigo rsa", "secure server", "ca cgb", "subject public", "key info", "cgb stgreater", "ocomodo ca", "rsa domain", "server ca", "validity", "public key", "info", "key algorithm", "city", "proxad", "ville leveque", "proxad inetnum", "scaleway", "registry", "service", "as12876", "proxad ip", "technical sites", "as12876 network", "cleantalk 1", "database sites", "referenced", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "registrar" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 26, "domain": 103, "email": 7, "hostname": 30, "FileHash-MD5": 7, "FileHash-SHA1": 8, "FileHash-SHA256": 39, "CIDR": 2 }, "indicator_count": 227, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cf28b065619c26e8aa9e13", "name": "Free SAS US Based", "description": "All images are copyrighted. \u00c2\u00a9\u00a9 Getty Images, AP, EPA, Reuters, GettyImages, AFP and Reuters / Getty images, except for those who have not had access to them.", "modified": "2026-04-04T09:58:26.925000", "created": "2026-04-03T02:40:48.466000", "tags": [ "passive dns", "address", "creation date", "dnssec", "expiration date", "date", "present nov", "content type", "pulse pulses", "urls", "body", "m3u playlist", "playlist text", "unicode text", "utf8 text", "crlf line", "crlf", "lf line", "united", "billing email", "create date", "domain", "expiry date", "registrant name", "technical email", "update date", "code", "email", "server", "admin country", "registry domain", "registrar iana", "admin city", "country", "ripe ncc", "ripe network", "as12876 city", "abuse contact", "orgid", "orgtechhandle", "contact", "postalcode", "paris", "algorithm", "key identifier", "x509v3 subject", "number", "issuer", "cnsectigo rsa", "secure server", "ca cgb", "subject public", "key info", "cgb stgreater", "ocomodo ca", "rsa domain", "server ca", "validity", "public key", "info", "key algorithm", "city", "proxad", "ville leveque", "proxad inetnum", "scaleway", "registry", "service", "as12876", "proxad ip", "technical sites", "as12876 network", "cleantalk 1", "database sites", "referenced", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "registrar" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 27, "domain": 103, "email": 7, "hostname": 32, "FileHash-MD5": 7, "FileHash-SHA1": 8, "FileHash-SHA256": 40, "CIDR": 2 }, "indicator_count": 231, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a8b5fe3394293df8d730ab", "name": "Great Service (intent to help reduce malware)", "description": "A malicious file has been found on the website of Deleteme.com, a website set up by a US-based company and run by the former president of the United States, Barack Obama.", "modified": "2026-04-03T23:13:53.390000", "created": "2026-03-04T22:45:18.393000", "tags": [ "united", "as13335", "unknown", "aaaa", "as14061", "as8075", "asnone country", "date", "cname", "united kingdom", "title", "body", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 104, "FileHash-SHA1": 2, "domain": 166, "hostname": 53, "FileHash-SHA256": 18, "email": 2 }, "indicator_count": 345, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a3be40a71473ad1e1ca24b", "name": "fastly.com", "description": "Indicators of conpromise for this domain", "modified": "2026-04-01T00:44:45.494000", "created": "2026-03-01T04:19:12.339000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 266, "CIDR": 2, "FileHash-MD5": 581, "FileHash-SHA1": 597, "FileHash-SHA256": 3442, "email": 14, "hostname": 224, "URL": 307, "CVE": 2 }, "indicator_count": 5435, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69458259401a612102d02679", "name": "NSO Group ( original pulse degraded by a delete service) ", "description": "", "modified": "2025-12-19T16:50:33.337000", "created": "2025-12-19T16:50:33.337000", "tags": [ "iocs", "urls https", "generic malware", "analyzer threat", "url summary", "ip summary", "summary", "detection list", "luca stealer", "cisco umbrella", "site", "safe site", "heur", "malicious url", "alexa top", "malicious site", "malware site", "unsafe", "trojanx", "malware", "metastealer", "alexa", "dbatloader", "outbreak", "downloader", "blocker", "ransom", "autoit", "trojan", "irata", "allakore", "trojanspy", "hash", "ms windows", "pe32", "write c", "t1045", "show", "high", "search", "pe32 executable", "copy", "write", "win64", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "entries", "powershell", "mfc mfc", "united", "as54113", "as14061", "as9009 m247", "whitelisted", "status", "united kingdom", "name servers", "aaaa", "passive dns", "urls", "overview ip", "address", "related nids", "files location", "files domain", "files related", "pulses otx", "pulses", "as15133 verizon", "cname", "as16552 tiggee", "as20940", "domain", "as16625 akamai", "creation date", "body", "unknown", "ipv4", "softcnapp", "trojandropper", "epaeedpaer", "eoaee", "qaexedoae", "showing", "sha256", "strings", "august", "files", "main", "germany asn", "win32", "miner", "next", "asnone united", "moved", "as8987 amazon", "trojanproxy", "virtool", "yara rule", "formbook cnc", "checkin", "mtb aug", "a domains", "present sep", "twitter", "accept", "certificate", "record value", "dynamicloader", "medium", "dynamic", "network", "reads", "port", "anomaly", "overview domain", "tags", "related tags", "dns status", "hostname query", "type address", "first seen", "seen asn", "country unknown", "nxdomain", "a nxdomain", "as16276", "spain unknown", "meta name", "frame src", "ok set", "cookie", "gmt date", "encrypt", "hostname", "files ip", "address domain", "france", "emails", "aaaa fd00", "as16276 ovh", "poland", "contacted", "wine emulator", "ip address", "script urls", "date", "meta", "flag united", "url http", "pulse http", "http", "as8075", "robots content", "x ua", "ieedge chrome1", "incapsula", "servers", "expiration date", "sorry something", "gmt content", "canada unknown", "error", "backend", "france unknown", "alfper", "gmt contenttype", "apache", "exploit", "as15169 google", "wireless", "as23027 boingo", "pulse submit", "url analysis", "location united", "nso group", "pegasus spyware", "url indicator", "active created", "modified", "email", "nso", "germany", "pattern", "susp", "msil", "akamai", "gmt connection", "netherlands", "ovhfr", "ns nxdomain", "australia", "redacted for", "andariel group", "defense", "andariel", "check", "opera ua", "et trojan", "attempts", "april", "zbot", "possible zeus", "as140107 citis", "america asn", "as22612", "as397240", "as19527 google", "apple" ], "references": [ "https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "Andariel group \u00bb State-sponsored threat actor & Defense media", "IDS Detections: Possible Zbot Activity Common Download Struct Zbot Generic URI/Header Struct .bin", "Alerts: nids_malware_alert network_icmp dumped_buffer2 allocates_execute_remote_process", "Alerts: persistence_autorun creates_user_folder_exe injection_createremotethread", "Alerts: injection_modifies_memory injection_write_memory modifies_proxy_wpad packer_polymorphic self_delete_bat banker_zeus_p2p", "PWS:Win32/Zbot!CI: FileHash-SHA256 edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef", "Domains Contacted: crl.microsoft.com blackmarket.ogspy.net", "FileHash-SHA256 e5c584fdb2a3684a52edb41836436bb3d88221ffd3eb252516e1ca6dc879f8f9", "TrojanDownloader:Win32/Cutwail: IDS Detections: W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA Possible Zeus GameOver Connectivity Check 2", "NSO Group auto populated/relevant to research results. For several year we've seen evidence of Pegasus attacks on Americans.", "Apple:appleremotesupport.com | appleid.cdn-appme.com | appleid.cdn-aqple.com | www.ns1.bdn-apple.com", "Used as Apple IP's : 160.153.62.66 | 162.255.119.21 | 192.64.119.254", "Apple: ns2.usm87.siteground.biz | ns2.usm87.siteground.biz | Hostnme www.appleremotesupport.com" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Sweden", "Germany", "India", "United Kingdom of Great Britain and Northern Ireland", "France", "Spain", "Canada", "Singapore", "Japan", "Korea, Republic of", "Ireland", "Italy" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Trojan:Win64/CoinMiner.WE", "display_name": "Trojan:Win64/CoinMiner.WE", "target": "/malware/Trojan:Win64/CoinMiner.WE" }, { "id": "Trojan:Win32/SmokeLoader", "display_name": "Trojan:Win32/SmokeLoader", "target": "/malware/Trojan:Win32/SmokeLoader" }, { "id": "PWS:Win32/Zbot!CI", "display_name": "PWS:Win32/Zbot!CI", "target": "/malware/PWS:Win32/Zbot!CI" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1138", "name": "Application Shimming", "display_name": "T1138 - Application Shimming" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" } ], "industries": [], "TLP": "green", "cloned_from": "66f55cdc8257c7fa223ed052", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2852, "FileHash-SHA1": 2194, "FileHash-SHA256": 6649, "domain": 1881, "hostname": 1706, "URL": 553, "CVE": 3, "email": 25 }, "indicator_count": 15863, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "121 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f55cdc8257c7fa223ed052", "name": "NSO Group attacks Uptown Denver Neighborhood", "description": "Stems from 'hushed' cyber attack that lasted for several days in surrounding neighborhoods near (MSU) Metro State University. Pegasus spyware detected. The attack affected devices, bypassed credentials , passwords and compromised networks. Remedy: reset network multiple times. \n\nI'm not implying attack disseminates from MSU. \nSpectrum.com and Quantum Fiber Cyber Folks .PL related / MSU\nSoftware used \n\n\n\n \n*Cyber Folks .pl *https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "modified": "2024-10-26T12:05:43.885000", "created": "2024-09-26T13:08:44.341000", "tags": [ "iocs", "urls https", "generic malware", "analyzer threat", "url summary", "ip summary", "summary", "detection list", "luca stealer", "cisco umbrella", "site", "safe site", "heur", "malicious url", "alexa top", "malicious site", "malware site", "unsafe", "trojanx", "malware", "metastealer", "alexa", "dbatloader", "outbreak", "downloader", "blocker", "ransom", "autoit", "trojan", "irata", "allakore", "trojanspy", "hash", "ms windows", "pe32", "write c", "t1045", "show", "high", "search", "pe32 executable", "copy", "write", "win64", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "entries", "powershell", "mfc mfc", "united", "as54113", "as14061", "as9009 m247", "whitelisted", "status", "united kingdom", "name servers", "aaaa", "passive dns", "urls", "overview ip", "address", "related nids", "files location", "files domain", "files related", "pulses otx", "pulses", "as15133 verizon", "cname", "as16552 tiggee", "as20940", "domain", "as16625 akamai", "creation date", "body", "unknown", "ipv4", "softcnapp", "trojandropper", "epaeedpaer", "eoaee", "qaexedoae", "showing", "sha256", "strings", "august", "files", "main", "germany asn", "win32", "miner", "next", "asnone united", "moved", "as8987 amazon", "trojanproxy", "virtool", "yara rule", "formbook cnc", "checkin", "mtb aug", "a domains", "present sep", "twitter", "accept", "certificate", "record value", "dynamicloader", "medium", "dynamic", "network", "reads", "port", "anomaly", "overview domain", "tags", "related tags", "dns status", "hostname query", "type address", "first seen", "seen asn", "country unknown", "nxdomain", "a nxdomain", "as16276", "spain unknown", "meta name", "frame src", "ok set", "cookie", "gmt date", "encrypt", "hostname", "files ip", "address domain", "france", "emails", "aaaa fd00", "as16276 ovh", "poland", "contacted", "wine emulator", "ip address", "script urls", "date", "meta", "flag united", "url http", "pulse http", "http", "as8075", "robots content", "x ua", "ieedge chrome1", "incapsula", "servers", "expiration date", "sorry something", "gmt content", "canada unknown", "error", "backend", "france unknown", "alfper", "gmt contenttype", "apache", "exploit", "as15169 google", "wireless", "as23027 boingo", "pulse submit", "url analysis", "location united", "nso group", "pegasus spyware", "url indicator", "active created", "modified", "email", "nso", "germany", "pattern", "susp", "msil", "akamai", "gmt connection", "netherlands", "ovhfr", "ns nxdomain", "australia", "redacted for", "andariel group", "defense", "andariel", "check", "opera ua", "et trojan", "attempts", "april", "zbot", "possible zeus", "as140107 citis", "america asn", "as22612", "as397240", "as19527 google", "apple" ], "references": [ "https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "Andariel group \u00bb State-sponsored threat actor & Defense media", "IDS Detections: Possible Zbot Activity Common Download Struct Zbot Generic URI/Header Struct .bin", "Alerts: nids_malware_alert network_icmp dumped_buffer2 allocates_execute_remote_process", "Alerts: persistence_autorun creates_user_folder_exe injection_createremotethread", "Alerts: injection_modifies_memory injection_write_memory modifies_proxy_wpad packer_polymorphic self_delete_bat banker_zeus_p2p", "PWS:Win32/Zbot!CI: FileHash-SHA256 edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef", "Domains Contacted: crl.microsoft.com blackmarket.ogspy.net", "FileHash-SHA256 e5c584fdb2a3684a52edb41836436bb3d88221ffd3eb252516e1ca6dc879f8f9", "TrojanDownloader:Win32/Cutwail: IDS Detections: W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA Possible Zeus GameOver Connectivity Check 2", "NSO Group auto populated/relevant to research results. For several year we've seen evidence of Pegasus attacks on Americans.", "Apple:appleremotesupport.com | appleid.cdn-appme.com | appleid.cdn-aqple.com | www.ns1.bdn-apple.com", "Used as Apple IP's : 160.153.62.66 | 162.255.119.21 | 192.64.119.254", "Apple: ns2.usm87.siteground.biz | ns2.usm87.siteground.biz | Hostnme www.appleremotesupport.com" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Sweden", "Germany", "India", "United Kingdom of Great Britain and Northern Ireland", "France", "Spain", "Canada", "Singapore", "Japan", "Korea, Republic of", "Ireland", "Italy" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Trojan:Win64/CoinMiner.WE", "display_name": "Trojan:Win64/CoinMiner.WE", "target": "/malware/Trojan:Win64/CoinMiner.WE" }, { "id": "Trojan:Win32/SmokeLoader", "display_name": "Trojan:Win32/SmokeLoader", "target": "/malware/Trojan:Win32/SmokeLoader" }, { "id": "PWS:Win32/Zbot!CI", "display_name": "PWS:Win32/Zbot!CI", "target": "/malware/PWS:Win32/Zbot!CI" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1138", "name": "Application Shimming", "display_name": "T1138 - Application Shimming" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2852, "FileHash-SHA1": 2194, "FileHash-SHA256": 6649, "domain": 1881, "hostname": 1706, "URL": 553, "CVE": 3, "email": 25 }, "indicator_count": 15863, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "540 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e01e7b6a0bc2abe0d6c0d1", "name": "Cloudflare Botnet- https://otx.alienvault.com/pulse/66e01dc0fd31b731b2d5dac7", "description": "", "modified": "2024-10-10T10:03:15.339000", "created": "2024-09-10T10:24:59.035000", "tags": [ "ip block", "list", "historical ssl", "iocs", "apt ip", "address list", "nukespeed", "bot networks", "listen", "tracker", "powershell", "http response", "final url", "ip address", "status code", "kb body", "sha256", "gmt server", "united", "passive dns", "as54113", "arial", "dynamic link", "msg div", "all scoreblue", "south korea", "china as4134", "china as4837", "as4766 korea", "as9318 sk", "taiwan as3462", "high", "nids", "tcp syn", "resolverror", "malware", "next", "certificate", "encrypt", "title invalid", "a domains", "files", "ip related", "pulses otx", "as21928", "china as9394", "asnone", "as701 verizon", "china asnone", "port", "destination", "south africa", "tunisia as37693", "nigeria asnone", "tunisia asnone", "kenya as36926", "egypt as36992", "as14061", "aaaa", "moved", "search", "body", "114.114.114.114", "tulach", "telnet", "firebase app", "telnet login", "bad login", "gpl telnet", "telnet root", "hisilicon dvr", "hong kong", "activity", "copy", "suspicious path", "fbotsatori", "yara detections", "contacted", "cname", "urls", "creation date", "otx telemetry", "record value", "date", "unknown", "as51468", "denmark unknown", "scan endpoints", "pulse pulses", "dcbg", "status", "hostname", "taiwan", "as3462", "showing", "as17421", "entries", "win32", "busybox" ], "references": [ "Cloudflare | 1.1.1.1 -WarpPlus/****", "smlpp.monster", "IDS Detections: Fbot/Satori CnC Checkin SUSPICIOUS Path to BusyBox Bad Login root logbusyboxin", "Alerts: dead_host nids_malware_alert network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections is__elf , LZMA", "Tulach- 114.114.114.114" ], "public": 1, "adversary": "", "targeted_countries": [ "India", "Korea, Republic of", "Japan", "Hong Kong", "Philippines", "Taiwan", "Indonesia", "Australia", "France", "South Africa", "United States of America", "Italy" ], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": "66e01dc0fd31b731b2d5dac7", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 144, "FileHash-SHA256": 863, "domain": 640, "hostname": 740, "URL": 1117, "email": 3, "CVE": 1 }, "indicator_count": 3652, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "556 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e01dc0fd31b731b2d5dac7", "name": "Cloudflade Botnet \u00bb | 1.1.1.1 | Warp.Plus? | smlpp.monster | Mirai", "description": "This issue may only affect those already in Botnet/s. DoS.Bad login requests .dead host, CnC,\nELF:Mirai-GH\\ [Trj] ,\nMirai ,\nNIDS m\nTrojan:Win32/Danabot", "modified": "2024-10-10T10:03:15.339000", "created": "2024-09-10T10:21:52.428000", "tags": [ "ip block", "list", "historical ssl", "iocs", "apt ip", "address list", "nukespeed", "bot networks", "listen", "tracker", "powershell", "http response", "final url", "ip address", "status code", "kb body", "sha256", "gmt server", "united", "passive dns", "as54113", "arial", "dynamic link", "msg div", "all scoreblue", "south korea", "china as4134", "china as4837", "as4766 korea", "as9318 sk", "taiwan as3462", "high", "nids", "tcp syn", "resolverror", "malware", "next", "certificate", "encrypt", "title invalid", "a domains", "files", "ip related", "pulses otx", "as21928", "china as9394", "asnone", "as701 verizon", "china asnone", "port", "destination", "south africa", "tunisia as37693", "nigeria asnone", "tunisia asnone", "kenya as36926", "egypt as36992", "as14061", "aaaa", "moved", "search", "body", "114.114.114.114", "tulach", "telnet", "firebase app", "telnet login", "bad login", "gpl telnet", "telnet root", "hisilicon dvr", "hong kong", "activity", "copy", "suspicious path", "fbotsatori", "yara detections", "contacted", "cname", "urls", "creation date", "otx telemetry", "record value", "date", "unknown", "as51468", "denmark unknown", "scan endpoints", "pulse pulses", "dcbg", "status", "hostname", "taiwan", "as3462", "showing", "as17421", "entries", "win32", "busybox" ], "references": [ "Cloudflare | 1.1.1.1 -WarpPlus/****", "smlpp.monster", "IDS Detections: Fbot/Satori CnC Checkin SUSPICIOUS Path to BusyBox Bad Login root logbusyboxin", "Alerts: dead_host nids_malware_alert network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections is__elf , LZMA", "Tulach- 114.114.114.114" ], "public": 1, "adversary": "", "targeted_countries": [ "India", "Korea, Republic of", "Japan", "Hong Kong", "Philippines", "Taiwan", "Indonesia", "Australia", "France", "South Africa", "United States of America", "Italy" ], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 144, "FileHash-SHA256": 863, "domain": 640, "hostname": 740, "URL": 1117, "email": 3, "CVE": 1 }, "indicator_count": 3652, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "556 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b3fb6752ac464268b971b1", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA.\nContact made. Physical records. Client: Brashears.\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/\n1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376\nhttps://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/\nhttps://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html\nTEL:Trojan:Win32/BazaarLoader\n987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7", "modified": "2024-09-05T07:02:20.491000", "created": "2024-01-26T18:35:19.690000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2401, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5377, "domain": 3794, "hostname": 2763, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 18927, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b85df45cc3d3fd07139ea9", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader", "description": "", "modified": "2024-09-05T06:38:09.443000", "created": "2024-01-30T02:24:52.774000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b47501fcbc39983f098723", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2390, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4357, "domain": 3534, "hostname": 2670, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 17111, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a4d15c60edc83ca6bfc97e", "name": "Fraud Services, Updates, Network Worm, SpyWare - Misc Attack", "description": "", "modified": "2024-08-26T10:04:37.360000", "created": "2024-07-27T10:52:12.501000", "tags": [ "united", "unknown", "a domains", "search", "creation date", "record value", "cyberlynk", "date", "expiration date", "title", "encrypt", "body", "as54113", "aaaa", "cname", "next", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "files", "type name", "android", "server", "registrar abuse", "dnssec", "domain name", "contact phone", "registrar url", "registrar whois", "registrar", "llc registry", "code", "key identifier", "subject key", "identifier", "x509v3 key", "first", "dns replication", "historical ssl", "no data", "tag count", "fakedout threat", "analyzer threat", "url summary", "ip summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "site", "malware", "safe site", "million", "alexa top", "malicious site", "phishing site", "suspected", "unsafe", "wacatac", "artemis", "iframe", "presenoker", "phishing", "opencandy", "downldr", "cleaner", "conduit", "riskware", "nircmd", "swrort", "tiggre", "agent", "filetour", "fusioncore", "unruy", "crack", "exploit", "cobalt strike", "xrat", "alexa", "acint", "systweak", "behav", "genkryptik", "blacknet rat", "stealer", "installpack", "azorult", "service", "runescape", "facebook", "bank", "download", "zbot", "xtrat", "installcore", "patcher", "adload", "win64", "class", "twitter", "accept", "malware site", "maltiverse", "ransomware", "phishingms", "anonymisation", "suppobox", "emotet", "revengerat", "downloader", "emailworm", "ramnit", "warbot", "citadel", "zeus", "simda", "keitaro", "virut", "team", "cultureneutral", "get na", "show", "delete c", "delete", "yara detections", "copy", "nivdort", "write", "trojanspy", "bayrob", "intel", "ms windows", "default", "pe32 executable", "document file", "v2 document", "pe32", "worm", "entries", "td td", "rufus", "mtb apr", "servers", "as39122", "span", "github pages", "passive dns", "formbook cnc", "checkin", "dridex", "request", "less see", "http request", "status", "name servers", "certificate", "urls", "div div", "header click", "meta", "homepage", "form", "date hash", "avast avg", "backdoor", "mtb jul", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "sha256", "sha1", "ascii text", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "null", "hybrid", "refresh", "general", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "suspicious", "windows nt", "apache", "path", "pragma", "footer", "as8068", "as8075", "as15169 google", "as16552 tiggee", "virtool", "related pulses", "file samples", "files matching", "showing", "domain", "as22612", "as397240", "as19527 google", "moved", "gmt server", "as20940", "as4230 claro", "trojan", "ninite", "as2914 ntt", "win32", "brazil unknown", "brazil", "invalid url", "trojandropper", "body html", "head title", "asnone united", "as23393" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "India" ], "malware_families": [ { "id": "Dridex", "display_name": "Dridex", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1034, "domain": 1210, "email": 13, "hostname": 1031, "FileHash-SHA1": 685, "FileHash-SHA256": 1036, "FileHash-MD5": 927, "CVE": 10 }, "indicator_count": 5946, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "601 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6681f3f6b512c5b6aacffa39", "name": "DoS:Win32/Rask | ZingoStealer | Used by Law/Legal/Tesms/Gov/IBM ", "description": "", "modified": "2024-07-28T18:04:28.664000", "created": "2024-07-01T00:10:30.700000", "tags": [ "historical ssl", "threat network", "infrastructure", "discord bots", "ualberta tld", "cobalt strike", "data redacted", "cloudflare", "code", "server", "registrar abuse", "admin country", "registrant name", "registry domain", "dnssec", "billing country", "date", "dns replication", "aaaa", "record type", "ttl value", "domain status", "registrant fax", "registrar url", "whois lookup", "dynamicloader", "show", "search", "adobe reader", "copy", "dynamic", "adobe", "incorporated", "read", "write", "read c", "write c", "delete c", "memcommit", "medium", "time stamping", "united", "domain", "persistence", "execution", "malware", "suspicious", "encrypt", "referrer", "first", "utc submissions", "submitters", "domains", "csc corporate", "scaleway", "tucows", "google", "dynadot llc", "amazon02", "facebook", "level3", "lineargradient", "png image", "ascii text", "pattern match", "ff6633", "mitre att", "rgba", "path", "ck id", "show technique", "mask", "june", "hybrid", "local", "click", "strings", "body", "stop", "enterprise", "rask", "abcd", "yara detections", "tls sni", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "malicious ids", "as17667", "passive dns", "content type", "title", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "urls", "as37153", "south africa", "unknown", "files", "status", "showing", "record value", "for privacy", "redacted for", "entity", "as49505", "russia unknown", "servers", "script urls", "health law", "meta", "a domains", "providers", "state server", "internalname", "legalcopyright", "filehash", "entries", "zeppelin20", "total", "trojan", "gmt content", "vercel x", "refresh", "time", "antivirus", "win32trickler", "targeted", "oval oval", "cve cve20020013", "exploits", "cve overview", "vulnerabilities", "protos", "shadow", "quasi", "creation date", "as706", "as15293", "cname", "expiration date", "as14870 flexera", "hilgraeve", "virgin islands", "as19905", "as16276", "france unknown", "canada unknown", "next", "hostname", "expiration", "ibm", "x force", "components", "installs", "high", "explorer", "anomalous file", "as44273 host", "certificate", "as54113", "name servers", "moved", "asnone united", "apple", "apple remote", "apple spy", "abuse", "as22612", "as397240", "as19527 google", "nxdomain", "whitelisted", "aaaa nxdomain", "as21342", "a nxdomain", "ns nxdomain", "teenfuckers.com", "fuck", "fuck team", "dod", "teen porn", "malvertising", "framing", "killers", "hitmen", "stalkers", "orbiters", "fake date", "date app", "blind install", "government", "dark" ], "references": [ "https://otx.alienvault.com/indicator/file/4fcfe3c9358a6ece8fe1406be7790a72db6665206e87dd06cdb17d130498e47a", "Yara Detections: Zeppelin_10 , Zeppelin_20 , ConventionEngine_Anomaly_MultiPDB_Double , MS_Visual_Cpp_2005", "High Priority Alert: stealth_network modifies_certificates network_icmp", "ET TROJAN Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI) 192.168.56.115", "Zingo/GinzoStealer: FileHash-SHA256 015d67fcca9d2fa8e4ea8f8a2cb99dee5f0b4bf39898d160c27bc4e4c6ccd237 trojan", "Zingo/GinzoStealer: FileHash-MD5 0b5fd8367272a6986f93af06faf977a9 trojan", "Zingo/GinzoStealer: FileHash-SHA1 72b5f7716dbf8e1e6fa26ef19a9d7f8970221300 trojan", "https://otx.alienvault.com/indicator/file/4fcfe3c9358a6ece8fe1406be7790a72db6665206e87dd06cdb17d130498e47a", "Zingo/GinzoStealer: https://otx.alienvault.com/indicator/file/4fcfe3c9358a6ece8fe1406be7790a72db6665206e87dd06cdb17d130498e47a", "https://www.hybrid-analysis.com/sample/caeed78015e7bcdf122aa01354016e3057cae1b585a946086d2d69ff643e7e2c/667e87c7badf2ad3670bd6bb", "Installation/Persistence: \"Press_Release_99x180_1_.svg\" has type \"SVG Scalable Vector Graphics image\"- [targetUID: N/A]", "https://otx.alienvault.com/indicator/ip/110.238.1.102 | https://otx.alienvault.com/indicator/hostname/ninr.syslinx.com.au", "https://otx.alienvault.com/indicator/ip/15.197.225.128", "www.resident-physician-lawyer.com | HTTP/1.1 405 Not Allowed Server: awselb/2.0 Connection: keep alive WAFRule: 0", "https://otx.alienvault.com/indicator/hostname/www.resident-physician-lawyer.com | www.thehealthlawfirm.com", "Trojan:Win32/Trickler: FileHash-SHA256 ccbb9ff792732151e9b57b30cb18bff96e63d5cec17fac1bd937ae5c49271699", "Trojan:Win32/Trickler: FileHash-MD5 8d2a19ceb45e794e08e8c1588d22d242", "Trojan:Win32/Trickler: FileHash-SHA1 a461b60b2a82cdd560f96b2502a4b9b9ac98a7ed", "Trojan:Win32/Msposer.I: FileHash-SHA256 6aad634cd39d45d3e03c9cd3791b82efc66da624902ac8d9a6dd109c16701694", "Trojan:Win32/Msposer.I: FileHash-MD5 e30112d853700a6e93bec678c1c0a538", "Trojan:Win32/Msposer.I: FileHash-SHA1 410efb8108fdf5db106e1f6a3d7608355621562d", "DoS:Win32/Rask: http://karelinform.ru/news/world/02-06-2016/uchenye-raskryli-sekret-antirakovyh-svoystv-aspirina", "PROTOS Remote SNMP Attack Tool: https://otx.alienvault.com/indicator/cve/CVE-2002-0013", "Bot: api-app-prod.wobot.ai | wizarbot.com | ipv4bot.whatismyipaddress.com", "Spy: app.zapspy.net | http://spywarefrance.com | spywarefrance.com", "http://www.iss.net/security_center/alerts/advise110.php | Governmental? related to several @ellenmmm Pulses reports one cited DoD /Pentagon", "Hostname www.govsuppliers1920.aot.com.au | www.curuzu.gov.ar", "Yara Detection: ProtectSharewareV11eCompservCMS | StringFileInfo@\u0001\u0001040904B04\u0014\u0001CompanyName", "Alerts: persistence_autorun antisandbox_mouse_hook infostealer_keylog stealth_hiddenreg", "Interesting Strings http://schemas.microsoft.com/cdo/configuration/", "leaplegalsoftwaremerch.brandedproducts.com.au", "https://otx.alienvault.com/indicator/file/6aad634cd39d45d3e03c9cd3791b82efc66da624902ac8d9a6dd109c16701694", "appleremotesupport.com | applesundermybed.com | appleid-secure-login.com", "teenfuckers.com | fuck.cloudflaressl.com | animefuck.org |", "blackteensexy.net | teenfuckers.com | teengayvideo.com | teensexporno.org" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Agent-678024", "display_name": "Win.Trojan.Agent-678024", "target": null }, { "id": "ZingoStealer", "display_name": "ZingoStealer", "target": null }, { "id": "Ginzo Stealer", "display_name": "Ginzo Stealer", "target": null }, { "id": "Trojan:Win32/Trickler", "display_name": "Trojan:Win32/Trickler", "target": "/malware/Trojan:Win32/Trickler" }, { "id": "Other:Malware-gen", "display_name": "Other:Malware-gen", "target": null }, { "id": "CVE-2002-0013", "display_name": "CVE-2002-0013", "target": null }, { "id": "Trojan:Win32/Msposer.I", "display_name": "Trojan:Win32/Msposer.I", "target": "/malware/Trojan:Win32/Msposer.I" }, { "id": "DoS:Win32/Rask", "display_name": "DoS:Win32/Rask", "target": "/malware/DoS:Win32/Rask" }, { "id": "Zeppelin", "display_name": "Zeppelin", "target": null }, { "id": "Win.Malware.Swisyn-9942393-0", "display_name": "Win.Malware.Swisyn-9942393-0", "target": null }, { "id": "TEL:HTML/MalvertWindowResize", "display_name": "TEL:HTML/MalvertWindowResize", "target": "/malware/TEL:HTML/MalvertWindowResize" } ], "attack_ids": [ { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1478", "name": "Install Insecure or Malicious Configuration", "display_name": "T1478 - Install Insecure or Malicious Configuration" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1118", "name": "InstallUtil", "display_name": "T1118 - InstallUtil" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Healthcare", "Technology", "Legal", "Civilian Society" ], "TLP": "green", "cloned_from": "667f111dcdeeba812adc4fd4", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 239, "FileHash-SHA1": 234, "FileHash-SHA256": 775, "domain": 2293, "hostname": 1545, "URL": 1431, "email": 13, "SSLCertFingerprint": 10, "CVE": 1 }, "indicator_count": 6541, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "630 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "667f111dcdeeba812adc4fd4", "name": "DoS:Win32/Rask | ZingoStealer | Used by Law/Legal/Tesms/Gov/IBM", "description": "It sure takes a lot to make, framing, spying, shadowing look like an investigation. I can't help but notice the excessive gay, teen porn and blackpu**y love.", "modified": "2024-07-28T18:04:28.664000", "created": "2024-06-28T19:38:05.236000", "tags": [ "historical ssl", "threat network", "infrastructure", "discord bots", "ualberta tld", "cobalt strike", "data redacted", "cloudflare", "code", "server", "registrar abuse", "admin country", "registrant name", "registry domain", "dnssec", "billing country", "date", "dns replication", "aaaa", "record type", "ttl value", "domain status", "registrant fax", "registrar url", "whois lookup", "dynamicloader", "show", "search", "adobe reader", "copy", "dynamic", "adobe", "incorporated", "read", "write", "read c", "write c", "delete c", "memcommit", "medium", "time stamping", "united", "domain", "persistence", "execution", "malware", "suspicious", "encrypt", "referrer", "first", "utc submissions", "submitters", "domains", "csc corporate", "scaleway", "tucows", "google", "dynadot llc", "amazon02", "facebook", "level3", "lineargradient", "png image", "ascii text", "pattern match", "ff6633", "mitre att", "rgba", "path", "ck id", "show technique", "mask", "june", "hybrid", "local", "click", "strings", "body", "stop", "enterprise", "rask", "abcd", "yara detections", "tls sni", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "malicious ids", "as17667", "passive dns", "content type", "title", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "urls", "as37153", "south africa", "unknown", "files", "status", "showing", "record value", "for privacy", "redacted for", "entity", "as49505", "russia unknown", "servers", "script urls", "health law", "meta", "a domains", "providers", "state server", "internalname", "legalcopyright", "filehash", "entries", "zeppelin20", "total", "trojan", "gmt content", "vercel x", "refresh", "time", "antivirus", "win32trickler", "targeted", "oval oval", "cve cve20020013", "exploits", "cve overview", "vulnerabilities", "protos", "shadow", "quasi", "creation date", "as706", "as15293", "cname", "expiration date", "as14870 flexera", "hilgraeve", "virgin islands", "as19905", "as16276", "france unknown", "canada unknown", "next", "hostname", "expiration", "ibm", "x force", "components", "installs", "high", "explorer", "anomalous file", "as44273 host", "certificate", "as54113", "name servers", "moved", "asnone united", "apple", "apple remote", "apple spy", "abuse", "as22612", "as397240", "as19527 google", "nxdomain", "whitelisted", "aaaa nxdomain", "as21342", "a nxdomain", "ns nxdomain", "teenfuckers.com", "fuck", "fuck team", "dod", "teen porn", "malvertising", "framing", "killers", "hitmen", "stalkers", "orbiters", "fake date", "date app", "blind install", "government", "dark" ], "references": [ "https://otx.alienvault.com/indicator/file/4fcfe3c9358a6ece8fe1406be7790a72db6665206e87dd06cdb17d130498e47a", "Yara Detections: Zeppelin_10 , Zeppelin_20 , ConventionEngine_Anomaly_MultiPDB_Double , MS_Visual_Cpp_2005", "High Priority Alert: stealth_network modifies_certificates network_icmp", "ET TROJAN Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI) 192.168.56.115", "Zingo/GinzoStealer: FileHash-SHA256 015d67fcca9d2fa8e4ea8f8a2cb99dee5f0b4bf39898d160c27bc4e4c6ccd237 trojan", "Zingo/GinzoStealer: FileHash-MD5 0b5fd8367272a6986f93af06faf977a9 trojan", "Zingo/GinzoStealer: FileHash-SHA1 72b5f7716dbf8e1e6fa26ef19a9d7f8970221300 trojan", "https://otx.alienvault.com/indicator/file/4fcfe3c9358a6ece8fe1406be7790a72db6665206e87dd06cdb17d130498e47a", "Zingo/GinzoStealer: https://otx.alienvault.com/indicator/file/4fcfe3c9358a6ece8fe1406be7790a72db6665206e87dd06cdb17d130498e47a", "https://www.hybrid-analysis.com/sample/caeed78015e7bcdf122aa01354016e3057cae1b585a946086d2d69ff643e7e2c/667e87c7badf2ad3670bd6bb", "Installation/Persistence: \"Press_Release_99x180_1_.svg\" has type \"SVG Scalable Vector Graphics image\"- [targetUID: N/A]", "https://otx.alienvault.com/indicator/ip/110.238.1.102 | https://otx.alienvault.com/indicator/hostname/ninr.syslinx.com.au", "https://otx.alienvault.com/indicator/ip/15.197.225.128", "www.resident-physician-lawyer.com | HTTP/1.1 405 Not Allowed Server: awselb/2.0 Connection: keep alive WAFRule: 0", "https://otx.alienvault.com/indicator/hostname/www.resident-physician-lawyer.com | www.thehealthlawfirm.com", "Trojan:Win32/Trickler: FileHash-SHA256 ccbb9ff792732151e9b57b30cb18bff96e63d5cec17fac1bd937ae5c49271699", "Trojan:Win32/Trickler: FileHash-MD5 8d2a19ceb45e794e08e8c1588d22d242", "Trojan:Win32/Trickler: FileHash-SHA1 a461b60b2a82cdd560f96b2502a4b9b9ac98a7ed", "Trojan:Win32/Msposer.I: FileHash-SHA256 6aad634cd39d45d3e03c9cd3791b82efc66da624902ac8d9a6dd109c16701694", "Trojan:Win32/Msposer.I: FileHash-MD5 e30112d853700a6e93bec678c1c0a538", "Trojan:Win32/Msposer.I: FileHash-SHA1 410efb8108fdf5db106e1f6a3d7608355621562d", "DoS:Win32/Rask: http://karelinform.ru/news/world/02-06-2016/uchenye-raskryli-sekret-antirakovyh-svoystv-aspirina", "PROTOS Remote SNMP Attack Tool: https://otx.alienvault.com/indicator/cve/CVE-2002-0013", "Bot: api-app-prod.wobot.ai | wizarbot.com | ipv4bot.whatismyipaddress.com", "Spy: app.zapspy.net | http://spywarefrance.com | spywarefrance.com", "http://www.iss.net/security_center/alerts/advise110.php | Governmental? related to several @ellenmmm Pulses reports one cited DoD /Pentagon", "Hostname www.govsuppliers1920.aot.com.au | www.curuzu.gov.ar", "Yara Detection: ProtectSharewareV11eCompservCMS | StringFileInfo@\u0001\u0001040904B04\u0014\u0001CompanyName", "Alerts: persistence_autorun antisandbox_mouse_hook infostealer_keylog stealth_hiddenreg", "Interesting Strings http://schemas.microsoft.com/cdo/configuration/", "leaplegalsoftwaremerch.brandedproducts.com.au", "https://otx.alienvault.com/indicator/file/6aad634cd39d45d3e03c9cd3791b82efc66da624902ac8d9a6dd109c16701694", "appleremotesupport.com | applesundermybed.com | appleid-secure-login.com", "teenfuckers.com | fuck.cloudflaressl.com | animefuck.org |", "blackteensexy.net | teenfuckers.com | teengayvideo.com | teensexporno.org" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Agent-678024", "display_name": "Win.Trojan.Agent-678024", "target": null }, { "id": "ZingoStealer", "display_name": "ZingoStealer", "target": null }, { "id": "Ginzo Stealer", "display_name": "Ginzo Stealer", "target": null }, { "id": "Trojan:Win32/Trickler", "display_name": "Trojan:Win32/Trickler", "target": "/malware/Trojan:Win32/Trickler" }, { "id": "Other:Malware-gen", "display_name": "Other:Malware-gen", "target": null }, { "id": "CVE-2002-0013", "display_name": "CVE-2002-0013", "target": null }, { "id": "Trojan:Win32/Msposer.I", "display_name": "Trojan:Win32/Msposer.I", "target": "/malware/Trojan:Win32/Msposer.I" }, { "id": "DoS:Win32/Rask", "display_name": "DoS:Win32/Rask", "target": "/malware/DoS:Win32/Rask" }, { "id": "Zeppelin", "display_name": "Zeppelin", "target": null }, { "id": "Win.Malware.Swisyn-9942393-0", "display_name": "Win.Malware.Swisyn-9942393-0", "target": null }, { "id": "TEL:HTML/MalvertWindowResize", "display_name": "TEL:HTML/MalvertWindowResize", "target": "/malware/TEL:HTML/MalvertWindowResize" } ], "attack_ids": [ { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1478", "name": "Install Insecure or Malicious Configuration", "display_name": "T1478 - Install Insecure or Malicious Configuration" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1118", "name": "InstallUtil", "display_name": "T1118 - InstallUtil" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Healthcare", "Technology", "Legal", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 239, "FileHash-SHA1": 234, "FileHash-SHA256": 775, "domain": 2293, "hostname": 1545, "URL": 1431, "email": 13, "SSLCertFingerprint": 10, "CVE": 1 }, "indicator_count": 6541, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "630 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6675403ebdfc5bb1288b8b0b", "name": "Sakula RAT | Remote Attacks | Mirai | Piracy", "description": "", "modified": "2024-07-21T08:03:04.249000", "created": "2024-06-21T08:56:30.887000", "tags": [ "historical ssl", "remote", "high level", "hackers", "unknown win", "executable", "highly targeted", "cyber attack", "spotify artist", "sakula rat", "div div", "a div", "unknown", "united", "search", "nubile cowgirl", "mommy", "businessman", "slavegirl", "busty brunette", "date", "meta", "name servers", "status", "aaaa", "certificate", "cookie", "next", "log id", "gmtn", "go daddy", "authority", "tls web", "passive dns", "urls", "arizona", "scottsdale", "ca issuers", "false", "virgin islands", "as44273 host", "cname", "as19905", "creation date", "pulses", "trojan", "as22612", "react app", "verizon feed", "error", "typeof e", "body", "path", "info", "trace", "pulse submit", "url analysis", "files", "domain", "files ip", "external", "whois", "window", "as133618", "nxdomain", "coco", "elsa jean", "katrina jade", "amazing girls", "puffy nipples", "all scoreblue", "ipv4", "pulse pulses", "location virgin", "as133775 xiamen", "germany unknown", "florence co", "tsara brashears", "scan endpoints", "ip address", "ip related", "pulses otx", "redacted for", "for privacy", "dnssec", "as49870 alsycon", "as49305 map", "as24940 hetzner", "moved", "a domains", "encrypt", "showing", "expiration date", "as19527 google", "as397240", "get http", "read c", "write c", "et trojan", "dcom port", "possible", "host sinkhole", "write", "win32", "artemis", "malware", "nivdort", "zeus gameover", "copy", "xserver", "apple", "intellectual property theft", "dns replication", "type name", "replication", "domains", "ripe ncc", "ripe network", "whois lookups", "as49870 city", "abuse contact", "orgid", "mohammed zourob", "address", "orgabuseref", "mirai", "honeypot ips", "collection", "referrer", "mirai malware", "relacionada", "mirai 03042024", "bashlite", "sha256", "sha1", "windows nt", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "hybrid", "june", "local", "click", "strings", "contact", "as34788", "title", "body doctype", "html public", "ietfdtd html", "gmt server", "service", "apache", "targeting", "piracy" ], "references": [ "Sakula RAT - www.polarroute.com-CnC", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "appleremotesupport.com", "Remote Attack x12 devices: device-local-2d1dedc1-a9a2-445b-8475-c2a24b9c1f58.remotewd.com", "Win32:Malware-gen : watchhers.net", "89.190.156.61: Backdoor:Linux/Mirai.AY!MTB | Backdoor:Linux/DemonBot.Aa!MTB | Unix.Trojan.Mirai-7100807-0 | Unix.Trojan.Tsunami-6981155-0", "Artemis!88755E38FB0B: http://static.123mediaplayer.com/Styles/Softwares/03652e13_aartemis.zip", "Nivdort: 130.255.191.101 | 192.232.223.67 | 192.64.119.172 | 208.113.243.145", "Bayrob: 173.236.19.82", "Win32:Malware-gen: message.htm.com", "Verizon Feed: https://api.aws.parking.godaddy.com | api.aws.parking.godaddy.com | https://api.aws.parking.godaddy.com/d/search/p/godaddy/xml/domain/multiset/v4/", "Tracking: track.123mediaplayer.com | track4you2me.com | mobiletrackersoft.com | www.tracking.getrobux.gg", "Malvertising: https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net | i3.cdn-image.com", "https://esvid.net/video/la-escuelita-especial-de-halloween-tv-ana-emilia-mfYrv_yj7eM.html", "sex.com | xxgayporn.com | http://www.myporncdn.com/ | http://meyzo.com/porn/ww.xxxhorse.virlcom/3", "IDS Detections: ETPRO TROJAN Terse HTTP 1.0 Request Possible Nivdort | ETPRO TROJAN W32/Bayrob Attempted Checkin 2", "IDS Detections: ET TROJAN Possible Compromised Host Sinkhole Cookie Value Snkz | ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses", "IDS Detections: ETPRO TROJAN Possible Tinba DGA NXDOMAIN Responses (net)", "https://otx.alienvault.com/indicator/file/2bf47000e3fd57a0a66f114378e27bc7119657ae0e9f692cfb6add41fdd25d43", "Mirai: http://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=1313058492&charset=UTF-8&loc=http%3A//yorozuya.miraiserver.com/archives/20716", "Mirai: http://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=93256626515&charset=utf-8&loc=http%3A//yorozuya.miraiserver.com/archives/10404&referer=http%3A//www.google.co.jp/url%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D2%26ved%3D0ahUKEwiYv8vl6dHWAhUIf7wKHZD-CeUQFg No Expiration\t0\t URL https://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=94867445544&charset=UTF-8&loc=https%3A//yorozuya.miraiserver.com/archives/21384&referer=http%3A//search.yahoo.co.jp/ No Expiration\t0\t URL https://www.adsbo", "https://www.hybrid-analysis.com/sample/c878607fd780c9bc0d2f66b0c23ee33961c58ad568f4a2f1fe46082185299017/667532fda77e8833a9099b6b" ], "public": 1, "adversary": "", "targeted_countries": [ "Netherlands", "Germany", "United States of America" ], "malware_families": [ { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null }, { "id": "a variant of Win32/Bayrob.BL", "display_name": "a variant of Win32/Bayrob.BL", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Trojan.Bayrob!gen9", "display_name": "Trojan.Bayrob!gen9", "target": null }, { "id": "Trojan", "display_name": "Trojan", "target": null }, { "id": "HEUR:Trojan.Win32.Generic", "display_name": "HEUR:Trojan.Win32.Generic", "target": null }, { "id": "Mal/Bayrob-C ,", "display_name": "Mal/Bayrob-C ,", "target": null }, { "id": "DownLoader24.56470", "display_name": "DownLoader24.56470", "target": null }, { "id": "Trojan/Win32.Nivdort.C1321145", "display_name": "Trojan/Win32.Nivdort.C1321145", "target": null }, { "id": "Backdoor:Linux/Mirai.AY!MTB", "display_name": "Backdoor:Linux/Mirai.AY!MTB", "target": "/malware/Backdoor:Linux/Mirai.AY!MTB" }, { "id": "Unix.Trojan.Tsunami-6981155-0", "display_name": "Unix.Trojan.Tsunami-6981155-0", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6903, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1390, "FileHash-MD5": 97, "FileHash-SHA1": 91, "FileHash-SHA256": 1341, "URL": 3993, "domain": 1903, "email": 11, "SSLCertFingerprint": 4, "CIDR": 2 }, "indicator_count": 8832, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "637 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6665d9ae1b06b560698b2a70", "name": "Assurance [a Prudential company] S0094-Remote Access", "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly/Crouching Yeti and more. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966", "modified": "2024-07-09T15:02:04.111000", "created": "2024-06-09T16:34:54.161000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly,", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2950, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17066, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "649 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6665d55d941729c5f283b3f7", "name": "S0094-Remote Access - Assurance [a Prudential company]", "description": "Assurance experienced an abrupt shutdown April 2024. Health Insurance agents were notified mid business; Prudential [Assurance partner] had fully taken over thus ending all contracts amid business. Cyber investigations date back to 2023. health insurance agents Trojan.Karagany [old] is a modular remote access tool used for recon and linked to Dragonfly. Infostealer, malware and unwanted programs downloader.\nPersistence. Severe | S0094 - Remote Access\nCVE-2023-22518 | CVE-2023-4966", "modified": "2024-07-09T15:02:04.111000", "created": "2024-06-09T16:16:29.634000", "tags": [ "falcon sandbox", "sha256", "sha1", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "ascii text", "null", "hybrid", "refresh", "body", "span", "june", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "contact", "historical ssl", "referrer", "httponly", "path", "secure", "maxage31557600", "expiresmon", "samesitenone", "expireswed", "etag w", "setcookie dids", "maxage864000", "http response", "final url", "serving ip", "address", "status code", "html document", "history", "utc names", "html info", "title assurance", "meta tags", "script tags", "anchor hrefs", "code", "requestid", "hostid", "xml file", "accessdenied", "message", "signature", "expires", "awsaccesskeyid", "log id", "gmtn", "passive dns", "urls", "digicert global", "g2 tls", "rsa sha256", "tls web", "full name", "self", "false", "united", "as8075", "unknown", "gmt server", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "url https", "pulse pulses", "http", "ip address", "related nids", "files location", "aaaa", "meta", "link", "search", "creation date", "wheels up", "moved", "homepage", "servers", "service", "name servers", "hostname", "next", "japan unknown", "as2510 fujitsu", "status", "page", "ltd dba", "com laude", "record value", "ireland", "germany", "australia", "as44786 adobe", "whitelisted", "win32", "present may", "trojan", "karaganye", "regsetvalueexa", "regdword", "default", "show", "presto", "regbinary", "medium", "create c", "query", "double", "malware", "copy", "karagany", "write", "showing", "as35908 krypt", "as45102 alibaba", "hong kong", "data service", "script script", "div div", "title", "entries", "files", "japan asn", "dns resolutions", "memory pattern", "ip traffic", "domains", "urls https", "files c", "filesgoogle c", "written c", "extensions", "as20446", "as14061", "emails", "threat roundup", "bashlite", "jupyter rising", "vmware", "security blog", "april", "september", "december", "january", "enemybot", "core" ], "references": [ "Assurance", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "Domains Contacted: simplesausages.cx.cc adobe.com", "https://test2.ditproducts.com/dat/wannacry1.html", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CVE-2023-22518 | CVE-2023-4966" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/Karagany!atmn", "target": null }, { "id": "Win32:Karagany-D\\ [Trj]", "display_name": "Win32:Karagany-D\\ [Trj]", "target": null }, { "id": "Win.Trojan.Xtoober-650", "display_name": "Win.Trojan.Xtoober-650", "target": null }, { "id": "Trojan:Win32/Startpage.SS", "display_name": "Trojan:Win32/Startpage.SS", "target": "/malware/Trojan:Win32/Startpage.SS" }, { "id": "Win.Packed.Pincav-7537597-0", "display_name": "Win.Packed.Pincav-7537597-0", "target": null }, { "id": "Trojan.Karagany - S0094", "display_name": "Trojan.Karagany - S0094", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Finance - Insurance Sector" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2950, "FileHash-MD5": 193, "FileHash-SHA1": 171, "FileHash-SHA256": 1885, "URL": 8907, "domain": 2945, "SSLCertFingerprint": 2, "email": 11, "CVE": 2 }, "indicator_count": 17066, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "649 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "665ec0cfd110b0694c51fbe2", "name": "Eset - Dorkbot", "description": "Dorkbot a self-propagating program that can spread itself from one computer to another threatening to perform numerous f actions of a malicious hacker's choice on PC. Found on an updated windows machine. Hacker named machine, installed apple viewing software programs, partitioned 'zombie' machine. Network of compromised, sketchy remote transfer agents of a professional in the service industry. Serious impact on or companies impact on remote workers contracted by company in question due to the abrupt cessation of business of a recognized brand it's industry. Unfortunately, the documentation of this Eset programs behavior has been misplaced. From recall. this install identified and allowed threats, d. It was a weird see with the names eye experience. Incoming request/ Remote operators, disallowed many transactions and other basic use of software. Workers potentially working a database from individuals whose PII & PHI was leaked.", "modified": "2024-07-04T06:01:28.799000", "created": "2024-06-04T07:22:55.572000", "tags": [ "historical ssl", "referrer", "algorithm", "v3 serial", "number", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "key identifier", "subject key", "first", "server", "registrar abuse", "date", "csl computer", "gmbh dba", "contact phone", "domain status", "registrar url", "registrar whois", "contact email", "code", "united", "unknown", "aaaa", "as14061", "cname", "search", "emails", "dnssec", "showing", "win32", "title error", "passive dns", "open ports", "trojan", "body doctype", "html public", "w3cdtd html", "body", "dns replication", "domain", "lookups", "email", "name server", "slovensko", "tech contact", "valid", "admin contact", "a domains", "a li", "span h3", "header link", "option option", "united kingdom", "test", "april", "meta", "paris", "eset", "yara detections", "nod32", "amon", "internalname", "online payment", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "amz cf", "creation date", "record value", "expiration date", "name servers", "servers", "status", "next", "asnone united", "moved", "certificate", "ipv4", "urls", "files", "av detections", "ids detections", "alerts", "analysis date", "cf2a", "xaax04x00", "high", "dns reply", "noip domain", "et trojan", "createsuspended", "malware traffic", "dorkbot", "malware", "copy", "name verdict", "falcon sandbox", "windows nt", "appdata", "png image", "pattern match", "indicator", "ascii text", "rgba", "get collect", "vj98", "hybrid", "general", "local", "click", "strings", "path", "ms windows", "pe32", "intel", "microsoft asf", "pe32 executable", "database", "english", "installer", "template", "tue jun", "service", "crlf line", "url https", "http", "ip address", "related nids", "files location", "tip" ], "references": [ "bpp.eset.com", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin Dorkbot GeoIP Lookup to wipmania DNS Reply Sinkhole Microsoft NO-IP", "IDS Detections: Domain Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake", "High Priority Alerts: nids_malware_alert injection_runpe network_icmp dumped_buffer2 network_irc nolookup_communication", "High Priority Alerts: allocates_execute_remote_process persistence_autorun injection_createremotethread injection_modifies_memory", "High Priority Alerts: injection_write_memory injection_write_memory_exe modifies_proxy_wpad injection_ntsetcontextthread injection_resumethread dumped_buffer network_http nids_alert suspicious_tld allocates_rwx .", "IP\u2019s Contacted: 172.217.14.226 172.217.14.234 162.217.99.134 204.95.99.243 212.83.168.196 216.58.193.67 216.58.217.42 99.86.38.99", "Domains Contacted: n.jntbxduhz.ru n.yqqufklho.ru n.lotys.ru api.wipmania.com n.vbemnggcj.ru n.hmiblgoja.ru dns.msftncsi.com n.ezjhyxxbf.ru", "https://otx.alienvault.com/indicator/file/8ad6f89c763315bf59bc3619139f8478f6bcc57d902123c8b5c413f251ff8778", "Alerts: dead_host network_icmp nolookup_communication packer_polymorphic origin_langid peid_packer", "https://healthinsurancecompanion.com/affordable-health-insurance?Landing_Page=https://healthinsurancecompanion.com/affordable-health-insurance&SRC=iDr_E", "appleremotesupport.com | http://thickapple.net/index.php", "https://normalexchange.com/v/155e44b6-11dc-11e8-9dff-01407350b0f6/c/1e289258-e09c-11e5-bea8-021988c520a1/?clickid=9023100005531544085-201802-3", "https://asserts.turbovpn.co/web/images/download/icons/apple-icon.png", "https://appleid-verify.servecounterstrike.com/", "http://schoolgirl.uxxxporn.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:GenMalicious-KAG\\ [Trj]", "display_name": "Win32:GenMalicious-KAG\\ [Trj]", "target": null }, { "id": ", Win.Trojan.Agent-1286703", "display_name": ", Win.Trojan.Agent-1286703", "target": null }, { "id": "Trojan:Win32/DorkBot.DU", "display_name": "Trojan:Win32/DorkBot.DU", "target": "/malware/Trojan:Win32/DorkBot.DU" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Cosmu-1058", "display_name": "Win.Trojan.Cosmu-1058", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Finance", "Healthcare", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 758, "FileHash-SHA1": 478, "FileHash-SHA256": 2561, "URL": 8210, "domain": 2202, "hostname": 2760, "email": 22, "CVE": 3 }, "indicator_count": 16994, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "654 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66141ecabe8f1ab189351dd3", "name": "Tofsee Botnet: Google.com.uy | Install | Injection | Pegasus Monitoring", "description": "Installed remotely by nefarious actor by Trojan dropper. Typically not install via PlayStore/AppStore; can be with severe compromise/ VPNs will be fake. Examples: 1.1.1.1, 1.1.1.4, Proton AG or Proton.ch. Not visible: [.uy.]. All data, monitored, manipulated, tracked, location, vehicle tracking, webcams, IP track, data cryptocurrency mining, tracked 24/7, collection, DDoS attacks, ransom, full CnC.\nTweakers.net, .bv , etc., observed, pegasus related", "modified": "2024-05-08T16:00:34.588000", "created": "2024-04-08T16:43:54.908000", "tags": [ "installer", "tofsee", "trojan", "dropper", "dns", "as20940", "united", "aaaa", "as15703", "search", "servers", "as8455 schuberg", "a domains", "encrypt", "code", "tweakers", "unknown", "ransom", "body", "webcams", "banker", "location tracking", "vehicle tracking", "device tracking", "exploitation", "redirects", "ip tracking", "vpn nullify", "vehicle keycodes", "search threat", "analyzer feeds", "panel platform", "search platform", "profile user", "iocs", "redacted for", "passive dns", "all scoreblue", "hostname", "next", "cnc", "scanning host", "milesone", "virtual currency mining", "crypto", "regsetvalueexa", "regdword", "default", "show", "regbinary", "read c", "settingswpad", "as15169", "malware", "copy", "write", "upatre", "ids detections", "scan endpoints", "filehash", "av detections", "yara detections", "alerts", "analysis date", "file score", "ransom", "related pulses", "entries", "icmp traffic", "packing t1045", "t1045", "pe resource", "august", "win32", "for privacy", "creation date", "name servers", "urls", "date", "status", "as15169 google", "as44273 host", "ipv4", "pulse submit", "url analysis", "msie", "chrome", "moved", "title", "gmt content", "apple", "invalidate_gift_cards", "tulach rebranded", "hallrender rebranded", "as8075", "verdana", "td tr", "domain", "germany unknown", "as34011 host", "etag", "medium", "module load", "invalidate_google_play", "algorithm", "v3 serial", "number", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "first", "win32 exe", "win32 dll", "javascript", "mozilla firefox", "edition", "detections type", "name", "keeweb", "setup", "firefox setup", "record type", "ttl value", "android", "files", "formbook", "critical cmd", "tracker", "tsara brashears", "remote", "historical ssl", "referrer", "march", "body html", "head meta", "moved title", "head body", "pegasus", "nemtih", "hit", "men", "gift_card_mining", "google_play_card_mining", "miner", "htmladodb may", "twitter", "win64", "as21342", "as2914 ntt", "as15334", "error", "certificate", "checkbox", "accept", "record value", "emails", "domain name" ], "references": [ "Virustotal - google.com.uy", "https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key", "http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models", "http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing", "http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]", "http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]", "Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring", "https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect", "https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales", "nr-data.net [Apple Private Data Collection]", "checkip.dyndns.org [command and control]", "checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon", "144.76.108.82 [scanning host]", "Yara Detections PEtite24", "FormBook IP: 142.251.211.243", "https://pegasusm2.bullsbikesusa.com", "https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Trojan:MSIL/TrojanDropper", "display_name": "Trojan:MSIL/TrojanDropper", "target": "/malware/Trojan:MSIL/TrojanDropper" }, { "id": "Installer", "display_name": "Installer", "target": null }, { "id": "Sf:Agent-DQ\\ [Trj]", "display_name": "Sf:Agent-DQ\\ [Trj]", "target": null }, { "id": "TrojanDownloader:Win32/Upatre!rfn", "display_name": "TrojanDownloader:Win32/Upatre!rfn", "target": "/malware/TrojanDownloader:Win32/Upatre!rfn" }, { "id": "Win32:DropperX-gen\\ [Drp]", "display_name": "Win32:DropperX-gen\\ [Drp]", "target": null }, { "id": "Win.Trojan.Tofsee-9770082-1", "display_name": "Win.Trojan.Tofsee-9770082-1", "target": null }, { "id": "Ransom:Win32/StopCrypt.AK!MTB", "display_name": "Ransom:Win32/StopCrypt.AK!MTB", "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB" } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1574.005", "name": "Executable Installer File Permissions Weakness", "display_name": "T1574.005 - Executable Installer File Permissions Weakness" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1493", "name": "Transmitted Data Manipulation", "display_name": "T1493 - Transmitted Data Manipulation" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1013", "name": "Port Monitors", "display_name": "T1013 - Port Monitors" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1468", "name": "Remotely Track Device Without Authorization", "display_name": "T1468 - Remotely Track Device Without Authorization" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1483", "name": "Domain Generation Algorithms", "display_name": "T1483 - Domain Generation Algorithms" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 468, "FileHash-SHA256": 3233, "URL": 8667, "domain": 2219, "hostname": 3480, "email": 8 }, "indicator_count": 18467, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "711 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "663b4a3d4df0c7f120a8c60c", "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE [02/27/2024]", "description": "", "modified": "2024-05-08T09:47:41.535000", "created": "2024-05-08T09:47:41.535000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [has a medium risk GandCrab ransomware attack]", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": "65de914a22e80e90ac329dce", "export_count": 1176, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "711 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e1bcdc0a1e68182c252028", "name": "Activity Kotlin Extensions | Cryptor | Zombie Device | Network CnC", "description": "Remotely modified android device. Hidden users with full command and control. Network CnC Enables, microphone, camera, photos, screen recorder, login privileges, blocks and records calls, texts, forces updates, all services modified, Device is a zombie. \nAndroid phone behavior: Linux + Android over Chrome with Safari browser. Operated by a Lenovo K Tablet. Excessive Tracking . Pegasus relationships found. M. Brian Sabey related. Hidden users/user has all privileges of device owner. Threat actor possesses far more knowledge, uses device for malicious purposes, downloads porn in background. USA registrant. US target. DGA domains found. Evades detection.", "modified": "2024-03-31T11:04:36.813000", "created": "2024-03-01T11:32:44.504000", "tags": [ "communicating", "contacted", "android", "execution", "plugx", "threat", "iocs", "analyze", "urls http", "google llc", "server", "registrar abuse", "registrar iana", "us registrant", "date", "passive dns", "all octoseek", "http", "ip address", "related nids", "files location", "nsis", "network icmp", "read c", "entries", "search", "create c", "ddlr ltd", "write c", "sat may", "pe32", "intel", "write", "status", "urls", "creation date", "type", "hostname", "kotlin", "precreate read", "infotip read", "js user", "trojan", "ununtu", "linux", "module load", "t1129", "show", "copy", "win32", "malware", "as15169 google", "united", "unknown", "aaaa", "name servers", "showing", "error", "query", "default", "large dns", "malware dns", "msie", "windows nt", "february", "yara detections", "vbmod", "endpoints all", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "recon_fingerprint", "dead_host", "nolookup_communication", "antidbg_windows", "antivm_generic_bios", "browser_security", "modifies_certificates", "network_cnc_http", "network_http", "allocates_rwx", "antisandbox_sleep", "creates_exe", "exe_appdata", "dropper", "protection_rx", "antivm_network_adapters", "antivm_memory_available", "pe_features", "checks_debugger", "address", "domains ii", "servers", "set cookie", "next", "chrome", "record value", "body", "meta", "taiwan", "as3462", "as17421", "files", "dcbg", "direct search network", "spyware", "brian sabey", "norad tracking", "zombie", "scanning host", "apple", "ios", "lenovo", "cyber crime", "framing", "process32nextw", "regsetvalueexa", "tlsv1", "regopenkeyexw", "regdword", "loader", "suspicious", "persistence" ], "references": [ "xxx.developer.android.com", "Activity Kotlin Extensions (1.1.0) Tracking \u2022 Modification Privileges \u2022 Remote Install \u2022 Enable Camera \u2022 Enable Microphone \u2022 User w/Login Privileges \u2022 Picasa", "Package Manager: Maven Project URL: https://developer.android.com/jetpack/androidx/releases/activity#1.6.0-alpha01", "Win.Malware.Agent-6386296-0 FileHash-MD5: c7f6ed56312c8fbb58ae6ed445c38df4 | Win32:Adware-gen\\ [Adw]", "Win.Malware.Agent-6386296-0 FileHash-MD5: e02dbf5d1576e6c9d7d773a588b9b9ee", "Win.Malware.Agent-6386296-0 FileHash-SHA1: 466bbfcf0444b6406431f672aaa5ecfcca759379", "Win.Malware.Agent-6386296-0 FileHash-SHA1: e2dba94ef052db774478b9f7198c1a2298b334e5", "Win.Malware.Agent-6386296-0 FileHash-SHA256: 0000ada3e6821c011fd53a94e5a5d9a777a02b1c4cd087f1c51de9e0ad9023e3", "Win.Malware.Agent-6386296-0 FileHash-SHA256: fdb8452173a4f116f6e362ab5466c3c16bf6697502fe3d01db0d82f0e339de24 | Win32:Adware-gen\\ [Adw] ,", "https://otx.alienvault.com/indicator/file/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "Large DNS Query possible covert channel\t192.168.56.101", "Yara Detections: MS_Visual_Basic_6_0 , vad_contains_network_strings , EXECryptor2223compressedcodewwwstrongbitcom , EXECryptor2223protectedIAT , EXECryptor224StrongbitSoftCompleteDevelopmenth3 , EXECryptor2xxmaxcompressedresources ,", "Yara Detections Nullsoft_NSIS | Yara Detections: EXECryptorV22Xsoftcompletecom", "114-45-52-152.dynamic-ip.hinet.net\u2192.hinet.net | Domain has its own nameserver", "track.adminresourceupdate.com \u2022 postracking100.online", "2.746.1.iphone.com.unicostudio.braintest.adsenseformobileapps.com", "http://ecm.mobileboost.me/wapnt.php?id=368&publisher=headway&trackingId=1812131619a57bf1c1da8138&canal=offportal&source=001640_155:::cf1a3fda0", "http://mobileboost.me/APIS/WAPNT/wapnt.php?pageId=174&sec=334779&carrier=11&publisher=headway&aff_sub=18040118a49dafc70f463df8&source=000325_339", "mobile.detectivesoliver.com \u2022 callback.mobileboost.me", "IDS Detections: Playtech Installer PUP/Adware Playtech Downloader Online Gaming Checkin Suspicious User-Agent containing Loader Observed C: \\\\ filepath observed in HTTP header", "Yara Detections: stack_string , ConventionEngine_Keyword_Install , research_pe_signed_outside_timestamp , xor_0x20_xord_javascript" ], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Agent-6386296-0", "display_name": "Win.Malware.Agent-6386296-0", "target": null }, { "id": "#Lowfi:Trojan:JS/Auto59", "display_name": "#Lowfi:Trojan:JS/Auto59", "target": null }, { "id": "Win32:VBMod\\ [Trj]", "display_name": "Win32:VBMod\\ [Trj]", "target": null }, { "id": "!EXECryptor_2.x.x", "display_name": "!EXECryptor_2.x.x", "target": null }, { "id": "Win32:VBMod\\ [Trj]", "display_name": "Win32:VBMod\\ [Trj]", "target": null }, { "id": "Win.Trojan.5229994-1", "display_name": "Win.Trojan.5229994-1", "target": null }, { "id": "Taiwan", "display_name": "Taiwan", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1399", "name": "Modify Trusted Execution Environment", "display_name": "T1399 - Modify Trusted Execution Environment" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [ "Civil Society", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 636, "FileHash-SHA1": 402, "FileHash-SHA256": 1126, "URL": 3482, "domain": 1192, "hostname": 1324, "email": 7, "SSLCertFingerprint": 2 }, "indicator_count": 8171, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "749 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65de914a22e80e90ac329dce", "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE", "description": "", "modified": "2024-03-25T03:03:48.639000", "created": "2024-02-28T01:50:02.478000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [has a medium risk GandCrab ransomware attack]", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": "65d97d89cda3f0dbf62f499d", "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "756 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65dc53a7d5ebf2b12d2e4bf1", "name": "test", "description": "", "modified": "2024-03-25T03:03:48.639000", "created": "2024-02-26T09:02:31.405000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [has a medium risk GandCrab ransomware attack]", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": "65da19c17ee182a7fb5122a0", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "drissm69", "id": "272382", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 2, "modified_text": "756 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65da19c17ee182a7fb5122a0", "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE", "description": "", "modified": "2024-03-25T03:03:48.639000", "created": "2024-02-24T16:30:57.575000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [has a medium risk GandCrab ransomware attack]", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": "65d97d8e925459e97ca124c9", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "756 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d97d8e925459e97ca124c9", "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE", "description": "*Edit: I meant to mean at&t may be unaware despite reported outage. My AT&T study is private and researched from corporate device. \n\nGandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab Ransomware is a ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.In many instances, files are encrypted to control, spy, monitor dns traffic, download other malware, spy on targets, modify, delete, write on victims devices going undetected.", "modified": "2024-03-25T03:03:48.639000", "created": "2024-02-24T05:24:30.672000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [has a medium risk GandCrab ransomware attack]", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "756 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d97d89cda3f0dbf62f499d", "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE", "description": "*Edit: I meant to mean at&t may be unaware despite reported outage. My AT&T study is private and researched from corporate device. \n\nGandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab Ransomware is a ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.In many instances, files are encrypted to control, spy, monitor dns traffic, download other malware, spy on targets, modify, delete, write on victims devices going undetected.", "modified": "2024-03-25T03:03:48.639000", "created": "2024-02-24T05:24:25.169000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [has a medium risk GandCrab ransomware attack]", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "756 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d97b3131bb8503e087d749", "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE", "description": "GandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab Ransomware is a ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.In many instances, files are encrypted to control, spy, monitor dns traffic, download other malware, spy on targets, modify, delete, write on victims devices going undetected.", "modified": "2024-03-25T03:03:48.639000", "created": "2024-02-24T05:14:25.808000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [suffered a medium risk GandCrab ransomware attack] I guess they don't know.", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable", "identity_helper.exe\" loaded module \"%WINDIR%\\System32\\bcrypt.dll\" at 73470000" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "756 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d97b3040e853a998bbd2cf", "name": "AT&T \u2022 Ransom:Win32/GandCrab.AE", "description": "GandCrab : GandCrab was a Ransomware-as-a-Service (RaaS). GandCrab Ransomware is a ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.In many instances, files are encrypted to control, spy, monitor dns traffic, download other malware, spy on targets, modify, delete, write on victims devices going undetected.", "modified": "2024-03-25T03:03:48.639000", "created": "2024-02-24T05:14:24.088000", "tags": [ "contacted", "t whois", "switch dns", "password", "adware", "trojan", "worm", "dns", "tracking", "ransomware", "as8075", "united", "unknown", "creation date", "search", "date", "entries", "pulse pulses", "passive dns", "urls", "defense", "date hash", "showing", "greatcall", "lively", "cname", "path", "http response", "final url", "ip address", "status code", "body length", "b body", "sha256", "expiressat", "maxage31536000", "html info", "title access", "denied trackers", "bing ads", "ver2", "vids1", "msclkidn", "home pg", "utc google", "tag manager", "ssl certificate", "whois record", "referrer", "communicating", "whois whois", "historical ssl", "resolutions", "pe resource", "ip addresses", "execution", "malware", "urls url", "domains domain", "threat roundup", "cyber crime", "use collection", "files", "parent domain", "network", "december", "august", "round", "february", "june", "cobalt strike", "lockbit", "miner", "ransom", "show", "scan endpoints", "all octoseek", "filehash", "av detections", "ids detections", "copy", "conhost", "shell commands", "processes tree", "samplepath", "dynamicloader", "domain", "query", "etpro malware", "gandcrab dns", "lookup", "powershell", "write", "gandcrab", "as14061", "a domains", "meta", "type", "moved", "body", "encrypt", "germany unknown", "as3209 vodafone", "aaaa", "next", "error", "status", "as797 att", "copyright c", "record value", "expiration date", "name servers", "serving ip", "address", "date sat", "gmt contenttype", "win32 exe", "detections type", "name", "android", "decode", "crypt", "contacted urls", "relacionada", "agent tesla", "active threats", "spyware", "cyberstalking", "as54113", "as22075", "japan", "germany", "united kingdom", "australia", "as13789", "apple ios", "tsara brashears", "unlocker", "apple", "password", "apple private", "data collection", "cyber warfare", "core", "hacktool", "malicious", "banker", "keylogger", "bot networks", "elderly", "disability", "health phone", "brashears", "tsara", "brian", "m", "sabey", "tulach", "rsa sha256", "content type", "access", "length", "masquerade", "true defense", "fraud services" ], "references": [ "https://www.att.com/ [suffered a medium risk GandCrab ransomware attack] I guess they don't know.", "192.168.0.25 [Network Router Admin Login to wireless routers]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "images.ctfassets.net [data collection of citizen]", "114.114.114.114 - Tulach Malware", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "Cobalt Strike | 3.12.49.0 | Amazon 02", "uversecentral3.att.com [decode cookie \u2022 unlock]", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable", "identity_helper.exe\" loaded module \"%WINDIR%\\System32\\bcrypt.dll\" at 73470000" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Ransom:Win32/GandCrab.E", "display_name": "Ransom:Win32/GandCrab.E", "target": "/malware/Ransom:Win32/GandCrab.E" }, { "id": "Win.Packer.Crypter-6539596-1", "display_name": "Win.Packer.Crypter-6539596-1", "target": null }, { "id": "ETPro", "display_name": "ETPro", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ALF:TrojanSpy:Win32/Keylogger", "display_name": "ALF:TrojanSpy:Win32/Keylogger", "target": null }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1183", "name": "Image File Execution Options Injection", "display_name": "T1183 - Image File Execution Options Injection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 231, "FileHash-SHA1": 217, "FileHash-SHA256": 1628, "URL": 298, "domain": 1047, "hostname": 877, "email": 7 }, "indicator_count": 4305, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "756 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65be8dde8544d0b022b4c464", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | Emotet ", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-02-03T19:02:54.507000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b85df45cc3d3fd07139ea9", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b80982381b53c66f0dd1e1", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-29T20:24:34.644000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b47524b1ec6b5c783a832e", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1530, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5239, "domain": 3740, "hostname": 2560, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 17661, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b47524b1ec6b5c783a832e", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-27T03:14:44.070000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b3fb6752ac464268b971b1", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1530, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5239, "domain": 3740, "hostname": 2560, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 17661, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b47501fcbc39983f098723", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-27T03:14:09.392000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b3fe6c4cd0f5158eb18692", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b3fe6c4cd0f5158eb18692", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader,", "description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA. Contact made. Physical records. Client: Brashears. https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/ 1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376 https://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/ https://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html TEL:Trojan:Win32/BazaarLoader 987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7https://www.joesandbox.com/analysis/1311477\nTarget: Critical Risk. In person contact made. Fraud services offered. \nThis is crazy.", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-26T18:48:12.433000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656df672e2e10d7cbf8435ed", "name": "Sharktech CNC IPv4 | Hostile Host IOC's", "description": "Datacenter /Hosting /VPS", "modified": "2024-01-03T14:02:32.483000", "created": "2023-12-04T15:55:30.953000", "tags": [ "date hash", "avast avg", "win32", "threat", "paste", "iocs", "urls http", "blacklist http", "cisco umbrella", "site", "safe site", "hostnames", "detection list", "blacklist", "phishing", "south carolina", "federal credit", "union", "team", "bank", "spammer", "attacker", "traffic", "tor known", "node tcp", "exit", "tor relayrouter", "hostile host", "threats et", "host", "samples", "win32 exe", "adv tool", "files", "type name", "dns replication", "date", "domain", "70.39.84.237 cnc", "sharktech", "autonomous system label", "creation date", "search", "dnssec", "showing", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "next", "urls", "summary", "sample", "count blacklist", "tag count", "tag combined", "contacted", "whois record", "execution", "ssl certificate", "dropped", "whois whois", "communicating", "referrer", "ip summary", "url summary", "red canary" ], "references": [ "https://www.hybrid-analysis.com/sample/a601cef349fc24d22747934e190b38dd3dbdb7295f0556e80236cf8f74aa4a3b" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "Trojan.Scar", "display_name": "Trojan.Scar", "target": null }, { "id": "Win32: Evo-Gen", "display_name": "Win32: Evo-Gen", "target": null }, { "id": "VBS/StartPage.B", "display_name": "VBS/StartPage.B", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/TrojanDropper", "display_name": "ALF:HeraklezEval:Trojan:MSIL/TrojanDropper", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 507, "FileHash-SHA1": 259, "FileHash-SHA256": 606, "URL": 1723, "domain": 353, "hostname": 553, "email": 2 }, "indicator_count": 4003, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "837 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656df67751c2e5048558c431", "name": "Sharktech CNC IPv4 | Hostile Host IOC's", "description": "Datacenter /Hosting /VPS", "modified": "2024-01-03T14:02:32.483000", "created": "2023-12-04T15:55:35.485000", "tags": [ "date hash", "avast avg", "win32", "threat", "paste", "iocs", "urls http", "blacklist http", "cisco umbrella", "site", "safe site", "hostnames", "detection list", "blacklist", "phishing", "south carolina", "federal credit", "union", "team", "bank", "spammer", "attacker", "traffic", "tor known", "node tcp", "exit", "tor relayrouter", "hostile host", "threats et", "host", "samples", "win32 exe", "adv tool", "files", "type name", "dns replication", "date", "domain", "70.39.84.237 cnc", "sharktech", "autonomous system label", "creation date", "search", "dnssec", "showing", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "passive dns", "next", "urls", "summary", "sample", "count blacklist", "tag count", "tag combined", "contacted", "whois record", "execution", "ssl certificate", "dropped", "whois whois", "communicating", "referrer", "ip summary", "url summary", "red canary" ], "references": [ "https://www.hybrid-analysis.com/sample/a601cef349fc24d22747934e190b38dd3dbdb7295f0556e80236cf8f74aa4a3b" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "Trojan.Scar", "display_name": "Trojan.Scar", "target": null }, { "id": "Win32: Evo-Gen", "display_name": "Win32: Evo-Gen", "target": null }, { "id": "VBS/StartPage.B", "display_name": "VBS/StartPage.B", "target": null }, { "id": "ALF:HeraklezEval:Trojan:MSIL/TrojanDropper", "display_name": "ALF:HeraklezEval:Trojan:MSIL/TrojanDropper", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 507, "FileHash-SHA1": 259, "FileHash-SHA256": 606, "URL": 1723, "domain": 353, "hostname": 553, "email": 2 }, "indicator_count": 4003, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "837 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "FormBook IP: 142.251.211.243", "High Priority Alerts: nids_malware_alert injection_runpe network_icmp dumped_buffer2 network_irc nolookup_communication", "https://healthinsurancecompanion.com/affordable-health-insurance?Landing_Page=https://healthinsurancecompanion.com/affordable-health-insurance&SRC=iDr_E", "http://mobileboost.me/APIS/WAPNT/wapnt.php?pageId=174&sec=334779&carrier=11&publisher=headway&aff_sub=18040118a49dafc70f463df8&source=000325_339", "Zingo/GinzoStealer: FileHash-SHA256 015d67fcca9d2fa8e4ea8f8a2cb99dee5f0b4bf39898d160c27bc4e4c6ccd237 trojan", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "https://otx.alienvault.com/indicator/hostname/www.resident-physician-lawyer.com | www.thehealthlawfirm.com", "144.76.108.82 [scanning host]", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 agent may view, modify, add or delete device images]", "Remote Attack x12 devices: device-local-2d1dedc1-a9a2-445b-8475-c2a24b9c1f58.remotewd.com", "Trojan:Win32/Trickler: FileHash-SHA1 a461b60b2a82cdd560f96b2502a4b9b9ac98a7ed", "IDS Detections: Domain Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin External IP Lookup Attempt To Wipmania Suspicious Mozilla User-Agent - Likely Fake", "IDS Detections: Possible Zbot Activity Common Download Struct Zbot Generic URI/Header Struct .bin", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "images.ctfassets.net [data collection of citizen]", "https://www.hybrid-analysis.com/sample/caeed78015e7bcdf122aa01354016e3057cae1b585a946086d2d69ff643e7e2c/667e87c7badf2ad3670bd6bb", "IDS Detections: Trojan Internet Connectivity Check TrojanDownloader.Win32/Karagany.H checkin 2", "Yara Detections Nullsoft_NSIS | Yara Detections: EXECryptorV22Xsoftcompletecom", "blackteensexy.net | teenfuckers.com | teengayvideo.com | teensexporno.org", "Bot: api-app-prod.wobot.ai | wizarbot.com | ipv4bot.whatismyipaddress.com", "PWS:Win32/Zbot!CI: FileHash-SHA256 edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef", "http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]", "DoS:Win32/Rask: http://karelinform.ru/news/world/02-06-2016/uchenye-raskryli-sekret-antirakovyh-svoystv-aspirina", "xxx.developer.android.com", "http://www.robinsoftware.com/youtube-video-downloader/update.xml [malicious software \u2022 pornhub downloader]", "PROTOS Remote SNMP Attack Tool: https://otx.alienvault.com/indicator/cve/CVE-2002-0013", "2.746.1.iphone.com.unicostudio.braintest.adsenseformobileapps.com", "CS Yara Rules: Gandcrab from ruleset Gandcrab by kevoreilly", "FileHash-SHA256 e5c584fdb2a3684a52edb41836436bb3d88221ffd3eb252516e1ca6dc879f8f9", "https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA", "Alerts: dead_host network_icmp nolookup_communication packer_polymorphic origin_langid peid_packer", "https://test2.ditproducts.com/dat/wannacry1.html", "Win32:Malware-gen: message.htm.com", "Malvertising: https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net | i3.cdn-image.com", "High Priority Alert: stealth_network modifies_certificates network_icmp", "sex.com | xxgayporn.com | http://www.myporncdn.com/ | http://meyzo.com/porn/ww.xxxhorse.virlcom/3", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Alerts: persistence_autorun creates_user_folder_exe injection_createremotethread", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Win.Malware.Agent-6386296-0 FileHash-MD5: c7f6ed56312c8fbb58ae6ed445c38df4 | Win32:Adware-gen\\ [Adw]", "https://www.pornhub.com/video/search?search=tsara+brashears [API \u2022 iOS password decryption]", "TrojanDownloader:Win32/Cutwail: IDS Detections: W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA Possible Zeus GameOver Connectivity Check 2", "tox.chat [moved \u2022 nginx \u2022 instant messaging platform]", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.", "Zingo/GinzoStealer: FileHash-MD5 0b5fd8367272a6986f93af06faf977a9 trojan", "ET TROJAN Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI) 192.168.56.115", "Andariel group \u00bb State-sponsored threat actor & Defense media", "114.114.114.114 - Tulach Malware", "https://otx.alienvault.com/indicator/file/00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32 [gandcrab .bit \u2022 DNS check \u2022 loader]", "Interesting Strings http://schemas.microsoft.com/cdo/configuration/", "Mirai: http://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=1313058492&charset=UTF-8&loc=http%3A//yorozuya.miraiserver.com/archives/20716", "smlpp.monster", "appleremotesupport.com", "Yara Detections: MS_Visual_Basic_6_0 , vad_contains_network_strings , EXECryptor2223compressedcodewwwstrongbitcom , EXECryptor2223protectedIAT , EXECryptor224StrongbitSoftCompleteDevelopmenth3 , EXECryptor2xxmaxcompressedresources ,", "IDS Detections: ETPRO TROJAN Possible Tinba DGA NXDOMAIN Responses (net)", "Trojan:Win32/Trickler: FileHash-MD5 8d2a19ceb45e794e08e8c1588d22d242", "IDS Detections: ET TROJAN Possible Compromised Host Sinkhole Cookie Value Snkz | ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect", "https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales", "Alerts: persistence_autorun antisandbox_mouse_hook infostealer_keylog stealth_hiddenreg", "Domains Contacted: simplesausages.cx.cc adobe.com", "Win32:Malware-gen : watchhers.net", "m.greatcall.com - Lively phone user/ [fraud/modified services/ spyware \u2022 listens to call or activities of affected]", "mobile.detectivesoliver.com \u2022 callback.mobileboost.me", "Alerts: nids_malware_alert network_icmp dumped_buffer2 allocates_execute_remote_process", "CVE-2023-22518 | CVE-2023-4966", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "teenfuckers.com | fuck.cloudflaressl.com | animefuck.org |", "https://otx.alienvault.com/indicator/ip/110.238.1.102 | https://otx.alienvault.com/indicator/hostname/ninr.syslinx.com.au", "Bayrob: 173.236.19.82", "T1110.001 (Brute Force: Password Guessing)", "http://m.greatcall.com/android/link/1.9/metadata/images/720x1280/resources.json [ spyware \u2022 service modification \u2022 data collection of private citizen]", "www.resident-physician-lawyer.com | HTTP/1.1 405 Not Allowed Server: awselb/2.0 Connection: keep alive WAFRule: 0", "https://bat.bing.com/action/0?ti=18003891&Ver=2&mid=d698ee97-c6e1-4285-a48a-9d8a49e51f5d&sid=426b3c30cca411ee907ded2ff69dbac6&vid=4", "Activity Kotlin Extensions (1.1.0) Tracking \u2022 Modification Privileges \u2022 Remote Install \u2022 Enable Camera \u2022 Enable Microphone \u2022 User w/Login Privileges \u2022 Picasa", "Assurance", "192.168.0.25 [Network Router Admin Login to wireless routers]", "Trojan:Win32/Msposer.I: FileHash-MD5 e30112d853700a6e93bec678c1c0a538", "Cobalt Strike | 3.12.49.0 | Amazon 02", "http://xred.site50.net/syn/Synaptics.rar [ malicious \u2022 spyware and malware]", "https://esvid.net/video/la-escuelita-especial-de-halloween-tv-ana-emilia-mfYrv_yj7eM.html", "checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon", "Unauthorized modification of a 'Lively' Jitterbug Phone to Verizon service", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "Mirai: http://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=93256626515&charset=utf-8&loc=http%3A//yorozuya.miraiserver.com/archives/10404&referer=http%3A//www.google.co.jp/url%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D2%26ved%3D0ahUKEwiYv8vl6dHWAhUIf7wKHZD-CeUQFg No Expiration\t0\t URL https://adsbox.net/www/delivery/ajs.php?zoneid=19&cb=94867445544&charset=UTF-8&loc=https%3A//yorozuya.miraiserver.com/archives/21384&referer=http%3A//search.yahoo.co.jp/ No Expiration\t0\t URL https://www.adsbo", "NSO Group auto populated/relevant to research results. For several year we've seen evidence of Pegasus attacks on Americans.", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [spyware \u2022data collection through media \u2022 similar to Pegasus behavior]", "appleremotesupport.com | applesundermybed.com | appleid-secure-login.com", "https://otx.alienvault.com/indicator/file/4fcfe3c9358a6ece8fe1406be7790a72db6665206e87dd06cdb17d130498e47a", "High Priority Alerts: allocates_execute_remote_process persistence_autorun injection_createremotethread injection_modifies_memory", "Installation/Persistence: \"Press_Release_99x180_1_.svg\" has type \"SVG Scalable Vector Graphics image\"- [targetUID: N/A]", "https://appleid-verify.servecounterstrike.com/", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Tracking: track.123mediaplayer.com | track4you2me.com | mobiletrackersoft.com | www.tracking.getrobux.gg", "Domains Contacted: crl.microsoft.com blackmarket.ogspy.net", "Apple:appleremotesupport.com | appleid.cdn-appme.com | appleid.cdn-aqple.com | www.ns1.bdn-apple.com", "Win.Malware.Agent-6386296-0 FileHash-SHA256: 0000ada3e6821c011fd53a94e5a5d9a777a02b1c4cd087f1c51de9e0ad9023e3", "Sakula RAT - www.polarroute.com-CnC", "https://www.greatcall.com/MemberSection/mobileapps/fivestarlandingpage [spyware \u2022 members can hear phone calls and personal conversations & behavior of affected]", "Spy: app.zapspy.net | http://spywarefrance.com | spywarefrance.com", "http://email.critizr.com/asm/unsubscribe/?user_id=1464008&data=anW5I3azQrbEzQ84_I2zsSfJkpp1WTl08_zW0p5h4i5oMDAwdTAwMIqknJPIfal-ld9TvXgRLVf_F", "Obfuscation: XOR-based String Encryption (0x20)", "Cloudflare | 1.1.1.1 -WarpPlus/****", "https://asserts.turbovpn.co/web/images/download/icons/apple-icon.png", "CS Yara Rules: SUSP_RANSOMWARE_Indicator_Jul20 from ruleset crime_ransom_generic by Florian Roth (Nextron Systems)", "uversecentral3.att.com [decode cookie \u2022 unlock]", "Nivdort: 130.255.191.101 | 192.232.223.67 | 192.64.119.172 | 208.113.243.145", "Trojan:Win32/Trickler: FileHash-SHA256 ccbb9ff792732151e9b57b30cb18bff96e63d5cec17fac1bd937ae5c49271699", "https://otx.alienvault.com/indicator/file/8ad6f89c763315bf59bc3619139f8478f6bcc57d902123c8b5c413f251ff8778", "Virustotal - google.com.uy", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "Yara Detections: stack_string , ConventionEngine_Keyword_Install , research_pe_signed_outside_timestamp , xor_0x20_xord_javascript", "Tulach- 114.114.114.114", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Large DNS Query possible covert channel\t192.168.56.101", "ttp://nomoreransom.coin/ [method \u2022 user agent]", "http://ecm.mobileboost.me/wapnt.php?id=368&publisher=headway&trackingId=1812131619a57bf1c1da8138&canal=offportal&source=001640_155:::cf1a3fda0", "IDS Detections: Win32/IRCBrute/Floder.ej/TKcik.A Checkin Dorkbot GeoIP Lookup to wipmania DNS Reply Sinkhole Microsoft NO-IP", "bpp.eset.com", "Alerts: injection_modifies_memory injection_write_memory modifies_proxy_wpad packer_polymorphic self_delete_bat banker_zeus_p2p", "Yara Detections: Zeppelin_10 , Zeppelin_20 , ConventionEngine_Anomaly_MultiPDB_Double , MS_Visual_Cpp_2005", "Zingo/GinzoStealer: FileHash-SHA1 72b5f7716dbf8e1e6fa26ef19a9d7f8970221300 trojan", "http://schoolgirl.uxxxporn.com", "https://otx.alienvault.com/indicator/ip/15.197.225.128", "https://www.att.com/ [suffered a medium risk GandCrab ransomware attack] I guess they don't know.", "IDS Detections: Playtech Installer PUP/Adware Playtech Downloader Online Gaming Checkin Suspicious User-Agent containing Loader Observed C: \\\\ filepath observed in HTTP header", "http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing", "https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key", "https://www.hybrid-analysis.com/sample/a601cef349fc24d22747934e190b38dd3dbdb7295f0556e80236cf8f74aa4a3b", "Apple: ns2.usm87.siteground.biz | ns2.usm87.siteground.biz | Hostnme www.appleremotesupport.com", "Zingo/GinzoStealer: https://otx.alienvault.com/indicator/file/4fcfe3c9358a6ece8fe1406be7790a72db6665206e87dd06cdb17d130498e47a", "Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring", "Win.Malware.Agent-6386296-0 FileHash-SHA256: fdb8452173a4f116f6e362ab5466c3c16bf6697502fe3d01db0d82f0e339de24 | Win32:Adware-gen\\ [Adw] ,", "https://www.hybrid-analysis.com/sample/c878607fd780c9bc0d2f66b0c23ee33961c58ad568f4a2f1fe46082185299017/667532fda77e8833a9099b6b", "Alerts: network_icmp modifies_proxy_wpad network_http suspicious_tld allocates_rwx creates_exe antivm_network_adapters checks_debugger", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "identity_helper.exe\" loaded module \"%WINDIR%\\System32\\bcrypt.dll\" at 73470000", "Win.Malware.Agent-6386296-0 FileHash-SHA1: 466bbfcf0444b6406431f672aaa5ecfcca759379", "Win.Malware.Agent-6386296-0 FileHash-SHA1: e2dba94ef052db774478b9f7198c1a2298b334e5", "114-45-52-152.dynamic-ip.hinet.net\u2192.hinet.net | Domain has its own nameserver", "IDS Detections: Query for .cc TLD Suspicious User-Agent (Presto) Double User-Agent (User-Agent User-Agent)", "Artemis!88755E38FB0B: http://static.123mediaplayer.com/Styles/Softwares/03652e13_aartemis.zip", "IDS Detections: ETPRO TROJAN Terse HTTP 1.0 Request Possible Nivdort | ETPRO TROJAN W32/Bayrob Attempted Checkin 2", "http://www.iss.net/security_center/alerts/advise110.php | Governmental? related to several @ellenmmm Pulses reports one cited DoD /Pentagon", "facebooksunglassshop.com - Pegasus type tool [spyware data collection]", "Alerts: dead_host nids_malware_alert network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections PEtite24", "appleremotesupport.com | http://thickapple.net/index.php", "IDS Detections: Fbot/Satori CnC Checkin SUSPICIOUS Path to BusyBox Bad Login root logbusyboxin", "High Priority Alerts: injection_write_memory injection_write_memory_exe modifies_proxy_wpad injection_ntsetcontextthread injection_resumethread dumped_buffer network_http nids_alert suspicious_tld allocates_rwx .", "https://www.att.com/ [has a medium risk GandCrab ransomware attack]", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]", "inbound.mail.truedefense.com = Hacker. Receives inbound mail if target/targets", "89.190.156.61: Backdoor:Linux/Mirai.AY!MTB | Backdoor:Linux/DemonBot.Aa!MTB | Unix.Trojan.Mirai-7100807-0 | Unix.Trojan.Tsunami-6981155-0", "Trojan:Win32/Msposer.I: FileHash-SHA256 6aad634cd39d45d3e03c9cd3791b82efc66da624902ac8d9a6dd109c16701694", "nr-data.net [Apple Private Data Collection]", "Verizon Feed: https://api.aws.parking.godaddy.com | api.aws.parking.godaddy.com | https://api.aws.parking.godaddy.com/d/search/p/godaddy/xml/domain/multiset/v4/", "Mitre Capabilities: Host-Interaction \u2022 Data-Manipulation \u2022 Anti-Analysis Linking \u2022 Load-Code Executable", "Yara Detection: ProtectSharewareV11eCompservCMS | StringFileInfo@\u0001\u0001040904B04\u0014\u0001CompanyName", "Domains Contacted: n.jntbxduhz.ru n.yqqufklho.ru n.lotys.ru api.wipmania.com n.vbemnggcj.ru n.hmiblgoja.ru dns.msftncsi.com n.ezjhyxxbf.ru", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "https://otx.alienvault.com/indicator/file/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "IP\u2019s Contacted: 172.217.14.226 172.217.14.234 162.217.99.134 204.95.99.243 212.83.168.196 216.58.193.67 216.58.217.42 99.86.38.99", "https://normalexchange.com/v/155e44b6-11dc-11e8-9dff-01407350b0f6/c/1e289258-e09c-11e5-bea8-021988c520a1/?clickid=9023100005531544085-201802-3", "Used as Apple IP's : 160.153.62.66 | 162.255.119.21 | 192.64.119.254", "Trojan:Win32/Msposer.I: FileHash-SHA1 410efb8108fdf5db106e1f6a3d7608355621562d", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6", "Hostname www.govsuppliers1920.aot.com.au | www.curuzu.gov.ar", "leaplegalsoftwaremerch.brandedproducts.com.au", "https://pegasusm2.bullsbikesusa.com", "Yara Detections is__elf , LZMA", "https://otx.alienvault.com/indicator/file/2bf47000e3fd57a0a66f114378e27bc7119657ae0e9f692cfb6add41fdd25d43", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "https://otx.alienvault.com/indicator/file/6aad634cd39d45d3e03c9cd3791b82efc66da624902ac8d9a6dd109c16701694", "checkip.dyndns.org [command and control]", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "track.adminresourceupdate.com \u2022 postracking100.online", "Package Manager: Maven Project URL: https://developer.android.com/jetpack/androidx/releases/activity#1.6.0-alpha01", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models", "Win.Malware.Agent-6386296-0 FileHash-MD5: e02dbf5d1576e6c9d7d773a588b9b9ee" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "[Unnamed group]", "Berserk Bear (also known as BROMINE, Crouching Yeti, Dragonfly,", "NSO", "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s" ], "malware_families": [ "Win32:karagany-d\\ [trj]", "Sabey", "Backdoor:linux/mirai.ay!mtb", "Trojan:msil/trojandropper", "Trojandownloader:win32/cutwail", "Heur:trojan.win32.generic", "Trojan.karagany - s0094", "Tulach malware", "Win.trojan.agent-678024", "Sf:agent-dq\\ [trj]", "Win.malware.swisyn-9942393-0", "Win32: evo-gen", "!execryptor_2.x.x", "Tofsee", "Ginzo stealer", "Win32:ransomx-gen\\ [ransom]", "Trojan:win32/zombie.a", "Installer", "Trojan:win32/dorkbot.du", "Win.packed.pincav-7537597-0", "Win32:vbmod\\ [trj]", "Win32:malware-gen", "Trojan.bayrob!gen9", "Sakula rat", "Trojan.scar", "#lowfi:trojan:js/auto59", "Trojan:win32/smokeloader", "A variant of win32/bayrob.bl", "Win.malware.agent-6386296-0", "Trojan/win32.nivdort.c1321145", "Trojan:win32/danabot", "Elf:mirai-gh\\ [trj]", "Crypt3.blxp", "Trojan:win32/trickler", "Etpro", "Et", "Trojan:win64/coinminer.we", "Md5 hash: f8add7e7161460ea2b1970cf4ca535bf", "Cve-2002-0013", "Other:malware-gen", "Alf:heraklezeval:trojan:msil/trojandropper", "Win.trojan.cosmu-1058", "Cobalt strike", "Trojanspy", "Mal/bayrob-c ,", "Win.trojan.xtoober-650", "Taiwan", "Zingostealer", "Trojan:win32/startpage.ss", "Pws:win32/zbot!ci", "Nids", "Malware family: stealthworker / gobrut", "Win.packer.crypter-6539596-1", "Win32:genmalicious-kag\\ [trj]", "Ransom:win32/stopcrypt.ak!mtb", "Zeppelin", "Dos:win32/rask", "Trojandownloader:win32/upatre!rfn", "Trojan:win32/msposer.i", "Ransom:win32/gandcrab.e", "Ransom:win32/gandcrab.ae", "Win.trojan.5229994-1", "Mirai", "Alf:jasyp:trojandownloader:win32/karagany!atmn", "Downloader24.56470", "Unix.trojan.tsunami-6981155-0", "Dridex", "Alf:trojanspy:win32/keylogger", "Tel:html/malvertwindowresize", ", win.trojan.agent-1286703", "Win.trojan.tofsee-9770082-1", "Vbs/startpage.b", "Win32:dropperx-gen\\ [drp]", "Trojan" ], "industries": [ "Civil society", "Legal", "Finance - insurance sector", "Civilian society", "Finance", "Healthcare", "Technology", "Telecommunications" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 36, "pulses": [ { "id": "69b9380613f88eec31f8a2e6", "name": "What an odd registrant name. Who teaches here.. hmm", "description": ": Cambridge\nAdministrative country: United States\nAdministrative email: 775cc83f56a3b4e7s@mit.edu\nAdministrative state: MA\nBilling city: Cambridge\nBilling country: United States\nBilling email: 3c3d334158ebfea1s@mit.edu\nBilling state: MA\nCreate date: 1985-05-23 00:00:00\nDomain name: mit.edu\nDomain registrar id: 0.0\nDomain registrar url: whois.educause.edu\nExpiry date: 2026-07-31 00:00:00\nQuery time: 2026-01-15 06:12:15\nRegistrant address: 30df1aef753261ef\nRegistrant city: 85ce83927452d906\nRegistrant country: United States\nRegistrant name: c0a6a961a5aefb99\nRegistrant state: 36e414cc8874c746\nRegistrant zip: 077f5ed532d03f34\nTechnical city: Cambridge\nTechnical country: United States\nTechnical email: 3c3d334158ebfea1s@mit.edu\nTechnical state: MA\nUpdate date: 2026-01-15 00:00:00", "modified": "2026-04-16T12:28:09.524000", "created": "2026-03-17T11:16:22.723000", "tags": [ "united", "ma billing", "billing email", "billing state", "ma create", "domain", "expiry date", "registrant name", "technical email", "technical state" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 856, "email": 38, "hostname": 895, "FileHash-SHA1": 156, "FileHash-MD5": 157, "FileHash-SHA256": 1788, "URL": 489, "SSLCertFingerprint": 4 }, "indicator_count": 4383, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-13T23:46:20.071000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 107, "CIDR": 6 }, "indicator_count": 33117, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cf28b12d7a596c87296dee", "name": "Free SAS US Based", "description": "All images are copyrighted. \u00c2\u00a9\u00a9 Getty Images, AP, EPA, Reuters, GettyImages, AFP and Reuters / Getty images, except for those who have not had access to them.", "modified": "2026-04-04T09:58:27.635000", "created": "2026-04-03T02:40:49.638000", "tags": [ "passive dns", "address", "creation date", "dnssec", "expiration date", "date", "present nov", "content type", "pulse pulses", "urls", "body", "m3u playlist", "playlist text", "unicode text", "utf8 text", "crlf line", "crlf", "lf line", "united", "billing email", "create date", "domain", "expiry date", "registrant name", "technical email", "update date", "code", "email", "server", "admin country", "registry domain", "registrar iana", "admin city", "country", "ripe ncc", "ripe network", "as12876 city", "abuse contact", "orgid", "orgtechhandle", "contact", "postalcode", "paris", "algorithm", "key identifier", "x509v3 subject", "number", "issuer", "cnsectigo rsa", "secure server", "ca cgb", "subject public", "key info", "cgb stgreater", "ocomodo ca", "rsa domain", "server ca", "validity", "public key", "info", "key algorithm", "city", "proxad", "ville leveque", "proxad inetnum", "scaleway", "registry", "service", "as12876", "proxad ip", "technical sites", "as12876 network", "cleantalk 1", "database sites", "referenced", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "registrar" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 26, "domain": 103, "email": 7, "hostname": 30, "FileHash-MD5": 7, "FileHash-SHA1": 8, "FileHash-SHA256": 39, "CIDR": 2 }, "indicator_count": 227, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cf28b065619c26e8aa9e13", "name": "Free SAS US Based", "description": "All images are copyrighted. \u00c2\u00a9\u00a9 Getty Images, AP, EPA, Reuters, GettyImages, AFP and Reuters / Getty images, except for those who have not had access to them.", "modified": "2026-04-04T09:58:26.925000", "created": "2026-04-03T02:40:48.466000", "tags": [ "passive dns", "address", "creation date", "dnssec", "expiration date", "date", "present nov", "content type", "pulse pulses", "urls", "body", "m3u playlist", "playlist text", "unicode text", "utf8 text", "crlf line", "crlf", "lf line", "united", "billing email", "create date", "domain", "expiry date", "registrant name", "technical email", "update date", "code", "email", "server", "admin country", "registry domain", "registrar iana", "admin city", "country", "ripe ncc", "ripe network", "as12876 city", "abuse contact", "orgid", "orgtechhandle", "contact", "postalcode", "paris", "algorithm", "key identifier", "x509v3 subject", "number", "issuer", "cnsectigo rsa", "secure server", "ca cgb", "subject public", "key info", "cgb stgreater", "ocomodo ca", "rsa domain", "server ca", "validity", "public key", "info", "key algorithm", "city", "proxad", "ville leveque", "proxad inetnum", "scaleway", "registry", "service", "as12876", "proxad ip", "technical sites", "as12876 network", "cleantalk 1", "database sites", "referenced", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "registrar" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 27, "domain": 103, "email": 7, "hostname": 32, "FileHash-MD5": 7, "FileHash-SHA1": 8, "FileHash-SHA256": 40, "CIDR": 2 }, "indicator_count": 231, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a8b5fe3394293df8d730ab", "name": "Great Service (intent to help reduce malware)", "description": "A malicious file has been found on the website of Deleteme.com, a website set up by a US-based company and run by the former president of the United States, Barack Obama.", "modified": "2026-04-03T23:13:53.390000", "created": "2026-03-04T22:45:18.393000", "tags": [ "united", "as13335", "unknown", "aaaa", "as14061", "as8075", "asnone country", "date", "cname", "united kingdom", "title", "body", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 104, "FileHash-SHA1": 2, "domain": 166, "hostname": 53, "FileHash-SHA256": 18, "email": 2 }, "indicator_count": 345, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a3be40a71473ad1e1ca24b", "name": "fastly.com", "description": "Indicators of conpromise for this domain", "modified": "2026-04-01T00:44:45.494000", "created": "2026-03-01T04:19:12.339000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 266, "CIDR": 2, "FileHash-MD5": 581, "FileHash-SHA1": 597, "FileHash-SHA256": 3442, "email": 14, "hostname": 224, "URL": 307, "CVE": 2 }, "indicator_count": 5435, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69458259401a612102d02679", "name": "NSO Group ( original pulse degraded by a delete service) ", "description": "", "modified": "2025-12-19T16:50:33.337000", "created": "2025-12-19T16:50:33.337000", "tags": [ "iocs", "urls https", "generic malware", "analyzer threat", "url summary", "ip summary", "summary", "detection list", "luca stealer", "cisco umbrella", "site", "safe site", "heur", "malicious url", "alexa top", "malicious site", "malware site", "unsafe", "trojanx", "malware", "metastealer", "alexa", "dbatloader", "outbreak", "downloader", "blocker", "ransom", "autoit", "trojan", "irata", "allakore", "trojanspy", "hash", "ms windows", "pe32", "write c", "t1045", "show", "high", "search", "pe32 executable", "copy", "write", "win64", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "entries", "powershell", "mfc mfc", "united", "as54113", "as14061", "as9009 m247", "whitelisted", "status", "united kingdom", "name servers", "aaaa", "passive dns", "urls", "overview ip", "address", "related nids", "files location", "files domain", "files related", "pulses otx", "pulses", "as15133 verizon", "cname", "as16552 tiggee", "as20940", "domain", "as16625 akamai", "creation date", "body", "unknown", "ipv4", "softcnapp", "trojandropper", "epaeedpaer", "eoaee", "qaexedoae", "showing", "sha256", "strings", "august", "files", "main", "germany asn", "win32", "miner", "next", "asnone united", "moved", "as8987 amazon", "trojanproxy", "virtool", "yara rule", "formbook cnc", "checkin", "mtb aug", "a domains", "present sep", "twitter", "accept", "certificate", "record value", "dynamicloader", "medium", "dynamic", "network", "reads", "port", "anomaly", "overview domain", "tags", "related tags", "dns status", "hostname query", "type address", "first seen", "seen asn", "country unknown", "nxdomain", "a nxdomain", "as16276", "spain unknown", "meta name", "frame src", "ok set", "cookie", "gmt date", "encrypt", "hostname", "files ip", "address domain", "france", "emails", "aaaa fd00", "as16276 ovh", "poland", "contacted", "wine emulator", "ip address", "script urls", "date", "meta", "flag united", "url http", "pulse http", "http", "as8075", "robots content", "x ua", "ieedge chrome1", "incapsula", "servers", "expiration date", "sorry something", "gmt content", "canada unknown", "error", "backend", "france unknown", "alfper", "gmt contenttype", "apache", "exploit", "as15169 google", "wireless", "as23027 boingo", "pulse submit", "url analysis", "location united", "nso group", "pegasus spyware", "url indicator", "active created", "modified", "email", "nso", "germany", "pattern", "susp", "msil", "akamai", "gmt connection", "netherlands", "ovhfr", "ns nxdomain", "australia", "redacted for", "andariel group", "defense", "andariel", "check", "opera ua", "et trojan", "attempts", "april", "zbot", "possible zeus", "as140107 citis", "america asn", "as22612", "as397240", "as19527 google", "apple" ], "references": [ "https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "Andariel group \u00bb State-sponsored threat actor & Defense media", "IDS Detections: Possible Zbot Activity Common Download Struct Zbot Generic URI/Header Struct .bin", "Alerts: nids_malware_alert network_icmp dumped_buffer2 allocates_execute_remote_process", "Alerts: persistence_autorun creates_user_folder_exe injection_createremotethread", "Alerts: injection_modifies_memory injection_write_memory modifies_proxy_wpad packer_polymorphic self_delete_bat banker_zeus_p2p", "PWS:Win32/Zbot!CI: FileHash-SHA256 edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef", "Domains Contacted: crl.microsoft.com blackmarket.ogspy.net", "FileHash-SHA256 e5c584fdb2a3684a52edb41836436bb3d88221ffd3eb252516e1ca6dc879f8f9", "TrojanDownloader:Win32/Cutwail: IDS Detections: W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA Possible Zeus GameOver Connectivity Check 2", "NSO Group auto populated/relevant to research results. For several year we've seen evidence of Pegasus attacks on Americans.", "Apple:appleremotesupport.com | appleid.cdn-appme.com | appleid.cdn-aqple.com | www.ns1.bdn-apple.com", "Used as Apple IP's : 160.153.62.66 | 162.255.119.21 | 192.64.119.254", "Apple: ns2.usm87.siteground.biz | ns2.usm87.siteground.biz | Hostnme www.appleremotesupport.com" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Sweden", "Germany", "India", "United Kingdom of Great Britain and Northern Ireland", "France", "Spain", "Canada", "Singapore", "Japan", "Korea, Republic of", "Ireland", "Italy" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Trojan:Win64/CoinMiner.WE", "display_name": "Trojan:Win64/CoinMiner.WE", "target": "/malware/Trojan:Win64/CoinMiner.WE" }, { "id": "Trojan:Win32/SmokeLoader", "display_name": "Trojan:Win32/SmokeLoader", "target": "/malware/Trojan:Win32/SmokeLoader" }, { "id": "PWS:Win32/Zbot!CI", "display_name": "PWS:Win32/Zbot!CI", "target": "/malware/PWS:Win32/Zbot!CI" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1138", "name": "Application Shimming", "display_name": "T1138 - Application Shimming" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" } ], "industries": [], "TLP": "green", "cloned_from": "66f55cdc8257c7fa223ed052", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2852, "FileHash-SHA1": 2194, "FileHash-SHA256": 6649, "domain": 1881, "hostname": 1706, "URL": 553, "CVE": 3, "email": 25 }, "indicator_count": 15863, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "121 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f55cdc8257c7fa223ed052", "name": "NSO Group attacks Uptown Denver Neighborhood", "description": "Stems from 'hushed' cyber attack that lasted for several days in surrounding neighborhoods near (MSU) Metro State University. Pegasus spyware detected. The attack affected devices, bypassed credentials , passwords and compromised networks. Remedy: reset network multiple times. \n\nI'm not implying attack disseminates from MSU. \nSpectrum.com and Quantum Fiber Cyber Folks .PL related / MSU\nSoftware used \n\n\n\n \n*Cyber Folks .pl *https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "modified": "2024-10-26T12:05:43.885000", "created": "2024-09-26T13:08:44.341000", "tags": [ "iocs", "urls https", "generic malware", "analyzer threat", "url summary", "ip summary", "summary", "detection list", "luca stealer", "cisco umbrella", "site", "safe site", "heur", "malicious url", "alexa top", "malicious site", "malware site", "unsafe", "trojanx", "malware", "metastealer", "alexa", "dbatloader", "outbreak", "downloader", "blocker", "ransom", "autoit", "trojan", "irata", "allakore", "trojanspy", "hash", "ms windows", "pe32", "write c", "t1045", "show", "high", "search", "pe32 executable", "copy", "write", "win64", "scan endpoints", "all scoreblue", "filehash", "av detections", "ids detections", "yara detections", "alerts", "entries", "powershell", "mfc mfc", "united", "as54113", "as14061", "as9009 m247", "whitelisted", "status", "united kingdom", "name servers", "aaaa", "passive dns", "urls", "overview ip", "address", "related nids", "files location", "files domain", "files related", "pulses otx", "pulses", "as15133 verizon", "cname", "as16552 tiggee", "as20940", "domain", "as16625 akamai", "creation date", "body", "unknown", "ipv4", "softcnapp", "trojandropper", "epaeedpaer", "eoaee", "qaexedoae", "showing", "sha256", "strings", "august", "files", "main", "germany asn", "win32", "miner", "next", "asnone united", "moved", "as8987 amazon", "trojanproxy", "virtool", "yara rule", "formbook cnc", "checkin", "mtb aug", "a domains", "present sep", "twitter", "accept", "certificate", "record value", "dynamicloader", "medium", "dynamic", "network", "reads", "port", "anomaly", "overview domain", "tags", "related tags", "dns status", "hostname query", "type address", "first seen", "seen asn", "country unknown", "nxdomain", "a nxdomain", "as16276", "spain unknown", "meta name", "frame src", "ok set", "cookie", "gmt date", "encrypt", "hostname", "files ip", "address domain", "france", "emails", "aaaa fd00", "as16276 ovh", "poland", "contacted", "wine emulator", "ip address", "script urls", "date", "meta", "flag united", "url http", "pulse http", "http", "as8075", "robots content", "x ua", "ieedge chrome1", "incapsula", "servers", "expiration date", "sorry something", "gmt content", "canada unknown", "error", "backend", "france unknown", "alfper", "gmt contenttype", "apache", "exploit", "as15169 google", "wireless", "as23027 boingo", "pulse submit", "url analysis", "location united", "nso group", "pegasus spyware", "url indicator", "active created", "modified", "email", "nso", "germany", "pattern", "susp", "msil", "akamai", "gmt connection", "netherlands", "ovhfr", "ns nxdomain", "australia", "redacted for", "andariel group", "defense", "andariel", "check", "opera ua", "et trojan", "attempts", "april", "zbot", "possible zeus", "as140107 citis", "america asn", "as22612", "as397240", "as19527 google", "apple" ], "references": [ "https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "Andariel group \u00bb State-sponsored threat actor & Defense media", "IDS Detections: Possible Zbot Activity Common Download Struct Zbot Generic URI/Header Struct .bin", "Alerts: nids_malware_alert network_icmp dumped_buffer2 allocates_execute_remote_process", "Alerts: persistence_autorun creates_user_folder_exe injection_createremotethread", "Alerts: injection_modifies_memory injection_write_memory modifies_proxy_wpad packer_polymorphic self_delete_bat banker_zeus_p2p", "PWS:Win32/Zbot!CI: FileHash-SHA256 edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef", "Domains Contacted: crl.microsoft.com blackmarket.ogspy.net", "FileHash-SHA256 e5c584fdb2a3684a52edb41836436bb3d88221ffd3eb252516e1ca6dc879f8f9", "TrojanDownloader:Win32/Cutwail: IDS Detections: W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA Possible Zeus GameOver Connectivity Check 2", "NSO Group auto populated/relevant to research results. For several year we've seen evidence of Pegasus attacks on Americans.", "Apple:appleremotesupport.com | appleid.cdn-appme.com | appleid.cdn-aqple.com | www.ns1.bdn-apple.com", "Used as Apple IP's : 160.153.62.66 | 162.255.119.21 | 192.64.119.254", "Apple: ns2.usm87.siteground.biz | ns2.usm87.siteground.biz | Hostnme www.appleremotesupport.com" ], "public": 1, "adversary": "NSO", "targeted_countries": [ "United States of America", "Sweden", "Germany", "India", "United Kingdom of Great Britain and Northern Ireland", "France", "Spain", "Canada", "Singapore", "Japan", "Korea, Republic of", "Ireland", "Italy" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Trojan:Win64/CoinMiner.WE", "display_name": "Trojan:Win64/CoinMiner.WE", "target": "/malware/Trojan:Win64/CoinMiner.WE" }, { "id": "Trojan:Win32/SmokeLoader", "display_name": "Trojan:Win32/SmokeLoader", "target": "/malware/Trojan:Win32/SmokeLoader" }, { "id": "PWS:Win32/Zbot!CI", "display_name": "PWS:Win32/Zbot!CI", "target": "/malware/PWS:Win32/Zbot!CI" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1017", "name": "Application Deployment Software", "display_name": "T1017 - Application Deployment Software" }, { "id": "T1138", "name": "Application Shimming", "display_name": "T1138 - Application Shimming" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2852, "FileHash-SHA1": 2194, "FileHash-SHA256": 6649, "domain": 1881, "hostname": 1706, "URL": 553, "CVE": 3, "email": 25 }, "indicator_count": 15863, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "540 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e01e7b6a0bc2abe0d6c0d1", "name": "Cloudflare Botnet- https://otx.alienvault.com/pulse/66e01dc0fd31b731b2d5dac7", "description": "", "modified": "2024-10-10T10:03:15.339000", "created": "2024-09-10T10:24:59.035000", "tags": [ "ip block", "list", "historical ssl", "iocs", "apt ip", "address list", "nukespeed", "bot networks", "listen", "tracker", "powershell", "http response", "final url", "ip address", "status code", "kb body", "sha256", "gmt server", "united", "passive dns", "as54113", "arial", "dynamic link", "msg div", "all scoreblue", "south korea", "china as4134", "china as4837", "as4766 korea", "as9318 sk", "taiwan as3462", "high", "nids", "tcp syn", "resolverror", "malware", "next", "certificate", "encrypt", "title invalid", "a domains", "files", "ip related", "pulses otx", "as21928", "china as9394", "asnone", "as701 verizon", "china asnone", "port", "destination", "south africa", "tunisia as37693", "nigeria asnone", "tunisia asnone", "kenya as36926", "egypt as36992", "as14061", "aaaa", "moved", "search", "body", "114.114.114.114", "tulach", "telnet", "firebase app", "telnet login", "bad login", "gpl telnet", "telnet root", "hisilicon dvr", "hong kong", "activity", "copy", "suspicious path", "fbotsatori", "yara detections", "contacted", "cname", "urls", "creation date", "otx telemetry", "record value", "date", "unknown", "as51468", "denmark unknown", "scan endpoints", "pulse pulses", "dcbg", "status", "hostname", "taiwan", "as3462", "showing", "as17421", "entries", "win32", "busybox" ], "references": [ "Cloudflare | 1.1.1.1 -WarpPlus/****", "smlpp.monster", "IDS Detections: Fbot/Satori CnC Checkin SUSPICIOUS Path to BusyBox Bad Login root logbusyboxin", "Alerts: dead_host nids_malware_alert network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections is__elf , LZMA", "Tulach- 114.114.114.114" ], "public": 1, "adversary": "", "targeted_countries": [ "India", "Korea, Republic of", "Japan", "Hong Kong", "Philippines", "Taiwan", "Indonesia", "Australia", "France", "South Africa", "United States of America", "Italy" ], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": "66e01dc0fd31b731b2d5dac7", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 144, "FileHash-SHA256": 863, "domain": 640, "hostname": 740, "URL": 1117, "email": 3, "CVE": 1 }, "indicator_count": 3652, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "556 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e01dc0fd31b731b2d5dac7", "name": "Cloudflade Botnet \u00bb | 1.1.1.1 | Warp.Plus? | smlpp.monster | Mirai", "description": "This issue may only affect those already in Botnet/s. DoS.Bad login requests .dead host, CnC,\nELF:Mirai-GH\\ [Trj] ,\nMirai ,\nNIDS m\nTrojan:Win32/Danabot", "modified": "2024-10-10T10:03:15.339000", "created": "2024-09-10T10:21:52.428000", "tags": [ "ip block", "list", "historical ssl", "iocs", "apt ip", "address list", "nukespeed", "bot networks", "listen", "tracker", "powershell", "http response", "final url", "ip address", "status code", "kb body", "sha256", "gmt server", "united", "passive dns", "as54113", "arial", "dynamic link", "msg div", "all scoreblue", "south korea", "china as4134", "china as4837", "as4766 korea", "as9318 sk", "taiwan as3462", "high", "nids", "tcp syn", "resolverror", "malware", "next", "certificate", "encrypt", "title invalid", "a domains", "files", "ip related", "pulses otx", "as21928", "china as9394", "asnone", "as701 verizon", "china asnone", "port", "destination", "south africa", "tunisia as37693", "nigeria asnone", "tunisia asnone", "kenya as36926", "egypt as36992", "as14061", "aaaa", "moved", "search", "body", "114.114.114.114", "tulach", "telnet", "firebase app", "telnet login", "bad login", "gpl telnet", "telnet root", "hisilicon dvr", "hong kong", "activity", "copy", "suspicious path", "fbotsatori", "yara detections", "contacted", "cname", "urls", "creation date", "otx telemetry", "record value", "date", "unknown", "as51468", "denmark unknown", "scan endpoints", "pulse pulses", "dcbg", "status", "hostname", "taiwan", "as3462", "showing", "as17421", "entries", "win32", "busybox" ], "references": [ "Cloudflare | 1.1.1.1 -WarpPlus/****", "smlpp.monster", "IDS Detections: Fbot/Satori CnC Checkin SUSPICIOUS Path to BusyBox Bad Login root logbusyboxin", "Alerts: dead_host nids_malware_alert network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections is__elf , LZMA", "Tulach- 114.114.114.114" ], "public": 1, "adversary": "", "targeted_countries": [ "India", "Korea, Republic of", "Japan", "Hong Kong", "Philippines", "Taiwan", "Indonesia", "Australia", "France", "South Africa", "United States of America", "Italy" ], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 144, "FileHash-SHA256": 863, "domain": 640, "hostname": 740, "URL": 1117, "email": 3, "CVE": 1 }, "indicator_count": 3652, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "556 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "namequery.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "namequery.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776660848.1648839 }