{ "type": "Domain", "indicator": "o.map", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/o.map", "alexa": "http://www.alexa.com/siteinfo/o.map", "indicator": "o.map", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 1205800244, "indicator": "o.map", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 37, "pulses": [ { "id": "69a9cd444aa144401d0c4988", "name": "Pools Open", "description": "", "modified": "2026-04-15T19:21:28.851000", "created": "2026-03-05T18:36:52.014000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23428, "hostname": 9592, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47103, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c1bd40f81db45dc044697c", "name": "Masterkey Clone By CallmeDoris", "description": "", "modified": "2026-03-23T22:22:56.940000", "created": "2026-03-23T22:22:56.940000", "tags": [ "dropped file", "chromeua", "runtime data", "drmedgeua", "edgeua", "generator", "win64", "null", "template", "unknown", "critical", "addressbar", "desktop", "dark", "light", "iframe", "cookie", "meta", "body", "legend", "dwis", "core", "tear", "malicious", "mozilla", "strings", "qakbot", "://masterkey.com.ua/download/MKClientSetup.exe" ], "references": [ "https://hybrid-analysis.com/sample/41859e0b198fbe88772ef12c577023c0481ec19867e410bab335e67fea87c1bb/642ca80cde2048242a0e097d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": "642db7b656049e54b2f71c20", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 949, "URL": 5642, "CVE": 2, "domain": 509, "FileHash-SHA256": 293, "FileHash-MD5": 550, "FileHash-SHA1": 60, "email": 5 }, "indicator_count": 8010, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "26 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa57698ac0f6638b7b9a8ba", "name": "Pool's Closed", "description": "Two paupers from the meadow spring forth an upheaval of nasty sites on the world wide web.", "modified": "2025-12-27T05:02:34.910000", "created": "2020-11-06T16:15:20.139000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23426, "hostname": 9590, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47099, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "113 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6892e73b32af18aa302df0dc", "name": "Part 1.5", "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]", "modified": "2025-09-05T04:03:06.929000", "created": "2025-08-06T05:25:15.369000", "tags": [ "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "june", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "impact", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "script", "mitre att", "pattern match", "show technique", "iframe", "refresh", "august", "general", "local", "tools", "demo", "look", "verify", "restart", "url http", "small", "pulses url", "tellyoun", "showing", "entries", "url https", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "cc08", "f06a6b", "sfurl", "filehashsha256", "types", "indicators show", "search", "pulses", "filehashsha1", "adversaries", "found", "webp image", "ascii text", "riff", "size", "encrypt", "legacy", "filehashmd5", "united", "flag", "server", "markmonitor", "name server", "llc name", "overview dns", "requests domain", "country", "win32", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "detections", "malware", "copy", "show", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "extraction", "data upload", "enter sc", "type", "extra data", "please", "failed", "review", "exclude data", "included review", "ic data", "suggeste", "stop", "type onow", "domain", "passive dns", "urls", "files related", "pulses none", "related tags", "none google", "safe browsing", "sc data", "extr amanuav", "review included", "manualy", "sugges excluded", "filehash", "md5 add", "pulse pulses", "url add", "http", "hostname", "files domain", "pulses otx", "virustotal", "hsmi192547107", "pulses hostname", "r dec", "customer dec", "iski dec", "decision dec", "va dec", "bitcoin", "bitcoin dec", "petra", "torstatus dec", "paul dec", "sodesc", "planet dec", "emilia", "heroin dec", "difference dec", "palantir dec", "loraxlive dec", "chaturbate dec", "sandra", "free dec", "marvel dec", "benjis dec", "fresh dec", "sodesc dec", "srdirport", "srhostname", "link dec", "types of", "italy", "china", "australia", "france", "turkey", "discovery", "information", "ck ids", "t1005", "local system", "t1007", "system service", "part", "track", "locate", "political", "civil society", "news", "created", "hours ago", "report spam", "t1555", "password", "t1560", "collected data", "t1573", "channel", "t1574", "execution flow", "scan", "iocs", "t1497", "u0lhmq", "mtawmq", "t1480", "guardrails", "t1486", "data encrypted", "learn more", "unsubscribe aug", "protocol", "t1074", "staged", "t1083", "t1102", "web service", "t1105", "tool transfer", "t1140", "data engineer", "candidate", "tlsv1", "odigicert inc", "stcalifornia", "lsan jose", "oadobe systems", "incorporated", "cndigicert sha2", "push", "next", "high", "write c", "ireland as16509", "delete", "dirty", "tags", "t1012", "flow endpoint", "security scan", "t1106", "copyright", "levelblue" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 433, "FileHash-SHA256": 3663, "URL": 17104, "domain": 1316, "email": 39, "hostname": 4208, "SSLCertFingerprint": 17 }, "indicator_count": 27388, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6892a73593f73dfc969779b0", "name": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns", "description": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns\n*[ddddd.msg]\n[http://tracking.eu1.glintinc.com]\n[stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd]\n[stackstorm.ops.dev.az.glintinc.com]\n\u2022 http://stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd.onion/peter-thiel-running-database-to-root-out-those-disloyal-to-the-leader/\\n \u2022\n[http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/360]\n[http://pixelrz.com/lists/keywords/tsara-brashears-dead/360]", "modified": "2025-09-05T00:03:23.223000", "created": "2025-08-06T00:52:05.051000", "tags": [ "url http", "small", "indicator role", "title added", "active related", "pulses hostname", "tellyoun", "n aug", "entries", "data upload", "extraction", "windows error", "june", "fwd urgent", "justice czech", "copy sha256", "rejectedfailed", "timestamp input", "message status", "actions august", "file", "actions june", "actions may", "cta4 https", "context related", "associated urls", "campaigncodedsc", "language", "uid http", "community", "sha256", "size42b type", "submitted", "august", "april", "internal error", "previous1", "iframe", "community score", "scan analysis", "malicious", "intelligence", "learn", "falcon sandbox", "submissions", "status", "adversaries", "ck id", "name tactics", "suspicious", "informative", "defense evasion", "windows folder", "found", "dlls", "impact", "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9062, "domain": 707, "hostname": 2318, "FileHash-MD5": 86, "FileHash-SHA1": 26, "FileHash-SHA256": 2096, "email": 5, "FilePath": 2, "URI": 1 }, "indicator_count": 14303, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "663d2869e0f3a42bbddc42ff", "name": "UPX executable packer.", "description": "A new rule has been introduced a \"suspicious\" ELF binary that is packed with the UPX executable packer.\nSuggested ATT&CK IDs: rule SUSP_ELF_LNX_UPX_Compressed_File { meta: description = \"Detects a suspicious ELF binary with UPX compression\" author = \"Florian Roth (Nextron Systems)\" reference = \"Internal Research\" date = \"2018-12-12\" score = 40 hash1 = \"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4\" id = \"078937de-59b3-538e-a5c3-57f4e6050212\" strings: $s1 = \"PROT_EXEC|PROT_WRITE failed.\" fullword ascii $s2 = \"$Id: UPX\" fullword ascii $s3 = \"$Info: This file is packed with the UPX executable packer\" ascii $fp1 = \"check your UCL installation !\"", "modified": "2024-10-14T00:01:17.069000", "created": "2024-05-09T19:47:53.786000", "tags": [ "cioch adrian", "centrum usug", "sieciowych", "elf binary", "upx compression", "roth", "nextron", "info", "javascript", "html", "office open", "xml document", "network capture", "win32 exe", "xml pakietu", "pdf zestawy", "przechwytywanie", "office", "filehashsha1", "url https", "cve cve20201070", "cve cve20203153", "cve cve20201048", "cve cve20211732", "cve20201048 apr", "filehashmd5", "cve cve20010901", "cve cve20021841", "cve20153202 apr", "cve cve20160728", "cve cve20161807", "cve cve20175123", "cve20185407 apr", "cve cve20054605", "cve cve20060745", "cve cve20070452", "cve cve20070453", "cve cve20070454", "cve cve20071355", "cve cve20071358", "cve cve20071871", "cve20149614 apr", "cve cve20151503", "cve cve20152080", "cve cve20157377", "cve cve20170131", "cve20200796 may", "cve cve20113403" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6861, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5771, "domain": 3139, "URL": 14525, "FileHash-SHA1": 2610, "IPv4": 108, "CIDR": 40, "FileHash-SHA256": 10705, "FileHash-MD5": 3373, "YARA": 2, "CVE": 148, "Mutex": 7, "FilePath": 3, "SSLCertFingerprint": 3, "email": 23, "JA3": 1, "IPv6": 2 }, "indicator_count": 40460, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "552 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66577ac0e1788e544c312e3f", "name": "Backdoor:MSIL/Noancooe.A | Network sniffing Lime bandit", "description": "Backdoor:MSIL/Noancooe.A: Backdoor arrives on a system as a file dropped by other malware or as a file downloaded giving malicious hackers unauthorized access and control of your PC.", "modified": "2024-06-28T18:00:33.800000", "created": "2024-05-29T18:58:08.465000", "tags": [ "algorithm", "full name", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "date", "code", "first", "server", "privacy notice", "aaaa", "google", "july", "xcitium verdict", "record type", "ttl value", "data", "name verdict", "falcon sandbox", "jpeg image", "jfif standard", "ascii text", "pattern match", "mitre att", "ck id", "show technique", "ck matrix", "united", "et tor", "path", "mask", "hybrid", "generator", "local", "click", "strings", "union", "#metoo", "russell mcveagh", "grope", "moved", "civicaig", "now hiring", "apple", "unknown", "a domains", "passive dns", "urls", "creation date", "status", "search", "expiration date", "hong kong", "as133775 xiamen", "germany unknown", "scan endpoints", "all scoreblue", "body", "next", "hacking", "critical", "jailbreak", "m", "tech", "hit", "men", "sreredrum", "lime", "as24940 hetzner", "cname", "germany", "as16276", "domain", "spain unknown", "as31898 oracle", "as396982 google", "as5617 orange", "poland unknown", "as8881", "as19905", "msil", "kiwis", "sabey data centers", "nemtih", "attack tsara brashears", "t phone", "t mail", "t", "lakewood", "arvada", "jeff reimer dpt", "jeffrey scott", "lakeside", "grey st", "capture", "aquire", "aig", "sammie", "smith", "johnson", "xfinity", "whisper", "sky", "cybercrime", "true", "cyprus", "attack path", "pattern match" ], "references": [ "www.russellmcveagh.com - Law Firm (front?) Document Moved", "Russell McVeagh - New Zealand's leading commercial law firm, known as the go-to team for tackling complex legal problems.", "www.auth.civicalg.com.sni.cloudflaressl.com | civicalg.com", "It's all the same | AIG, Michael Roberts Rexxfield 'bounty hunter' Brian Sabey HallRender (?)", "This area is swarming with PI's (his , hers and theirs)", "Hired hackers to jailbreak and locate devices. Brute forces, business and personal devices, network attacked.", "Crime scene unit vans from different county.", "Front Range security guard w/unsolicited account of on premise hacker causeing outage. Why would he be 'in the know, or giving information?", "sonar.lg-nonprod.civicalg.com (dangerous) peneservice71.auth.civicalg.com, install.civicalg.com", "#MeToo - A former Russell McVeagh partner found guilty of \"disgraceful\" sexual misconduct at the heart of New Zealand's #MeToo movement.", "http://droid--apk-ru.webpkgcache.com/", "http://e.name/?C.push.apply | https://application.t.email/backscreen", "appleread.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor:MSIL/Noancooe.A", "display_name": "Backdoor:MSIL/Noancooe.A", "target": "/malware/Backdoor:MSIL/Noancooe.A" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 695, "URL": 1111, "FileHash-MD5": 7, "FileHash-SHA1": 17, "FileHash-SHA256": 230, "domain": 643, "email": 9, "SSLCertFingerprint": 6 }, "indicator_count": 2718, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "659 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6590412931fa8523e305795e", "name": "System Owner/User Discovery | Automobile CnC | HyunDAITX.COM", "description": "", "modified": "2024-01-29T15:00:34.177000", "created": "2023-12-30T16:11:21.071000", "tags": [ "remote cnc", "no expiration", "filehashsha256", "domain", "filehashsha1", "filehashmd5", "expiration", "iocs", "hostname", "ipv4", "scan endpoints", "next", "url http", "url https", "apple", "appleid", "icloud", "tsara brashears", "all octoseek", "create new", "pulse use", "pdf report", "debugger evasion", "evasive", "who's driving", "yaaa", "xobo", "writes data to a remote process", "widget", "win64", "waaa", "vt report", "ttl value", "uaaa", "united", "unknown", "urls url", "stealthyness", "critical", "accept", "address", "admin country", "baaa", "anti-detection", "as11042", "network ascii text", "network", "back", "black", "body length", "attack", "boolean", "silly", "bundled", "caaa", "caca", "caca4baaa", "cacf", "caea", "click", "close", "cobalt strike", "checkbox", "ck id", "ck matrix", "contacted", "copy", "creation date", "code", "comcast tmobile", "communicating", "contact", "historical ssl", "csc corporate", "date", "desktop", "dns replication", "domain related", "domains dropped", "elf wgetboat", "error", "execution", "factory", "false", "files", "final", "url", "first", "general", "getprocaddress", "green", "group", "headers", "hr rtd", "http response", "hybrid", "iana id", "id", "apple id", "import", "infor", "installation", "january", "kb body", "loader", "localappdata", "love", "major", "malicious", "metro", "mitre att", "model", "netlify", "netlify edge", "next", "trim", "null", "threat roundup", "tech email", "subdomains", "status code", "ssl certificate", "show technique span", "sha256", "serving ip", "open", "server", "override", "path", "pattern match", "payment", "pe resource", "persistence", "phonenumber", "record type", "referrer", "registrar abuse", "rust", "search" ], "references": [ "HyunDAITX.COM | Remote CnC of vehicle systems, connected devices. Critical", "https://www.virustotal.com/gui/domain/hyundaitx.com/summary", "https://hybrid-analysis.com/sample/235ae35db42acacf6bb9dbab1ca6392f67a60680275ec03f86866b7867db651f/65901471e396520cb3032621", "command_and_control 195.208.1.128 | 206.46.232.39", "drvtrd-widget.netlify.app/drivably-widget.js | drvtrd-widget.netlify.app/drivably.js | http://drvtrd-widget.netlify.app/drivably-widget.js", "https://www.virustotal.com/gui/url/87327571bc18df63df91ba61da25389eb32563074ccd640e2b15b2d38cf5b968/summary", "https://hybrid-analysis.com/sample/235ae35db42acacf6bb9dbab1ca6392f67a60680275ec03f86866b7867db651f/65901471e396520cb3032621", "appleid.com, apple.com, icloud.com", "https://blackbook.drivably.com | blackboxpedals.com", "car hacking | phone hacking | remote access & system control of entire system", "http://watchhers.net/index.php - remote attacks", "https://www.virustotal.com/gui/url/105e81bb8b366deb8e6b8849a7c61ebcff181fbc2e48347f5476d9e42b361b37/community", "pornhub.com - contextualizing, malvertizing, tagging, apple password crack", "https://www.virustotal.com/gui/url/105e81bb8b366deb8e6b8849a7c61ebcff181fbc2e48347f5476d9e42b361b37/community", "simple investigation shows Brashears historical family vehicles listed.", "elonmuskisafailure.com - tracker (yt3.ggpht.com tracker)", "www.youtube.com/watch?v=GyuMozsVyYs -tracking Tsara Brashears' SongCulture Youtube", "T1622 - Debugger Evasion", "T1218 - System Binary Proxy Execution", "Creates a process in suspended mode (likely for process injection" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1408", "name": "Disguise Root/Jailbreak Indicators", "display_name": "T1408 - Disguise Root/Jailbreak Indicators" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1427", "name": "Attack PC via USB Connection", "display_name": "T1427 - Attack PC via USB Connection" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "TA0030", "name": "Defense Evasion", "display_name": "TA0030 - Defense Evasion" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 177, "FileHash-SHA256": 1078, "URL": 318, "domain": 511, "email": 4, "hostname": 520 }, "indicator_count": 2792, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a161f0681f4ff3d67feb", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-12-06T16:29:21.844000", "created": "2023-12-06T16:29:21.844000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a145926a5676de0e2a1a", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-12-06T16:28:53.979000", "created": "2023-12-06T16:28:53.979000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657099064c0c0aa442282397", "name": "http://www.xiazai99.com/down/soft9106.html", "description": "", "modified": "2023-12-06T15:53:42.077000", "created": "2023-12-06T15:53:42.077000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1040, "domain": 293, "FileHash-MD5": 58, "FileHash-SHA1": 56, "hostname": 809, "URL": 2661, "email": 1 }, "indicator_count": 4918, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708c8a9635f156e79238f1", "name": "intel gained from a spam text", "description": "", "modified": "2023-12-06T15:00:26.727000", "created": "2023-12-06T15:00:26.727000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 823, "domain": 717, "URL": 2245, "hostname": 615, "email": 4, "FileHash-MD5": 5, "FileHash-SHA1": 1 }, "indicator_count": 4411, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707e5b7df6f60133e8fb50", "name": "Jeeng / Powerbox", "description": "", "modified": "2023-12-06T13:59:55.129000", "created": "2023-12-06T13:59:55.129000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-SHA256": 9072, "domain": 2500, "hostname": 3584, "URL": 13548, "FileHash-MD5": 197, "FileHash-SHA1": 162, "email": 19, "CIDR": 20, "SSLCertFingerprint": 2, "BitcoinAddress": 1 }, "indicator_count": 29108, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707b9630308cb99a817277", "name": "Pool's Closed", "description": "", "modified": "2023-12-06T13:48:06.514000", "created": "2023-12-06T13:48:06.514000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64f37719db054ccde25aa9df", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-09-02T17:55:37.269000", "created": "2023-09-02T17:55:37.269000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7851, "URL": 23098, "hostname": 9521, "domain": 4595, "SSLCertFingerprint": 22, "FileHash-MD5": 564, "FileHash-SHA1": 432, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 46120, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "959 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64f3771616d9a9891947e4df", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-09-02T17:55:34.095000", "created": "2023-09-02T17:55:34.095000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7851, "URL": 23098, "hostname": 9521, "domain": 4595, "SSLCertFingerprint": 22, "FileHash-MD5": 564, "FileHash-SHA1": 432, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 46120, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "959 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64766c71a5f740aaa9c915aa", "name": "miniwallet.bundle.js", "description": "confused cause hybrid scsn is clean", "modified": "2023-06-29T21:05:11.335000", "created": "2023-05-30T21:36:49.562000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "memoryfile scan", "ansi", "error", "runtime data", "highlight", "typeof e", "highlighttext", "windir", "graytext", "typeof symbol", "null", "date", "unknown", "path", "suspicious", "roboto", "meta", "4096", "span", "local", "scroll", "backspace", "insert", "this", "april", "hybrid", "model", "close", "click", "general", "strings", "team", "qakbot", "cookie" ], "references": [ "https://hybrid-analysis.com/sample/78a7e765ffd6dff7af3b92b6234271fd0dddf5945f38e70d0e22324c1ec06eca/64414afe0ebb5831a20ce8f0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 25, "domain": 131, "URL": 23, "CVE": 1, "FileHash-MD5": 5, "FileHash-SHA1": 2, "FileHash-SHA256": 5 }, "indicator_count": 192, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "1024 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64766c6ffe0d936205c28197", "name": "miniwallet.bundle.js", "description": "confused cause hybrid scsn is clean", "modified": "2023-06-29T21:05:11.335000", "created": "2023-05-30T21:36:47.160000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "memoryfile scan", "ansi", "error", "runtime data", "highlight", "typeof e", "highlighttext", "windir", "graytext", "typeof symbol", "null", "date", "unknown", "path", "suspicious", "roboto", "meta", "4096", "span", "local", "scroll", "backspace", "insert", "this", "april", "hybrid", "model", "close", "click", "general", "strings", "team", "qakbot", "cookie" ], "references": [ "https://hybrid-analysis.com/sample/78a7e765ffd6dff7af3b92b6234271fd0dddf5945f38e70d0e22324c1ec06eca/64414afe0ebb5831a20ce8f0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 25, "domain": 131, "URL": 23, "CVE": 1, "FileHash-MD5": 5, "FileHash-SHA1": 2, "FileHash-SHA256": 5 }, "indicator_count": 192, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "1024 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "646a95f39e8daebe35e0f804", "name": "WScript.exe PID: 3556, Report UID: 00000000-00003556 - File: shopping_iframe_driver.js", "description": "A full report on Microsoft's Windows operating system, compiled with the help of the Microsoft Office, has been published on the web site, and can now be viewed on Google or other sites, including Facebook.", "modified": "2023-05-21T22:06:43.655000", "created": "2023-05-21T22:06:43.655000", "tags": [ "size", "windows sha256", "sha1", "generator", "void", "ansi", "memoryfile scan", "runtime data", "typeerror", "date", "array", "typeof symbol", "symbol", "error", "null", "format", "windir", "open", "fileexecute", "filereaddata", "open c", "open path", "query path", "hkcuhkcuclsid", "key status", "treatas key", "progid key", "statusreparse", "instrument key", "enus status", "enabled status", "ldrgetdllhandle", "flags", "modulefilename", "modulehandle", "wininet", "iphlpapi", "urlmon", "shell32", "allocationsize", "shareaccess" ], "references": [ "WScript.exe PID: 3556, Report UID: 00000000-00003556 MD5: 979d74799ea6c8b8167869a68df5204a SHA256: 2160ba6829909eeb1d272ac4a5f43588750c0b4743477bf2b46952033b5d4b3b API calls Registry Mutants Handles Modules Files AMSI New! Streams (0) Displaying the first 1000 logged API calls. The remaining 2905 entries are available in the full report, but download of the full report is disabled. Filter by 'Name': Show only failed: Showing 1 to 50 of 323 entries (filtered from 1,000 total entries) Name\tLogged Parame", "Path HKLMHKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER\\ Key Status STATUS_REPARSE (104) Query\t Path HKLMHKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER\\CWDILLEGALINDLLSEARCH Key CWDILLEGALINDLLSEARCH Status STATUS_OBJECT_NAME_NOT_FOUND (c0000034) Open\t Path HKLMHKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SAFEBOOT\\OPTION\\ Key Status STATUS_REPARSE (104) Open\t Path HKLMHKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SAFEBOOT\\OPTION\\ Key Status STATUS_OBJECT_NAME_NOT_FOUND (c0000034) Open\t Path HKLMHKLM\\SYSTEM\\CONTROLSET001\\CON", "CREATE\t\\FileSystem\\Filters\\FltMgrMsg\tFILE_READ_DATA | FILE_WRITE_DATA OPEN\t%WINDIR%\\System32\\rpcss.dll\tFILE_READ_DATA OPEN\t%WINDIR%\\Temp\\VxOle32.dll\tFILE_GENERIC_READ OPEN\t%WINDIR%\\System32\\fltLib.dll\tFILE_READ_DATA | FILE_EXECUTE OPEN\t%WINDIR%\\System32\\api-ms-win-core-synch-l1-2-0.dll\tFILE_READ_DATA | FILE_EXECUTE OPEN\t%WINDIR%\\System32\\API-MS-WIN-CORE-FIBERS-L1-1-1.DLL\tFILE_READ_ATTRIBUTES OPEN\t%WINDIR%\\System32\\API-MS-WIN-CORE-LOCALIZATION-L1-2-1.DLL\tFILE_READ_ATTRIBUTES OPEN\t%WINDIR%\\System32\\cryptsp.dl", "Strings: {void 0===i&&(i=Promise);var a=new E(h(e,r,n,o),i);return t.isGeneratorFunction(r)?a:a.next().then((function(e){return e.done?e.value:a.next()}))},x(C),f(C,s,\"Generator\"),f(C,l,(function(){return this})),f(C,\"toString\",(function(){return\"[object Generator]\"})),t.keys=function(e){var t=Object(e),r=[];for(var n in t)r.push(n);return r.reverse(),function e(){for(;r.length;){var n=r.pop();if(n in t)return e.value=n,e.done=!1,e}return e.done=!0,e}},t.values=T,V.prototype={constructor:V,reset:function(e)", "Filename shopping_iframe_driver.js Size 25KiB (25396 bytes) Type script javascript Description ASCII text, with very long lines, with no line terminators Architecture WINDOWS SHA256 456369ffe3542bb3ab1288484cfb909820a76f35e4d635a8638baf44ac6d3028Copy SHA256 to clipboard MD5 cc536243135fcc90121aa984473c9a0cCopy MD5 to clipboard SHA1 6fd199ce4b5e85ba7b21188f13261c05a5f3e3c0Copy SHA1 to clipboard ssdeep 768:R+y0OL5zD+M6C5ywC5Xpe8JC5HGC5xjQxbxjiUar9E3LvjSrbcT+K:35HnoXpeFHdxjQxFjiUKG3LvjSrbcT+K", "https://www.hybrid-analysis.com/sample/456369ffe3542bb3ab1288484cfb909820a76f35e4d635a8638baf44ac6d3028/645f61989ff2aa158f07edae" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 168, "domain": 18, "hostname": 23, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2 }, "indicator_count": 215, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1063 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "642db7b656049e54b2f71c20", "name": "masterkey.com.ua/download/MKClientSetup.exe - hybrid 100/100", "description": "The entire \"Ad\" eco system is compromised via all main channels , ie google, bing, msn etc utilising many top level domains and brands, its truly the biggest suppky chain attack ever known. So enormously thats its unbelievable and I guess many peeps just cant see it because its simply to overwhelming to consider a reality p plus many perhaps cant digest the advanced use of AI and self repairing neural networks along that are designed to work on standard default configs. its not till you step out of the defaults that you start to see nefariousness", "modified": "2023-05-05T16:00:23.366000", "created": "2023-04-05T18:02:30.403000", "tags": [ "dropped file", "chromeua", "runtime data", "drmedgeua", "edgeua", "generator", "win64", "null", "template", "unknown", "critical", "addressbar", "desktop", "dark", "light", "iframe", "cookie", "meta", "body", "legend", "dwis", "core", "tear", "malicious", "mozilla", "strings", "qakbot", "://masterkey.com.ua/download/MKClientSetup.exe" ], "references": [ "https://hybrid-analysis.com/sample/41859e0b198fbe88772ef12c577023c0481ec19867e410bab335e67fea87c1bb/642ca80cde2048242a0e097d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 949, "URL": 5642, "CVE": 2, "domain": 509, "FileHash-SHA256": 293, "FileHash-MD5": 550, "FileHash-SHA1": 60, "email": 5 }, "indicator_count": 8010, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "1080 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6428649b535c12c6f8d60b0b", "name": "http://www.xiazai99.com/down/soft9106.html", "description": "", "modified": "2023-05-01T15:05:10.466000", "created": "2023-04-01T17:06:35.022000", "tags": [ "chromeua", "ansi", "dropped file", "optout", "runtime data", "object", "drmedgeua", "optin", "edgeua", "unicode", "span", "error", "generator", "void", "path", "null", "entropy", "click", "template", "date", "unknown", "critical", "addressbar", "desktop", "dark", "light", "quicksearch", "this", "suspicious", "window", "legend", "hybrid", "hosts", "next", "main", "refresh", "hello", "voice", "malicious", "strings", "qakbot" ], "references": [ "https://hybrid-analysis.com/sample/45e147babe00d1834af72b2139dbc65043ee50cb09d1d4e470f9bd48ad50c6bf/64283fca3a07828f100b2551" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2661, "hostname": 809, "domain": 293, "FileHash-SHA256": 1040, "email": 1, "FileHash-MD5": 58, "FileHash-SHA1": 56 }, "indicator_count": 4918, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1084 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6426dda295502d82e6e6ef7f", "name": "v4 - Hybrid scan uploaded + all suggested ioc's - vendor.3a0e728a.js another gem in edge on twitter.com/i/flow/login source code", "description": "WebpackChunk_Twitter-responsive_web is built on a single web address, which will allow users to upload images, tweets and videos to be stored in the same place as the hashtag.", "modified": "2023-03-31T13:18:26.733000", "created": "2023-03-31T13:18:26.733000", "tags": [ "trojan", "apt", "ansi", "memoryfile scan", "error", "runtime data", "typeof e", "regexp", "array", "object", "typeof t", "void", "null", "unknown", "path", "facebook", "4096", "suspicious", "meta", "lazy", "entity", "union", "body", "idkey", "scroll", "backspace", "insert", "roboto", "target", "stack", "hybrid", "model", "click", "stream", "strings", "qakbot", "pattern match", "ud801", "ud804", "ud805", "ud806", "ud81a", "ud835", "ud800", "ud802", "sha1", "sha256", "vendor.3a0e728a.js" ], "references": [ "https://hybrid-analysis.com/sample/9bf30967dfbf84d91ff4a1ca66dcd6c3383e679917e8b7aa4f659ff9f4e848d7/6426cf48655f94b6b303704c" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1353, "hostname": 222, "domain": 221, "FileHash-SHA256": 85, "FileHash-MD5": 3, "FileHash-SHA1": 1 }, "indicator_count": 1885, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1115 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6426dd17695f7673d2dcee65", "name": "v3 Hybrid scan uploaded - vendor.3a0e728a.js another gem in edge on twitter.com/i/flow/login source code", "description": "WebpackChunk_Twitter-responsive_web is built on a single web address, which will allow users to upload images, tweets and videos to be stored in the same place as the hashtag.", "modified": "2023-03-31T13:16:07.144000", "created": "2023-03-31T13:16:07.144000", "tags": [ "trojan", "apt", "ansi", "memoryfile scan", "error", "runtime data", "typeof e", "regexp", "array", "object", "typeof t", "void", "null", "unknown", "path", "facebook", "4096", "suspicious", "meta", "lazy", "entity", "union", "body", "idkey", "scroll", "backspace", "insert", "roboto", "target", "stack", "hybrid", "model", "click", "stream", "strings", "qakbot", "pattern match", "ud801", "ud804", "ud805", "ud806", "ud81a", "ud835", "ud800", "ud802", "sha1", "sha256", "vendor.3a0e728a.js" ], "references": [ "https://hybrid-analysis.com/sample/9bf30967dfbf84d91ff4a1ca66dcd6c3383e679917e8b7aa4f659ff9f4e848d7/6426cf48655f94b6b303704c" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 43, "domain": 193, "URL": 64, "FileHash-SHA256": 85, "FileHash-MD5": 3, "FileHash-SHA1": 1 }, "indicator_count": 389, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1115 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "642620d51d298e5a95b15599", "name": "api.3f94642a.js via source of twitter login page using edge browser latest version 111.", "description": "WebpackChunk_Twitter-responsive-web=webpack chunks, as well as its own webpack, to create a single \"bundle\" for all of the sites.", "modified": "2023-03-31T00:06:55.719000", "created": "2023-03-30T23:52:53.828000", "tags": [ "malware", "vxstream", "trojan", "ansi", "memoryfile scan", "scalarfield", "linkedfield", "runtime data", "requiredfield", "throw", "user", "apiuser", "error", "path", "slice", "date", "suspicious", "unknown", "stats", "bouncer", "hybrid", "model", "close", "click", "general", "strings", "malicious", "qakbot" ], "references": [ "https://hybrid-analysis.com/sample/31ab3088c37fe023e4e38296f7083905a64aa3b77c94735815f89906418d2926/642613dabe4297d3b60d91be", "twitter.com/i/flow/login" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 322, "hostname": 61, "domain": 105, "FileHash-SHA256": 24, "FileHash-MD5": 11, "FileHash-SHA1": 2 }, "indicator_count": 525, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1115 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63ed8628367c1a4f3f8e773a", "name": "just a load of errors on edge watching twitch", "description": "load of unknown user pics, but that could just be a twitch thing", "modified": "2023-03-18T00:05:45.328000", "created": "2023-02-16T01:26:00.959000", "tags": [ "object", "typeerror", "typeof symbol", "error", "typeof t", "array", "string", "typeof e", "typeof n", "referenceerror", "date", "body", "null", "local", "generator", "class", "typeof tcfapi", "tcfapi", "daten", "image", "typeof comscore", "true", "regexp", "config", "nolbundle", "novmsjs", "nlssdk", "retry request", "nolsdkbundle", "typeof o", "bsdk check", "optout", "basever", "lsid", "qqfunction", "nielsen log", "info", "stop", "logger", "android", "donate", "ukraine relief", "requestbuilder", "slotbuilder", "uint8array", "nthis", "promise", "symbol", "fullscreen", "adload", "false", "facebook", "unknown", "meta", "direct", "this", "close", "locale", "model", "survey", "companion", "scroll", "backspace", "insert", "infinity", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "runtime data", "ansi", "path", "hybrid analysis", "api call", "registry access", "function", "calls", "window", "hybrid", "general", "click", "ransomware", "february", "strings", "suspicious", "irequestslot", "islotbuilder", "amazonerrorcode", "errortype", "adunit", "conflict", "please" ], "references": [ "https://hybrid-analysis.com/sample/5da0de230eb98e5598b152944d0e7e6b355485484052df6c7f1c747e2c5564c0/63ed708125f47738b45a6520", "webpack buildin global.js", "SlotBuilder.ts", "P34D56F9D-5684-4C83-8EE1-5EA7DE9CF45D.js", "apstag.js", "nlsSDK600.bundle.min.js", "v6s.js", "https://sb.scorecardresearch.com/p?c1=2&c2=6745306&ns_type=hidden&ns_st_sv=5.1.3.160420&ns_st_smv=5.1&ns_st_it=r&ns_st_id=1676508021004&ns_st_ec=3&ns_st_sp=1&ns_st_sc=1&ns_st_sq=1&ns_st_ppc=1&ns_st_apc=1&ns_st_spc=1&ns_st_cn=1&ns_st_ev=hb&ns_st_po=1560430&ns_st_cl=0&ns_st_hc=31&ns_st_mp=js_api&ns_st_mv=5.1.3.160420&ns_st_pn=1&ns_st_tp=0&ns_st_ci=47976339133&ns_st_pt=1560430&ns_st_dpt=360423&ns_st_ipt=60010&ns_st_et=1560430&ns_st_det=360423&ns_st_upc=1560430&ns_st_dupc=360423&ns_st_iupc=60010&ns_st_upa=15604", "https://sb.scorecardresearch.com/p?ax_uuid=d247c6142f285bb0488533aa7f2d53c5&c1=9&c2=31864766&ns__t=1676508027511&ns_c=UTF-8&cv=3.1&c8=SecurityWeekly%20-%20Twitch&c7=https%3A%2F%2Fwww.twitch.tv%2Fsecurityweekly&c9=", "https://hybrid-analysis.com/sample/b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b/", "beacon.js", "https://static-cdn.jtvnw.net/jtv_user_pictures/6f4129f6-3750-4c02-b7c8-c88a05064129-profile_image-70x70.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SlotBuilder", "display_name": "SlotBuilder", "target": null }, { "id": "RequestBuilder", "display_name": "RequestBuilder", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1353, "hostname": 363, "domain": 201, "FileHash-SHA256": 203, "FileHash-MD5": 9, "FileHash-SHA1": 3 }, "indicator_count": 2132, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63ed86228ecb2b03d35b046f", "name": "just a load of errors on edge watching twitch", "description": "load of unknown user pics, but that could just be a twitch thing", "modified": "2023-03-18T00:05:45.328000", "created": "2023-02-16T01:25:54.305000", "tags": [ "object", "typeerror", "typeof symbol", "error", "typeof t", "array", "string", "typeof e", "typeof n", "referenceerror", "date", "body", "null", "local", "generator", "class", "typeof tcfapi", "tcfapi", "daten", "image", "typeof comscore", "true", "regexp", "config", "nolbundle", "novmsjs", "nlssdk", "retry request", "nolsdkbundle", "typeof o", "bsdk check", "optout", "basever", "lsid", "qqfunction", "nielsen log", "info", "stop", "logger", "android", "donate", "ukraine relief", "requestbuilder", "slotbuilder", "uint8array", "nthis", "promise", "symbol", "fullscreen", "adload", "false", "facebook", "unknown", "meta", "direct", "this", "close", "locale", "model", "survey", "companion", "scroll", "backspace", "insert", "infinity", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "runtime data", "ansi", "path", "hybrid analysis", "api call", "registry access", "function", "calls", "window", "hybrid", "general", "click", "ransomware", "february", "strings", "suspicious", "irequestslot", "islotbuilder", "amazonerrorcode", "errortype", "adunit", "conflict", "please" ], "references": [ "https://hybrid-analysis.com/sample/5da0de230eb98e5598b152944d0e7e6b355485484052df6c7f1c747e2c5564c0/63ed708125f47738b45a6520", "webpack buildin global.js", "SlotBuilder.ts", "P34D56F9D-5684-4C83-8EE1-5EA7DE9CF45D.js", "apstag.js", "nlsSDK600.bundle.min.js", "v6s.js", "https://sb.scorecardresearch.com/p?c1=2&c2=6745306&ns_type=hidden&ns_st_sv=5.1.3.160420&ns_st_smv=5.1&ns_st_it=r&ns_st_id=1676508021004&ns_st_ec=3&ns_st_sp=1&ns_st_sc=1&ns_st_sq=1&ns_st_ppc=1&ns_st_apc=1&ns_st_spc=1&ns_st_cn=1&ns_st_ev=hb&ns_st_po=1560430&ns_st_cl=0&ns_st_hc=31&ns_st_mp=js_api&ns_st_mv=5.1.3.160420&ns_st_pn=1&ns_st_tp=0&ns_st_ci=47976339133&ns_st_pt=1560430&ns_st_dpt=360423&ns_st_ipt=60010&ns_st_et=1560430&ns_st_det=360423&ns_st_upc=1560430&ns_st_dupc=360423&ns_st_iupc=60010&ns_st_upa=15604", "https://sb.scorecardresearch.com/p?ax_uuid=d247c6142f285bb0488533aa7f2d53c5&c1=9&c2=31864766&ns__t=1676508027511&ns_c=UTF-8&cv=3.1&c8=SecurityWeekly%20-%20Twitch&c7=https%3A%2F%2Fwww.twitch.tv%2Fsecurityweekly&c9=", "https://hybrid-analysis.com/sample/b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b/", "beacon.js", "https://static-cdn.jtvnw.net/jtv_user_pictures/6f4129f6-3750-4c02-b7c8-c88a05064129-profile_image-70x70.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SlotBuilder", "display_name": "SlotBuilder", "target": null }, { "id": "RequestBuilder", "display_name": "RequestBuilder", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1353, "hostname": 363, "domain": 201, "FileHash-SHA256": 203, "FileHash-MD5": 9, "FileHash-SHA1": 3 }, "indicator_count": 2132, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63a3b9aaaca8891186e6f7a2", "name": "vt errors on edge 21 dec 2022", "description": "var n-i,n-n, r.test, is a new type of webpack, which uses a set of rules to store data in the form of a single address, or code.", "modified": "2023-01-21T00:01:41.590000", "created": "2022-12-22T01:58:02.495000", "tags": [ "eaca", "eace", "iaca", "iace", "boolean", "object", "path", "aacf", "customevent", "string", "span", "error", "code", "virustotal", "date", "null", "contact", "blank", "close", "twitter", "unknown", "download", "this", "easy", "desktop", "body", "requires", "footer", "refresh", "patch", "write", "cobalt strike", "shell", "zero", "harmless", "main", "aalfe", "getclass", "copy", "iframe", "divi", "roboto", "insert", "template", "class", "void", "form", "back", "ransomware", "trace", "comment", "tools", "premium", "bufferwriter", "bufferreader", "array", "typeerror", "vtuibutton", "number", "typeof o", "urls", "please", "javascript", "https://www.virustotal.com/gui/vt-ui-sw-installer.e0eb1a1e08d651", "https://www.virustotal.com/gui/main.900e36f7a852b9863014.js" ], "references": [ "https://www.virustotal.com/gui/vt-ui-sw-installer.e0eb1a1e08d6512ba355.js/ Depreciated", "https://www.virustotal.com/gui/main.900e36f7a852b9863014.js" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BufferReader", "display_name": "BufferReader", "target": null }, { "id": "BufferWriter", "display_name": "BufferWriter", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1051, "FileHash-SHA256": 204, "hostname": 275, "domain": 212, "CVE": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1 }, "indicator_count": 1745, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "1184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62844b9aeadcab773b3eb51a", "name": "DATAHATA - data-xata", "description": "ChunkLoadError, a new type of error, failed to load a chunk of JavaScript, according to the web browser operator, E.noconflict.com, as well as the website itself.", "modified": "2022-06-16T00:01:26.112000", "created": "2022-05-18T01:27:54.809000", "tags": [ "zendesk", "integration", "offline form", "routing website", "acquire", "english", "chatsupport", "livechat", "genesys dx", "drift", "live", "chat", "android", "contact", "twitter", "facebook", "fast", "enterprise", "small", "demo", "leave", "premium", "easy", "robin", "tbody", "span", "jost", "object", "thead", "tfoot", "typecheckbox", "typeradio", "typeof content", "array", "error", "footer", "nuxtlink", "combo", "cookie", "please", "cancel", "email", "zendesk chat", "sorry", "back", "name", "function", "document", "click", "close", "null", "hello", "noraid", "datav57c71c16", "raid0", "raid1", "raid5", "raid6", "raid10", "republic", "islands", "rating", "guinea", "reviewstab", "samoa", "china", "congo", "korea", "united", "albania", "armenia", "belarus", "chad", "cuba", "indonesia", "mexico", "panama", "paraguay", "slovakia", "ukraine", "uruguay", "bitcoin", "script", "date", "scroll", "mousemove", "touchstart", "setaccount", "trackpageview", "textjavascript", "datalayer", "gtmngp6lxc", "number", "string", "trackevent", "click button", "copyright", "host", "path", "order", "typeerror", "typeof symbol", "typeof e", "typeof t", "referenceerror", "promise", "boolean", "typeof n" ], "references": [ "https://www.googletagmanager.com/gtm.js?id=GTM-NGP6LXC", "https://www.data-xata.com/js/zopimlaunch.js", "https://www.data-xata.com/_nuxt/1e8744d.modern.js", "https://www.data-xata.com/_nuxt/65d6cfa.modern.js", "https://www.data-xata.com/_nuxt/b799d37.modern.js", "https://www.data-xata.com/_nuxt/e7424e3.js", "xfe-URL-Data-xata.com-stix2-2.1-export.json", "https://zopim.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1531", "name": "Account Access Removal", "display_name": "T1531 - Account Access Removal" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "E-Commerce" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 329, "URL": 968, "FileHash-SHA256": 245, "domain": 241, "FileHash-MD5": 1, "email": 1 }, "indicator_count": 1785, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "1403 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "620c3b1f8af7ea0dcf2c1218", "name": "Jeeng / Powerbox", "description": "", "modified": "2022-06-12T22:01:23.105000", "created": "2022-02-15T23:45:35.234000", "tags": [ "Jeeng", "tim pool", "timcast" ], "references": [ "cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9072, "domain": 2500, "URL": 13548, "hostname": 3584, "FileHash-MD5": 197, "FileHash-SHA1": 162, "CVE": 3, "CIDR": 20, "SSLCertFingerprint": 2, "email": 19, "BitcoinAddress": 1 }, "indicator_count": 29108, "is_author": false, "is_subscribing": null, "subscriber_count": 97, "modified_text": "1406 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62751d6e20ce7971fe122760", "name": "layerhost.com", "description": "function ra(a,b,c,d,e,f, a new type of node, which can only be defined by its own type, is the same as its current type.", "modified": "2022-06-05T00:03:45.266000", "created": "2022-05-06T13:06:54.626000", "tags": [ "typeerror", "function", "string", "urlsearchparams", "array", "object", "typeof t", "incorrect", "boolean", "iterator", "target", "error", "typeof o", "date", "typeof symbol", "window", "promise", "iere", "typeof ne", "null", "body", "this", "regexp", "please", "blob", "matomo", "post", "javascript", "link", "license", "info", "campaigns", "storagetest", "typeof json", "sufeffxa0", "typeof c", "document", "invalid attempt", "chat", "search", "language", "feel", "file", "call", "strongstart", "address", "again", "attrs", "cparseint", "dparseint", "bparseint", "9999px", "fparseint", "eparseint", "bnull", "gparseint", "iparseint", "blank", "trident", "fixedpos", "fixedheader", "click", "rotate", "dataslider", "eventtarget", "basicstructure", "moztransition", "gthis", "preventdefault", "bthis", "regexcss", "xthis", "true", "filterizr api", "filterizr", "value", "ease", "steps", "idle", "classcallcheck", "reveal", "init", "drilldown", "dropdown", "dropdownmenu", "orbit", "slider", "burn", "sticky", "keyboard", "eventkey", "apple cmd", "mapping", "mouse", "input", "cache", "button", "checkbox", "shift", "typeof b", "pseudo", "child", "class", "attr", "void", "secure", "result" ], "references": [ "xfe-IP-134.73.11.118-stix2-2.1-export.json", "xfe-URL-Powr.io-stix2-2.1-export 2.json", "xfe-URL-Layerhost.com-stix2-2.1-export.json", "xfe-URL-https___www.gandi.net-stix2-2.1-export.json", "https://www.powr.io/powr.js?platform=html", "https://www.layerhost.com/assets/js/vendor/jquery.min.js", "https://www.layerhost.com/assets/js/vendor/what-input.js", "https://www.layerhost.com/assets/js/vendor/foundation.min.js", "https://www.layerhost.com/assets/js/jquery.filterizr.min.js", "https://www.layerhost.com/assets/js/yui.js", "https://www.layerhost.com/assets/js/app.js", "https://www.layerhost.com/assets/js/slider.js", "https://embed.tawk.to/_s/v4/app/625d36b405c/languages/en.js", "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-2d0d2b7c.js", "https://tag.aticdn.net/616708/smarttag.js", "https://analytics.gandi.net/piwik.js", "https://www.gandi.net/static/js/modern.27ee934b0dc5.js", "https://www.gandi.net/static/js/legacy.7cc648e3ff7a.js" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "EventTarget", "display_name": "EventTarget", "target": null }, { "id": "Filterizr API", "display_name": "Filterizr API", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 350, "URL": 2035, "hostname": 718, "FileHash-SHA256": 355, "CVE": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1 }, "indicator_count": 3461, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "1414 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6266f7e0e0264cba210a4e9e", "name": "intel gained from a spam text", "description": "var b[f]=g, if b(f) is not allowed to reach its maximum by the end of a set, then a.b(b) will be able to do so at the same time as a", "modified": "2022-05-25T00:04:03.622000", "created": "2022-04-25T19:34:56.772000", "tags": [ "array", "typeerror", "symbol", "null", "string", "iterator", "object", "error", "boolean", "function", "service", "date", "phonenumber", "facebook", "meta", "typeof e", "typeof u", "typeof window", "es modules", "use esm", "webkit", "component", "typeof", "typeof y", "typeof symbol", "suspense", "context", "forwardref", "unknown", "4096", "typeof n", "promise", "weakmap", "dataview", "typeof t", "webpackrequire", "modulenotfound", "e1342177279", "array int8array", "loanup", "insurance", "group", "health", "solutions", "policy", "site", "america", "company", "life", "plan", "direct", "media", "alliance", "click", "team", "never", "advantage", "general", "light", "february", "april", "june", "august", "footer", "protect", "banker", "explorer", "fast", "martin", "union", "carrier", "next", "colony", "energy", "empire", "gerber", "philadelphia", "hippo", "king", "agent", "mercury", "moss", "premium", "nextgen", "oscar", "phoenix", "loans", "pure", "ramsey", "ranger", "solar", "titan", "tristate", "viking", "easy", "push", "code", "stop", "carriers", "live", "lucky", "moral", "story", "back", "lfunction", "dfunction", "cfunction", "typeof self", "number", "copyright", "closure library", "xdfunction", "cdfunction", "ddfunction", "bded", "kefunction", "reduceright", "gj9pcw0f6jv", "regexp", "r420", "uint8array", "typeof d", "void" ], "references": [ "https://www.googletagmanager.com/gtag/js?id=G-J9PCW0F6JV", "https://www.googletagmanager.com/gtag/js?id=UA-185991747-1", "https://insurancerateusa.com/polyfill-036b4a134d8725752ba0.js", "xfe-URL-insurancerateusa.com-stix2-2.1-export.json", "https://insurancerateusa.com/app-74647f151b541f3098c2.js", "https://insurancerateusa.com/bfcc7b67-0b189ba6da3fc3ae8b88.js", "https://insurancerateusa.com/94297995-69529ad7536f090aa776.js", "https://insurancerateusa.com/3bea8d40-8926f4790c0b3689a361.js", "https://insurancerateusa.com/framework-19eddc0d879a49dfe606.js", "https://insurancerateusa.com/webpack-runtime-f014a3267add02a94afb.js", "https://connect.facebook.net/signals/config/3689470801106673?v=2.9.57&r=stable" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ReduceRight", "display_name": "ReduceRight", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 615, "URL": 2246, "FileHash-SHA256": 823, "domain": 717, "CVE": 1, "email": 4, "FileHash-MD5": 5, "FileHash-SHA1": 1 }, "indicator_count": 4412, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "1425 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "626224efc28c918470fa07ed", "name": "inflect.com - malware", "description": "var e,t, r.o, is a new type of code, which can be used to build a website, but can't do so without a special code.. and the following:", "modified": "2022-05-21T00:03:44.725000", "created": "2022-04-22T03:45:51.681000", "tags": [ "object", "typeof symbol", "typeerror", "html", "body", "software", "pops", "width", "error", "provider", "null", "code", "trident", "trcomponent", "typeof t", "referenceerror", "component", "date", "array", "header", "contact", "backspace", "next", "footer", "copy", "february", "april", "june", "august", "open", "project", "this", "unknown", "heapdeps", "number", "hki3", "ogr1", "function", "regexp", "typeof self", "typeof", "facebook pixel", "pixel code", "symbol", "iterator", "constantvalue", "globalvariable", "facebook", "string", "boolean", "service", "phonenumber", "meta", "typeof e", "sesprops", "nthis", "href", "image", "input", "class", "logger", "download", "target", "form", "push" ], "references": [ "xfe-URL-inflect.com-stix2-2.1-export.json", "https://cdn.heapanalytics.com/js/heap-2001511295.js", "https://connect.facebook.net/signals/config/534474930374151?v=2.9.57&r=stable", "https://connect.facebook.net/en_US/fbevents.js", "https://cdn.segment.com/next-integrations/integrations/vendor/commons.54701049fd6fb8497e9e.js.gz", "https://cdn.segment.com/next-integrations/integrations/heap/2.1.2/heap.dynamic.js.gz", "https://storage.googleapis.com/inflect-frontend-assets/adb460de2098568d4c3580de1fde2f6690bcbd04/_next/static/s0TytVz2d0zNgb~bjg~~D/pages/search.js" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrComponent", "display_name": "TrComponent", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1064, "FileHash-SHA256": 222, "hostname": 162, "domain": 294 }, "indicator_count": 1742, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6261f2763fabd1214a79f0e5", "name": "Masterhost.ru - malware hosting", "description": "Here is the code-decode for the punycode-overflow test, which is based on the results of the following test-run by the UK's Office of National Statistics (ONS).", "modified": "2022-05-21T00:03:44.725000", "created": "2022-04-22T00:10:30.250000", "tags": [ "fffe37", "b76810", "helvetica", "arial", "pf din", "text comp", "circe", "span", "button", "90deg", "object", "typeof t", "date", "promise", "function", "array", "regexp", "error", "typeof symbol", "typeof n", "null", "backspace", "void", "window", "vd", "gc", "typeof e", "sufeffxa0", "class", "attr", "pseudo", "child", "typeof module", "string", "weakmap", "proxy", "number", "boolean", "trnf", "keepalive", "transitiongroup", "hello", "comment", "infinity", "this", "copyright", "closure library", "xdfunction", "cdfunction", "ddfunction", "bded", "kefunction", "65535", "counter", "typeof c", "segoe ui", "typeerror", "lucida", "vwtabguid", "form", "impact", "light", "cureit", "bu durumda", "ip address", "devam", "yandex", "help section", "captcha code", "support service", "search", "edge", "swhealthlog", "logsdatabasev2", "trident", "android", "rangeerror", "webpackexports", "illegal input", "webpackrequire" ], "references": [ "https://admin.verbox.ru/support/support.js?h=afe80d31a1cabd6ae5c00580688f27d2", "https://www.youtube.com/s/player/534c466c/www-widgetapi.vflset/www-widgetapi.js", "https://site.yandex.net/v2.0/js/all.js", "https://mc.yandex.ru/metrika/tag.js", "https://www.googletagmanager.com/gtag/js?id=UA-36935570-1", "https://masterhost.ru/s/masterhost_v2/build/js/app.js?v=WivgGVzt/Ynv", "https://masterhost.ru/s/masterhost_v2/build/js/compiled.min.js?v=Q/hhNATxy3sx", "https://static.me-talk.ru/cabinet/build/chat/modern.support.js", "https://masterhost.ru/s/masterhost_v2/build/css/global.css?v=MUmvaY06hvKf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Gc", "display_name": "Gc", "target": null }, { "id": "Vd", "display_name": "Vd", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1991, "hostname": 678, "FileHash-SHA256": 247, "domain": 404, "email": 1, "FileHash-MD5": 51 }, "indicator_count": 3372, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "1429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "624de06b6d7b6fb1caada56a", "name": "\u542b\u7f9e\u8349\u7814\u7a76\u6240|Fi11.com", "description": "var a,b,c,d, f.substr(d),a=f, a.href, and a number of other elements:a.b.search.com.", "modified": "2022-05-06T18:05:54.002000", "created": "2022-04-06T18:48:11.932000", "tags": [ "date", "cnzzdata", "czuuid", "umdistinctid", "toast", "android", "androidig", "linuxig", "iphoneipodiosig", "ipadig", "windows", "alert", "image", "object", "boolean", "error", "typeof t", "number", "67108863", "string", "typeerror", "array", "promise", "null", "this", "unknown", "write", "iframe", "window", "backspace", "body", "verify", "fullscreen", "copyright", "closure library", "pfunction", "contenttype", "zfunction", "bfunction", "mvoid", "ofunction" ], "references": [ "xfe-IP-137.220.241.241-stix2-2.0-export.json", "https://h5.hxcpp100.com/?id=22929", "https://www.google-analytics.com/analytics.js", "https://h5.hxcpp100.com/js/linkChange.js", "https://imgs.qgddmy.com/static_h5/js/manifest.2ae2e69a05c33dfc65f8.js", "https://imgs.qgddmy.com/static_h5/js/vendor.4071e145e4ea91fa5ab1.js", "http://push.zhanzhang.baidu.com/push.js", "https://js.users.51.la/21185805.js", "https://www.hxcpp100.com/js/linkChange.js", "https://c.cnzz.com/core.php?web_id=1280798474&t=z", "https://s9.cnzz.com/z_stat.php?id=1280743953&web_id=1280743953" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 981, "hostname": 279, "domain": 202, "FileHash-SHA256": 73, "CVE": 1 }, "indicator_count": 1536, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1443 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "624de0699b9516c5c53a4c60", "name": "\u542b\u7f9e\u8349\u7814\u7a76\u6240|Fi11.com", "description": "var a,b,c,d, f.substr(d),a=f, a.href, and a number of other elements:a.b.search.com.", "modified": "2022-05-06T18:05:54.002000", "created": "2022-04-06T18:48:09.891000", "tags": [ "date", "cnzzdata", "czuuid", "umdistinctid", "toast", "android", "androidig", "linuxig", "iphoneipodiosig", "ipadig", "windows", "alert", "image", "object", "boolean", "error", "typeof t", "number", "67108863", "string", "typeerror", "array", "promise", "null", "this", "unknown", "write", "iframe", "window", "backspace", "body", "verify", "fullscreen", "copyright", "closure library", "pfunction", "contenttype", "zfunction", "bfunction", "mvoid", "ofunction" ], "references": [ "xfe-IP-137.220.241.241-stix2-2.0-export.json", "https://h5.hxcpp100.com/?id=22929", "https://www.google-analytics.com/analytics.js", "https://h5.hxcpp100.com/js/linkChange.js", "https://imgs.qgddmy.com/static_h5/js/manifest.2ae2e69a05c33dfc65f8.js", "https://imgs.qgddmy.com/static_h5/js/vendor.4071e145e4ea91fa5ab1.js", "http://push.zhanzhang.baidu.com/push.js", "https://js.users.51.la/21185805.js", "https://www.hxcpp100.com/js/linkChange.js", "https://c.cnzz.com/core.php?web_id=1280798474&t=z", "https://s9.cnzz.com/z_stat.php?id=1280743953&web_id=1280743953" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 981, "hostname": 279, "domain": 202, "FileHash-SHA256": 73, "CVE": 1 }, "indicator_count": 1536, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1443 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "624de05d2c58343224615255", "name": "\u542b\u7f9e\u8349\u7814\u7a76\u6240|Fi11.com", "description": "var a,b,c,d, f.substr(d),a=f, a.href, and a number of other elements:a.b.search.com.", "modified": "2022-05-06T18:05:54.002000", "created": "2022-04-06T18:47:57.704000", "tags": [ "date", "cnzzdata", "czuuid", "umdistinctid", "toast", "android", "androidig", "linuxig", "iphoneipodiosig", "ipadig", "windows", "alert", "image", "object", "boolean", "error", "typeof t", "number", "67108863", "string", "typeerror", "array", "promise", "null", "this", "unknown", "write", "iframe", "window", "backspace", "body", "verify", "fullscreen", "copyright", "closure library", "pfunction", "contenttype", "zfunction", "bfunction", "mvoid", "ofunction" ], "references": [ "xfe-IP-137.220.241.241-stix2-2.0-export.json", "https://h5.hxcpp100.com/?id=22929", "https://www.google-analytics.com/analytics.js", "https://h5.hxcpp100.com/js/linkChange.js", "https://imgs.qgddmy.com/static_h5/js/manifest.2ae2e69a05c33dfc65f8.js", "https://imgs.qgddmy.com/static_h5/js/vendor.4071e145e4ea91fa5ab1.js", "http://push.zhanzhang.baidu.com/push.js", "https://js.users.51.la/21185805.js", "https://www.hxcpp100.com/js/linkChange.js", "https://c.cnzz.com/core.php?web_id=1280798474&t=z", "https://s9.cnzz.com/z_stat.php?id=1280743953&web_id=1280743953" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 981, "hostname": 279, "domain": 202, "FileHash-SHA256": 73, "CVE": 1 }, "indicator_count": 1536, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1443 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6249afa504d9fb8ce09eb0df", "name": "\u5fc5\u535a\u4f53\u80b2-botnet", "description": "A-word-split-by-words, a-single-sigBytes, is an extension of the word-stringing system used by the BBC to create the words in the English language.", "modified": "2022-04-03T14:31:01.201000", "created": "2022-04-03T14:31:01.201000", "tags": [ "object", "function", "kefuheader", "kefufooter", "scoremodal", "error404", "date", "mmdd hh", "chat", "aobject", "javascript", "please", "strong", "datav1e1730b8", "emoji", "helvetica", "arial", "datavce814536", "noto color", "apple color", "segoe ui", "datav5edb4000", "datav6d25583c", "promise", "error", "array", "name", "regexp", "uint8array", "string", "typeerror", "null", "this", "void", "internal", "patch", "target", "4096", "6144", "4112", "light", "dark", "generator", "infinity", "shutdown", "direct" ], "references": [ "https://ejp3z5.com/h5/js/chunk-vendors.0903293f.js", "https://ejp3z5.com/h5/js/app.71cd3a66.js", "https://ejp3z5.com/h5/css/app.61c96454.css", "http://bibo113.com/", "https://ejp3z5.com/#/?business_id=66&access_key=3532E209E7051ED50C08BF7D92C3FC44" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 113, "URL": 665, "hostname": 145, "FileHash-SHA256": 40, "email": 1 }, "indicator_count": 964, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1477 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "appleread.net", "https://analytics.gandi.net/piwik.js", "https://www.hxcpp100.com/js/linkChange.js", "https://www.gandi.net/static/js/legacy.7cc648e3ff7a.js", "https://www.layerhost.com/assets/js/app.js", "https://www.googletagmanager.com/gtag/js?id=G-J9PCW0F6JV", "https://www.hybrid-analysis.com/sample/456369ffe3542bb3ab1288484cfb909820a76f35e4d635a8638baf44ac6d3028/645f61989ff2aa158f07edae", "https://hybrid-analysis.com/sample/41859e0b198fbe88772ef12c577023c0481ec19867e410bab335e67fea87c1bb/642ca80cde2048242a0e097d", "https://insurancerateusa.com/polyfill-036b4a134d8725752ba0.js", "https://h5.hxcpp100.com/js/linkChange.js", "beacon.js", "https://hybrid-analysis.com/sample/235ae35db42acacf6bb9dbab1ca6392f67a60680275ec03f86866b7867db651f/65901471e396520cb3032621", "twitter.com/i/flow/login", "xfe-IP-137.220.241.241-stix2-2.0-export.json", "https://c.cnzz.com/core.php?web_id=1280798474&t=z", "https://insurancerateusa.com/3bea8d40-8926f4790c0b3689a361.js", "https://connect.facebook.net/signals/config/534474930374151?v=2.9.57&r=stable", "http://watchhers.net/index.php - remote attacks", "https://masterhost.ru/s/masterhost_v2/build/css/global.css?v=MUmvaY06hvKf", "https://www.data-xata.com/_nuxt/e7424e3.js", "https://connect.facebook.net/en_US/fbevents.js", "https://www.data-xata.com/_nuxt/b799d37.modern.js", "https://hybrid-analysis.com/sample/b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b/", "simple investigation shows Brashears historical family vehicles listed.", "www.youtube.com/watch?v=GyuMozsVyYs -tracking Tsara Brashears' SongCulture Youtube", "https://hybrid-analysis.com/sample/9bf30967dfbf84d91ff4a1ca66dcd6c3383e679917e8b7aa4f659ff9f4e848d7/6426cf48655f94b6b303704c", "SlotBuilder.ts", "https://www.googletagmanager.com/gtm.js?id=GTM-NGP6LXC", "https://hybrid-analysis.com/sample/31ab3088c37fe023e4e38296f7083905a64aa3b77c94735815f89906418d2926/642613dabe4297d3b60d91be", "xfe-URL-insurancerateusa.com-stix2-2.1-export.json", "https://hybrid-analysis.com/sample/45e147babe00d1834af72b2139dbc65043ee50cb09d1d4e470f9bd48ad50c6bf/64283fca3a07828f100b2551", "https://hybrid-analysis.com/sample/5da0de230eb98e5598b152944d0e7e6b355485484052df6c7f1c747e2c5564c0/63ed708125f47738b45a6520", "https://insurancerateusa.com/bfcc7b67-0b189ba6da3fc3ae8b88.js", "https://ejp3z5.com/h5/js/app.71cd3a66.js", "https://masterhost.ru/s/masterhost_v2/build/js/compiled.min.js?v=Q/hhNATxy3sx", "https://www.virustotal.com/gui/url/105e81bb8b366deb8e6b8849a7c61ebcff181fbc2e48347f5476d9e42b361b37/community", "cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap", "elonmuskisafailure.com - tracker (yt3.ggpht.com tracker)", "https://s9.cnzz.com/z_stat.php?id=1280743953&web_id=1280743953", "https://tag.aticdn.net/616708/smarttag.js", "This area is swarming with PI's (his , hers and theirs)", "http://push.zhanzhang.baidu.com/push.js", "HyunDAITX.COM | Remote CnC of vehicle systems, connected devices. Critical", "xfe-URL-Powr.io-stix2-2.1-export 2.json", "T1622 - Debugger Evasion", "https://imgs.qgddmy.com/static_h5/js/manifest.2ae2e69a05c33dfc65f8.js", "Front Range security guard w/unsolicited account of on premise hacker causeing outage. Why would he be 'in the know, or giving information?", "https://h5.hxcpp100.com/?id=22929", "Pool Closed", "https://js.users.51.la/21185805.js", "xfe-URL-Layerhost.com-stix2-2.1-export.json", "https://www.virustotal.com/gui/vt-ui-sw-installer.e0eb1a1e08d6512ba355.js/ Depreciated", "https://insurancerateusa.com/framework-19eddc0d879a49dfe606.js", "https://www.data-xata.com/_nuxt/65d6cfa.modern.js", "http://e.name/?C.push.apply | https://application.t.email/backscreen", "CREATE\t\\FileSystem\\Filters\\FltMgrMsg\tFILE_READ_DATA | FILE_WRITE_DATA OPEN\t%WINDIR%\\System32\\rpcss.dll\tFILE_READ_DATA OPEN\t%WINDIR%\\Temp\\VxOle32.dll\tFILE_GENERIC_READ OPEN\t%WINDIR%\\System32\\fltLib.dll\tFILE_READ_DATA | FILE_EXECUTE OPEN\t%WINDIR%\\System32\\api-ms-win-core-synch-l1-2-0.dll\tFILE_READ_DATA | FILE_EXECUTE OPEN\t%WINDIR%\\System32\\API-MS-WIN-CORE-FIBERS-L1-1-1.DLL\tFILE_READ_ATTRIBUTES OPEN\t%WINDIR%\\System32\\API-MS-WIN-CORE-LOCALIZATION-L1-2-1.DLL\tFILE_READ_ATTRIBUTES OPEN\t%WINDIR%\\System32\\cryptsp.dl", "T1218 - System Binary Proxy Execution", "https://sb.scorecardresearch.com/p?c1=2&c2=6745306&ns_type=hidden&ns_st_sv=5.1.3.160420&ns_st_smv=5.1&ns_st_it=r&ns_st_id=1676508021004&ns_st_ec=3&ns_st_sp=1&ns_st_sc=1&ns_st_sq=1&ns_st_ppc=1&ns_st_apc=1&ns_st_spc=1&ns_st_cn=1&ns_st_ev=hb&ns_st_po=1560430&ns_st_cl=0&ns_st_hc=31&ns_st_mp=js_api&ns_st_mv=5.1.3.160420&ns_st_pn=1&ns_st_tp=0&ns_st_ci=47976339133&ns_st_pt=1560430&ns_st_dpt=360423&ns_st_ipt=60010&ns_st_et=1560430&ns_st_det=360423&ns_st_upc=1560430&ns_st_dupc=360423&ns_st_iupc=60010&ns_st_upa=15604", "https://cdn.heapanalytics.com/js/heap-2001511295.js", "https://zopim.com", "https://static.me-talk.ru/cabinet/build/chat/modern.support.js", "WScript.exe PID: 3556, Report UID: 00000000-00003556 MD5: 979d74799ea6c8b8167869a68df5204a SHA256: 2160ba6829909eeb1d272ac4a5f43588750c0b4743477bf2b46952033b5d4b3b API calls Registry Mutants Handles Modules Files AMSI New! Streams (0) Displaying the first 1000 logged API calls. The remaining 2905 entries are available in the full report, but download of the full report is disabled. Filter by 'Name': Show only failed: Showing 1 to 50 of 323 entries (filtered from 1,000 total entries) Name\tLogged Parame", "https://www.virustotal.com/gui/main.900e36f7a852b9863014.js", "https://ejp3z5.com/h5/css/app.61c96454.css", "https://insurancerateusa.com/app-74647f151b541f3098c2.js", "https://www.layerhost.com/assets/js/vendor/what-input.js", "https://blackbook.drivably.com | blackboxpedals.com", "http://droid--apk-ru.webpkgcache.com/", "pornhub.com - contextualizing, malvertizing, tagging, apple password crack", "xfe-IP-134.73.11.118-stix2-2.1-export.json", "https://www.googletagmanager.com/gtag/js?id=UA-36935570-1", "https://embed.tawk.to/_s/v4/app/625d36b405c/languages/en.js", "Filename shopping_iframe_driver.js Size 25KiB (25396 bytes) Type script javascript Description ASCII text, with very long lines, with no line terminators Architecture WINDOWS SHA256 456369ffe3542bb3ab1288484cfb909820a76f35e4d635a8638baf44ac6d3028Copy SHA256 to clipboard MD5 cc536243135fcc90121aa984473c9a0cCopy MD5 to clipboard SHA1 6fd199ce4b5e85ba7b21188f13261c05a5f3e3c0Copy SHA1 to clipboard ssdeep 768:R+y0OL5zD+M6C5ywC5Xpe8JC5HGC5xjQxbxjiUar9E3LvjSrbcT+K:35HnoXpeFHdxjQxFjiUKG3LvjSrbcT+K", "https://www.powr.io/powr.js?platform=html", "P34D56F9D-5684-4C83-8EE1-5EA7DE9CF45D.js", "https://hybrid-analysis.com/sample/78a7e765ffd6dff7af3b92b6234271fd0dddf5945f38e70d0e22324c1ec06eca/64414afe0ebb5831a20ce8f0", "https://mc.yandex.ru/metrika/tag.js", "https://www.googletagmanager.com/gtag/js?id=UA-185991747-1", "https://insurancerateusa.com/94297995-69529ad7536f090aa776.js", "Pool's Closed", "https://www.layerhost.com/assets/js/yui.js", "https://cdn.segment.com/next-integrations/integrations/vendor/commons.54701049fd6fb8497e9e.js.gz", "https://masterhost.ru/s/masterhost_v2/build/js/app.js?v=WivgGVzt/Ynv", "appleid.com, apple.com, icloud.com", "https://www.data-xata.com/js/zopimlaunch.js", "https://site.yandex.net/v2.0/js/all.js", "drvtrd-widget.netlify.app/drivably-widget.js | drvtrd-widget.netlify.app/drivably.js | http://drvtrd-widget.netlify.app/drivably-widget.js", "https://www.layerhost.com/assets/js/vendor/foundation.min.js", "http://bibo113.com/", "Strings: {void 0===i&&(i=Promise);var a=new E(h(e,r,n,o),i);return t.isGeneratorFunction(r)?a:a.next().then((function(e){return e.done?e.value:a.next()}))},x(C),f(C,s,\"Generator\"),f(C,l,(function(){return this})),f(C,\"toString\",(function(){return\"[object Generator]\"})),t.keys=function(e){var t=Object(e),r=[];for(var n in t)r.push(n);return r.reverse(),function e(){for(;r.length;){var n=r.pop();if(n in t)return e.value=n,e.done=!1,e}return e.done=!0,e}},t.values=T,V.prototype={constructor:V,reset:function(e)", "https://www.layerhost.com/assets/js/slider.js", "https://www.data-xata.com/_nuxt/1e8744d.modern.js", "https://sb.scorecardresearch.com/p?ax_uuid=d247c6142f285bb0488533aa7f2d53c5&c1=9&c2=31864766&ns__t=1676508027511&ns_c=UTF-8&cv=3.1&c8=SecurityWeekly%20-%20Twitch&c7=https%3A%2F%2Fwww.twitch.tv%2Fsecurityweekly&c9=", "Crime scene unit vans from different county.", "www.russellmcveagh.com - Law Firm (front?) Document Moved", "https://www.virustotal.com/gui/url/87327571bc18df63df91ba61da25389eb32563074ccd640e2b15b2d38cf5b968/summary", "sonar.lg-nonprod.civicalg.com (dangerous) peneservice71.auth.civicalg.com, install.civicalg.com", "https://connect.facebook.net/signals/config/3689470801106673?v=2.9.57&r=stable", "Path HKLMHKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER\\ Key Status STATUS_REPARSE (104) Query\t Path HKLMHKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER\\CWDILLEGALINDLLSEARCH Key CWDILLEGALINDLLSEARCH Status STATUS_OBJECT_NAME_NOT_FOUND (c0000034) Open\t Path HKLMHKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SAFEBOOT\\OPTION\\ Key Status STATUS_REPARSE (104) Open\t Path HKLMHKLM\\SYSTEM\\CONTROLSET001\\CONTROL\\SAFEBOOT\\OPTION\\ Key Status STATUS_OBJECT_NAME_NOT_FOUND (c0000034) Open\t Path HKLMHKLM\\SYSTEM\\CONTROLSET001\\CON", "xfe-URL-https___www.gandi.net-stix2-2.1-export.json", "https://imgs.qgddmy.com/static_h5/js/vendor.4071e145e4ea91fa5ab1.js", "v6s.js", "#MeToo - A former Russell McVeagh partner found guilty of \"disgraceful\" sexual misconduct at the heart of New Zealand's #MeToo movement.", "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-2d0d2b7c.js", "www.auth.civicalg.com.sni.cloudflaressl.com | civicalg.com", "nlsSDK600.bundle.min.js", "car hacking | phone hacking | remote access & system control of entire system", "https://www.youtube.com/s/player/534c466c/www-widgetapi.vflset/www-widgetapi.js", "https://www.layerhost.com/assets/js/vendor/jquery.min.js", "https://www.google-analytics.com/analytics.js", "https://storage.googleapis.com/inflect-frontend-assets/adb460de2098568d4c3580de1fde2f6690bcbd04/_next/static/s0TytVz2d0zNgb~bjg~~D/pages/search.js", "https://www.virustotal.com/gui/domain/hyundaitx.com/summary", "Creates a process in suspended mode (likely for process injection", "https://insurancerateusa.com/webpack-runtime-f014a3267add02a94afb.js", "It's all the same | AIG, Michael Roberts Rexxfield 'bounty hunter' Brian Sabey HallRender (?)", "apstag.js", "Russell McVeagh - New Zealand's leading commercial law firm, known as the go-to team for tackling complex legal problems.", "https://www.layerhost.com/assets/js/jquery.filterizr.min.js", "https://cdn.segment.com/next-integrations/integrations/heap/2.1.2/heap.dynamic.js.gz", "xfe-URL-inflect.com-stix2-2.1-export.json", "https://static-cdn.jtvnw.net/jtv_user_pictures/6f4129f6-3750-4c02-b7c8-c88a05064129-profile_image-70x70.png", "https://ejp3z5.com/#/?business_id=66&access_key=3532E209E7051ED50C08BF7D92C3FC44", "xfe-URL-Data-xata.com-stix2-2.1-export.json", "https://www.gandi.net/static/js/modern.27ee934b0dc5.js", "webpack buildin global.js", "Hired hackers to jailbreak and locate devices. Brute forces, business and personal devices, network attacked.", "https://admin.verbox.ru/support/support.js?h=afe80d31a1cabd6ae5c00580688f27d2", "command_and_control 195.208.1.128 | 206.46.232.39", "https://ejp3z5.com/h5/js/chunk-vendors.0903293f.js" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Filterizr api", "Trcomponent", "Eventtarget", "Gc", "Slotbuilder", "Reduceright", "Vd", "Backdoor:msil/noancooe.a", "Requestbuilder", "Bufferwriter", "Bufferreader" ], "industries": [ "E-commerce", "Telecommunications", "Media", "Civil society", "Technology", "Ad fraud" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 37, "pulses": [ { "id": "69a9cd444aa144401d0c4988", "name": "Pools Open", "description": "", "modified": "2026-04-15T19:21:28.851000", "created": "2026-03-05T18:36:52.014000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23428, "hostname": 9592, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47103, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c1bd40f81db45dc044697c", "name": "Masterkey Clone By CallmeDoris", "description": "", "modified": "2026-03-23T22:22:56.940000", "created": "2026-03-23T22:22:56.940000", "tags": [ "dropped file", "chromeua", "runtime data", "drmedgeua", "edgeua", "generator", "win64", "null", "template", "unknown", "critical", "addressbar", "desktop", "dark", "light", "iframe", "cookie", "meta", "body", "legend", "dwis", "core", "tear", "malicious", "mozilla", "strings", "qakbot", "://masterkey.com.ua/download/MKClientSetup.exe" ], "references": [ "https://hybrid-analysis.com/sample/41859e0b198fbe88772ef12c577023c0481ec19867e410bab335e67fea87c1bb/642ca80cde2048242a0e097d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": "642db7b656049e54b2f71c20", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 949, "URL": 5642, "CVE": 2, "domain": 509, "FileHash-SHA256": 293, "FileHash-MD5": 550, "FileHash-SHA1": 60, "email": 5 }, "indicator_count": 8010, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "26 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa57698ac0f6638b7b9a8ba", "name": "Pool's Closed", "description": "Two paupers from the meadow spring forth an upheaval of nasty sites on the world wide web.", "modified": "2025-12-27T05:02:34.910000", "created": "2020-11-06T16:15:20.139000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23426, "hostname": 9590, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47099, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "113 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6892e73b32af18aa302df0dc", "name": "Part 1.5", "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]", "modified": "2025-09-05T04:03:06.929000", "created": "2025-08-06T05:25:15.369000", "tags": [ "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "june", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "impact", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "script", "mitre att", "pattern match", "show technique", "iframe", "refresh", "august", "general", "local", "tools", "demo", "look", "verify", "restart", "url http", "small", "pulses url", "tellyoun", "showing", "entries", "url https", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "cc08", "f06a6b", "sfurl", "filehashsha256", "types", "indicators show", "search", "pulses", "filehashsha1", "adversaries", "found", "webp image", "ascii text", "riff", "size", "encrypt", "legacy", "filehashmd5", "united", "flag", "server", "markmonitor", "name server", "llc name", "overview dns", "requests domain", "country", "win32", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "detections", "malware", "copy", "show", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "extraction", "data upload", "enter sc", "type", "extra data", "please", "failed", "review", "exclude data", "included review", "ic data", "suggeste", "stop", "type onow", "domain", "passive dns", "urls", "files related", "pulses none", "related tags", "none google", "safe browsing", "sc data", "extr amanuav", "review included", "manualy", "sugges excluded", "filehash", "md5 add", "pulse pulses", "url add", "http", "hostname", "files domain", "pulses otx", "virustotal", "hsmi192547107", "pulses hostname", "r dec", "customer dec", "iski dec", "decision dec", "va dec", "bitcoin", "bitcoin dec", "petra", "torstatus dec", "paul dec", "sodesc", "planet dec", "emilia", "heroin dec", "difference dec", "palantir dec", "loraxlive dec", "chaturbate dec", "sandra", "free dec", "marvel dec", "benjis dec", "fresh dec", "sodesc dec", "srdirport", "srhostname", "link dec", "types of", "italy", "china", "australia", "france", "turkey", "discovery", "information", "ck ids", "t1005", "local system", "t1007", "system service", "part", "track", "locate", "political", "civil society", "news", "created", "hours ago", "report spam", "t1555", "password", "t1560", "collected data", "t1573", "channel", "t1574", "execution flow", "scan", "iocs", "t1497", "u0lhmq", "mtawmq", "t1480", "guardrails", "t1486", "data encrypted", "learn more", "unsubscribe aug", "protocol", "t1074", "staged", "t1083", "t1102", "web service", "t1105", "tool transfer", "t1140", "data engineer", "candidate", "tlsv1", "odigicert inc", "stcalifornia", "lsan jose", "oadobe systems", "incorporated", "cndigicert sha2", "push", "next", "high", "write c", "ireland as16509", "delete", "dirty", "tags", "t1012", "flow endpoint", "security scan", "t1106", "copyright", "levelblue" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 433, "FileHash-SHA256": 3663, "URL": 17104, "domain": 1316, "email": 39, "hostname": 4208, "SSLCertFingerprint": 17 }, "indicator_count": 27388, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6892a73593f73dfc969779b0", "name": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns", "description": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns\n*[ddddd.msg]\n[http://tracking.eu1.glintinc.com]\n[stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd]\n[stackstorm.ops.dev.az.glintinc.com]\n\u2022 http://stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd.onion/peter-thiel-running-database-to-root-out-those-disloyal-to-the-leader/\\n \u2022\n[http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/360]\n[http://pixelrz.com/lists/keywords/tsara-brashears-dead/360]", "modified": "2025-09-05T00:03:23.223000", "created": "2025-08-06T00:52:05.051000", "tags": [ "url http", "small", "indicator role", "title added", "active related", "pulses hostname", "tellyoun", "n aug", "entries", "data upload", "extraction", "windows error", "june", "fwd urgent", "justice czech", "copy sha256", "rejectedfailed", "timestamp input", "message status", "actions august", "file", "actions june", "actions may", "cta4 https", "context related", "associated urls", "campaigncodedsc", "language", "uid http", "community", "sha256", "size42b type", "submitted", "august", "april", "internal error", "previous1", "iframe", "community score", "scan analysis", "malicious", "intelligence", "learn", "falcon sandbox", "submissions", "status", "adversaries", "ck id", "name tactics", "suspicious", "informative", "defense evasion", "windows folder", "found", "dlls", "impact", "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9062, "domain": 707, "hostname": 2318, "FileHash-MD5": 86, "FileHash-SHA1": 26, "FileHash-SHA256": 2096, "email": 5, "FilePath": 2, "URI": 1 }, "indicator_count": 14303, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "663d2869e0f3a42bbddc42ff", "name": "UPX executable packer.", "description": "A new rule has been introduced a \"suspicious\" ELF binary that is packed with the UPX executable packer.\nSuggested ATT&CK IDs: rule SUSP_ELF_LNX_UPX_Compressed_File { meta: description = \"Detects a suspicious ELF binary with UPX compression\" author = \"Florian Roth (Nextron Systems)\" reference = \"Internal Research\" date = \"2018-12-12\" score = 40 hash1 = \"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4\" id = \"078937de-59b3-538e-a5c3-57f4e6050212\" strings: $s1 = \"PROT_EXEC|PROT_WRITE failed.\" fullword ascii $s2 = \"$Id: UPX\" fullword ascii $s3 = \"$Info: This file is packed with the UPX executable packer\" ascii $fp1 = \"check your UCL installation !\"", "modified": "2024-10-14T00:01:17.069000", "created": "2024-05-09T19:47:53.786000", "tags": [ "cioch adrian", "centrum usug", "sieciowych", "elf binary", "upx compression", "roth", "nextron", "info", "javascript", "html", "office open", "xml document", "network capture", "win32 exe", "xml pakietu", "pdf zestawy", "przechwytywanie", "office", "filehashsha1", "url https", "cve cve20201070", "cve cve20203153", "cve cve20201048", "cve cve20211732", "cve20201048 apr", "filehashmd5", "cve cve20010901", "cve cve20021841", "cve20153202 apr", "cve cve20160728", "cve cve20161807", "cve cve20175123", "cve20185407 apr", "cve cve20054605", "cve cve20060745", "cve cve20070452", "cve cve20070453", "cve cve20070454", "cve cve20071355", "cve cve20071358", "cve cve20071871", "cve20149614 apr", "cve cve20151503", "cve cve20152080", "cve cve20157377", "cve cve20170131", "cve20200796 may", "cve cve20113403" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6861, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5771, "domain": 3139, "URL": 14525, "FileHash-SHA1": 2610, "IPv4": 108, "CIDR": 40, "FileHash-SHA256": 10705, "FileHash-MD5": 3373, "YARA": 2, "CVE": 148, "Mutex": 7, "FilePath": 3, "SSLCertFingerprint": 3, "email": 23, "JA3": 1, "IPv6": 2 }, "indicator_count": 40460, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "552 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66577ac0e1788e544c312e3f", "name": "Backdoor:MSIL/Noancooe.A | Network sniffing Lime bandit", "description": "Backdoor:MSIL/Noancooe.A: Backdoor arrives on a system as a file dropped by other malware or as a file downloaded giving malicious hackers unauthorized access and control of your PC.", "modified": "2024-06-28T18:00:33.800000", "created": "2024-05-29T18:58:08.465000", "tags": [ "algorithm", "full name", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "date", "code", "first", "server", "privacy notice", "aaaa", "google", "july", "xcitium verdict", "record type", "ttl value", "data", "name verdict", "falcon sandbox", "jpeg image", "jfif standard", "ascii text", "pattern match", "mitre att", "ck id", "show technique", "ck matrix", "united", "et tor", "path", "mask", "hybrid", "generator", "local", "click", "strings", "union", "#metoo", "russell mcveagh", "grope", "moved", "civicaig", "now hiring", "apple", "unknown", "a domains", "passive dns", "urls", "creation date", "status", "search", "expiration date", "hong kong", "as133775 xiamen", "germany unknown", "scan endpoints", "all scoreblue", "body", "next", "hacking", "critical", "jailbreak", "m", "tech", "hit", "men", "sreredrum", "lime", "as24940 hetzner", "cname", "germany", "as16276", "domain", "spain unknown", "as31898 oracle", "as396982 google", "as5617 orange", "poland unknown", "as8881", "as19905", "msil", "kiwis", "sabey data centers", "nemtih", "attack tsara brashears", "t phone", "t mail", "t", "lakewood", "arvada", "jeff reimer dpt", "jeffrey scott", "lakeside", "grey st", "capture", "aquire", "aig", "sammie", "smith", "johnson", "xfinity", "whisper", "sky", "cybercrime", "true", "cyprus", "attack path", "pattern match" ], "references": [ "www.russellmcveagh.com - Law Firm (front?) Document Moved", "Russell McVeagh - New Zealand's leading commercial law firm, known as the go-to team for tackling complex legal problems.", "www.auth.civicalg.com.sni.cloudflaressl.com | civicalg.com", "It's all the same | AIG, Michael Roberts Rexxfield 'bounty hunter' Brian Sabey HallRender (?)", "This area is swarming with PI's (his , hers and theirs)", "Hired hackers to jailbreak and locate devices. Brute forces, business and personal devices, network attacked.", "Crime scene unit vans from different county.", "Front Range security guard w/unsolicited account of on premise hacker causeing outage. Why would he be 'in the know, or giving information?", "sonar.lg-nonprod.civicalg.com (dangerous) peneservice71.auth.civicalg.com, install.civicalg.com", "#MeToo - A former Russell McVeagh partner found guilty of \"disgraceful\" sexual misconduct at the heart of New Zealand's #MeToo movement.", "http://droid--apk-ru.webpkgcache.com/", "http://e.name/?C.push.apply | https://application.t.email/backscreen", "appleread.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Backdoor:MSIL/Noancooe.A", "display_name": "Backdoor:MSIL/Noancooe.A", "target": "/malware/Backdoor:MSIL/Noancooe.A" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Civil Society", "Telecommunications", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 695, "URL": 1111, "FileHash-MD5": 7, "FileHash-SHA1": 17, "FileHash-SHA256": 230, "domain": 643, "email": 9, "SSLCertFingerprint": 6 }, "indicator_count": 2718, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "659 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6590412931fa8523e305795e", "name": "System Owner/User Discovery | Automobile CnC | HyunDAITX.COM", "description": "", "modified": "2024-01-29T15:00:34.177000", "created": "2023-12-30T16:11:21.071000", "tags": [ "remote cnc", "no expiration", "filehashsha256", "domain", "filehashsha1", "filehashmd5", "expiration", "iocs", "hostname", "ipv4", "scan endpoints", "next", "url http", "url https", "apple", "appleid", "icloud", "tsara brashears", "all octoseek", "create new", "pulse use", "pdf report", "debugger evasion", "evasive", "who's driving", "yaaa", "xobo", "writes data to a remote process", "widget", "win64", "waaa", "vt report", "ttl value", "uaaa", "united", "unknown", "urls url", "stealthyness", "critical", "accept", "address", "admin country", "baaa", "anti-detection", "as11042", "network ascii text", "network", "back", "black", "body length", "attack", "boolean", "silly", "bundled", "caaa", "caca", "caca4baaa", "cacf", "caea", "click", "close", "cobalt strike", "checkbox", "ck id", "ck matrix", "contacted", "copy", "creation date", "code", "comcast tmobile", "communicating", "contact", "historical ssl", "csc corporate", "date", "desktop", "dns replication", "domain related", "domains dropped", "elf wgetboat", "error", "execution", "factory", "false", "files", "final", "url", "first", "general", "getprocaddress", "green", "group", "headers", "hr rtd", "http response", "hybrid", "iana id", "id", "apple id", "import", "infor", "installation", "january", "kb body", "loader", "localappdata", "love", "major", "malicious", "metro", "mitre att", "model", "netlify", "netlify edge", "next", "trim", "null", "threat roundup", "tech email", "subdomains", "status code", "ssl certificate", "show technique span", "sha256", "serving ip", "open", "server", "override", "path", "pattern match", "payment", "pe resource", "persistence", "phonenumber", "record type", "referrer", "registrar abuse", "rust", "search" ], "references": [ "HyunDAITX.COM | Remote CnC of vehicle systems, connected devices. Critical", "https://www.virustotal.com/gui/domain/hyundaitx.com/summary", "https://hybrid-analysis.com/sample/235ae35db42acacf6bb9dbab1ca6392f67a60680275ec03f86866b7867db651f/65901471e396520cb3032621", "command_and_control 195.208.1.128 | 206.46.232.39", "drvtrd-widget.netlify.app/drivably-widget.js | drvtrd-widget.netlify.app/drivably.js | http://drvtrd-widget.netlify.app/drivably-widget.js", "https://www.virustotal.com/gui/url/87327571bc18df63df91ba61da25389eb32563074ccd640e2b15b2d38cf5b968/summary", "https://hybrid-analysis.com/sample/235ae35db42acacf6bb9dbab1ca6392f67a60680275ec03f86866b7867db651f/65901471e396520cb3032621", "appleid.com, apple.com, icloud.com", "https://blackbook.drivably.com | blackboxpedals.com", "car hacking | phone hacking | remote access & system control of entire system", "http://watchhers.net/index.php - remote attacks", "https://www.virustotal.com/gui/url/105e81bb8b366deb8e6b8849a7c61ebcff181fbc2e48347f5476d9e42b361b37/community", "pornhub.com - contextualizing, malvertizing, tagging, apple password crack", "https://www.virustotal.com/gui/url/105e81bb8b366deb8e6b8849a7c61ebcff181fbc2e48347f5476d9e42b361b37/community", "simple investigation shows Brashears historical family vehicles listed.", "elonmuskisafailure.com - tracker (yt3.ggpht.com tracker)", "www.youtube.com/watch?v=GyuMozsVyYs -tracking Tsara Brashears' SongCulture Youtube", "T1622 - Debugger Evasion", "T1218 - System Binary Proxy Execution", "Creates a process in suspended mode (likely for process injection" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1408", "name": "Disguise Root/Jailbreak Indicators", "display_name": "T1408 - Disguise Root/Jailbreak Indicators" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1427", "name": "Attack PC via USB Connection", "display_name": "T1427 - Attack PC via USB Connection" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "TA0030", "name": "Defense Evasion", "display_name": "TA0030 - Defense Evasion" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 177, "FileHash-SHA256": 1078, "URL": 318, "domain": 511, "email": 4, "hostname": 520 }, "indicator_count": 2792, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a161f0681f4ff3d67feb", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-12-06T16:29:21.844000", "created": "2023-12-06T16:29:21.844000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a145926a5676de0e2a1a", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-12-06T16:28:53.979000", "created": "2023-12-06T16:28:53.979000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "864 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "o.map", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "o.map", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776616071.158764 }