{ "type": "Domain", "indicator": "perryop.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/perryop.com", "alexa": "http://www.alexa.com/siteinfo/perryop.com", "indicator": "perryop.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3836492779, "indicator": "perryop.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "684403ce9b1bb2b126d9f06c", "name": "search.safefinder.com", "description": "https://search.safefinder.com/csp.aspx?barcode=defaultsf|portal_sf_admarket_tiles_sf", "modified": "2025-07-07T08:03:42.325000", "created": "2025-06-07T09:18:06.098000", "tags": [ "united", "facebook", "anycast", "idc hosting", "akamaias", "yun road", "google", "intranet", "chinahongkong", "softlayer", "first", "main", "code window", "thisdocument", "insert menu", "visio", "vba project", "class modules", "your project", "visual basic", "editor", "add procedure", "loop", "click", "microsoft azure", "tls issuing", "please", "javascript", "ssdeep", "win32", "susp", "mtb apr", "as13335", "unknown", "showing", "entries", "next associated", "urls show", "date checked", "url hostname", "server response", "mtb nov", "heur", "b apr" ], "references": [ "https://search.safefinder.com/csp.aspx?barcode=defaultsf|portal_sf_admarket_tiles_sf", "http://search.safefinder.com/csp.aspx?barcode=defaultsf|portal_sf_admarket_tiles_sf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 757, "FileHash-SHA256": 572, "domain": 363, "URL": 1952, "FileHash-MD5": 81, "FileHash-SHA1": 84, "CVE": 1 }, "indicator_count": 3810, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "329 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6615d6998eba463f36adf923", "name": "hxxps://viz[.]greynoise[.]io/analysis/22fe6389-fe4a-49dc-b343-b6a2feb32864 - 04.04.24 by jwanihad (enriched)", "description": "", "modified": "2025-06-23T17:53:11.641000", "created": "2024-04-10T00:00:25.617000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/789999053bd7022e2d79a887a5f959be573ce57d6c4f3165503438fbd5dd9ad5/graph" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2361, "domain": 632, "FileHash-SHA256": 644, "hostname": 918 }, "indicator_count": 4555, "is_author": false, "is_subscribing": null, "subscriber_count": 188, "modified_text": "342 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66c235b05007103d3e3e7038", "name": "HCA - Win32:RansomX-gen affecting HCA (HealthOneCares) + Miscellaneous Attacks", "description": "HCA (Health One Cares) affected by a RansomX and various serious attacks. It's linked back to a neurosurgeon who is likely not responsible for attack of course. It has been the same,e group of attackers using Samuel Tulach engineered malware. I'm unsure if there is collusion between Brian Sabey (consistent attacker) and Samuel Tulach. I just know it relates back to the same threat actors that have been hacking healthcare facilities, government offices, telecommunications, technology at health centers abusing webcams and patients records modification, and distribution. PHI PII issues.", "modified": "2024-09-17T17:01:24.349000", "created": "2024-08-18T17:56:00.485000", "tags": [ "blacklist http", "safe site", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "samples", "detection list", "cisco umbrella", "site", "alexa top", "united", "million", "mail spammer", "malicious site", "phishing site", "team phishing", "tofsee", "malware", "bank", "unsafe", "azorult", "cobalt strike", "service", "runescape", "facebook", "download", "zbot", "installcore", "nymaim", "suppobox", "malicious", "cl0p", "inmortal", "domains", "referrer", "historical ssl", "apple stuff", "combined", "hr rtd", "network", "collection", "vt graph", "round", "metro", "execution", "emotet", "startpage", "maltiverse top", "paypal", "blacklist", "passive dns", "related nids", "urls", "flag united", "accept", "acceptencoding", "hit age", "ip asn", "malware site", "adware", "fakealert", "opencandy", "exploit", "raccoon", "metastealer", "redline stealer", "anonymizer", "heur", "outlook", "phishing airbnb", "engineering", "phishing", "filerepmalware", "maltiverse", "div div", "c span", "div section", "span div", "search", "showing", "unknown", "as397240", "moved", "date", "body", "as54113", "github pages", "a domains", "entries", "mtb jul", "class", "sea x", "scan endpoints", "all scoreblue", "alf features", "related pulses", "file samples", "files matching", "show", "date hash", "next", "worm", "dynamicloader", "yara rule", "high", "windows", "grum", "medium", "installs", "windows startup", "application", "stream", "as22612", "ipv4", "pulse pulses", "files", "switch dns", "query", "data", "noname057", "password", "cybercrime", "malicious url", "kuaizip", "team", "downloader", "generic", "crack", "presenoker", "dapato", "riskware", "genkryptik", "fuery", "agent", "wacatac", "union", "shellexecuteexw", "hash", "writeconsolew", "registry", "t1031", "trojan", "copy", "dock", "write", "win32", "file execution", "explorer", "alerts", "checks", "bios", "system restore", "anne", "training", "strings http", "basic telephone", "xsl stylesheets", "apache fop", "createdate", "modifydate", "producer apache", "format", "core", "nxscspu", "zsextbzusbrvsk", "pxnzj", "jwxkrhdlrivprs", "default", "qxrfnjuodik", "mncau", "csqvrkwsqka", "testpath path", "else", "null", "suspicious", "win64", "hotkey", "ransom", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "push" ], "references": [ "https://www.healthonecares.com/physicians/profile/xxxxxxxxxx-MD | Attacker is tracking & hacking every service target has used.", "Adversary: https://tulach.cc/ - Maware engineer. It's believed his malware is being used by Brian Sabey of Hall Render", "Adversary: https://github.com/SamuelTulach/VirusTotalUploader", "https://work.a-poster.info", "Emotet: FileHash-MD5 9e78accf19de70b1e614c9bd9d9a7928", "Emotet: FileHash-SHA1 2493981a18613a750ac3165199ec030a7c00663f", "Emotet: FileHash-SHA256 0071c6eea86a219777df283cc476ca450df4b04f4c7ed0eb48fbdf3a9cf7888f", "http://feeds.soundcloud.com/users/soundcloud:users:73198681/sounds.rss", "Win32:RansomX-gen\\ [Ransom]: FileHash-SHA1 b0b2c74463496c0020faf4655e83449f7e8019ec", "Win32:RansomX-gen\\ [Ransom]: FileHash-SHA1 b0b2c74463496c0020faf4655e83449f7e8019ec", "Win32:RansomX-gen\\ [Ransom]: FileHash-SHA256 00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32", "pornhero.net| itsyourporn.com | http://cdn.itsyourporn.com | http://cdn.itsyourporn.com/assets/images/logo.jpg. http://cdn2.video.itsyourporn.com | https://cdn.itsyourporn.com | https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Antivirus Detections Other:Malware-gen\\ [Trj] , ALF:TrojanDownloader:PowerShell/Ploprolo.DB Alerts network_icmp nolookup_communication injection_resumethread suspicious_powershell", "IDS Detections: IDS Detections SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)", "IDS Detections: Possible HTA Application Download Dotted Quad Host HTA Request HTTP request for .exe file with no User-Agent", "Alerts: network_icmp nolookup_communication injection_resumethread suspicious_powershell network_cnc_http", "Antivirus Detections: Win.Malware.Moonlight-9919383-0 , Worm:Win32/Lightmoon.H", "Yara Detections: Nrv2x , upx_3 , UPX_OEP_place , UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPX", "Alerts: antidebug_windows infostealer_cookies persistence_autorun antivm_generic_bios deletes_executed_files", "Alerts: disables_system_restore infostealer_mail persistence_ifeo recon_fingerprint stealth_hidden_extension stealth_hiddenreg" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f28c33a2", "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2", "target": null }, { "id": "ALF:HeraklezEval:Worm:Win32/Mimail!rfn", "display_name": "ALF:HeraklezEval:Worm:Win32/Mimail!rfn", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "Trojan:Win32/Emotet.YL", "display_name": "Trojan:Win32/Emotet.YL", "target": "/malware/Trojan:Win32/Emotet.YL" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "ALF:TrojanDownloader:PowerShell/Ploprolo.DB", "display_name": "ALF:TrojanDownloader:PowerShell/Ploprolo.DB", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Civilian Society", "Technology", "Healthcare", "Telecommunications", "Media" ], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 891, "FileHash-MD5": 2368, "FileHash-SHA1": 1873, "FileHash-SHA256": 5092, "domain": 648, "hostname": 557, "CVE": 8, "email": 2 }, "indicator_count": 11439, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "621 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "660b176a98b0c92ba5a962bc", "name": "\"No Problems\" - UAlberta TLD (Confirmed TLD - 08.04.24) & Subdomain compromise", "description": "Basically the above\n\n\"No Problems\", \"We are Unhackable\", etc. etc. causing problems.", "modified": "2024-09-04T05:01:56.993000", "created": "2024-04-01T20:22:02.851000", "tags": [ "BEC" ], "references": [ "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs", "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark", "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark", "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95", "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom", "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 233, "FileHash-SHA1": 230, "FileHash-SHA256": 6703, "URL": 4450, "CIDR": 3, "domain": 6223, "hostname": 2863, "email": 7, "CVE": 53 }, "indicator_count": 20765, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "635 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c3bd803f15cd94aab6e287", "name": "Lumma Stealer | Colorado Medical Center HCA", "description": "Needs further investigation. Miscellaneous attack affecting Denver physicians directory. Visitors accessing the page using insecure devices may be affected. PII & PHI breached. Monitoring.", "modified": "2024-03-08T17:04:03.644000", "created": "2024-02-07T17:27:28.349000", "tags": [ "whois record", "ssl certificate", "contacted", "historical ssl", "referrer", "execution", "resolutions", "problems", "siblings domain", "whois whois", "startpage", "httponly", "samesitenone", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "language", "html document", "unicode text", "utf8 text", "doctype", "anchor hrefs", "hrefs", "denver", "tsara brashears", "apple ios", "password bypass", "apple phone", "unlocker", "shell code", "script", "contacted urls", "hacktool", "malicious", "download", "malware", "relic", "monitoring", "domains", "eurodns sa", "markmonitor", "ip detections", "country", "graph", "https", "mitre att", "ta0007 network", "t1046 sends", "ssdp", "command", "control ta0011", "protocol t1071", "performs dns", "layer protocol", "number", "cus cndigicert", "ja3s", "subject", "sha2 secure", "server ca", "odigicert inc", "cus cnmicrosoft", "algorithm", "memory pattern", "file system", "registry", "registry keys", "process", "created", "processes tree", "february", "healthone", "gmbh version", "status page", "service privacy", "legal", "impressum", "url https", "reverse dns", "general full", "security tls", "protocol h2", "software", "frankfurt", "main", "germany", "resource hash", "de indicators", "hashes", "value", "scriptsrcelem", "variables", "boomrmq string", "boomrapikey", "boomr function", "system", "babelpolyfill", "assign function", "windows nt", "win64", "khtml", "gecko", "aes256gcm", "level", "akamaiasn1", "europeberlin", "generic malware", "tag count", "tue dec", "threat report", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "root ca", "pattern match", "authority", "span", "presbyterianst", "luke", "medical center", "class", "accept", "date", "refresh", "blood", "liver cancer", "breast cancer", "lung cancer", "kidney cancer", "skin cancer", "sarcoma", "prostate cancer", "body", "facebook", "twitter", "hybrid", "general", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "cookie", "command and control", "mitre", "scanning host", "exploit source", "trojan", "callback function", "targets", "targeting", "samesite=none", "kde", "konqueror", "phi", "pii", "wTJh.exe", "malware ransom trojan evader rat", "network", "rat trojan", "relacionada", "critical risk", "cyberstalking", "elf collection", "matches rule", "emotet", "lockbit", "critical", "copy", "installer", "dark power", "wiper", "ransomware", "cobalt strike", "ursnif", "core", "as55688 pt", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "asn as55688", "threat", "paste", "iocs", "analyze", "hostnames", "united", "aaaa", "unknown", "a domains", "search", "creation date", "record value", "next", "pornhub", "anyxxxtube", "domain", "gandi sas", "hostname", "basic", "pe32", "intel", "ms windows", "generic windos", "executable", "dos executable", "generic", "pe32 packer", "petite", "vs98", "info compiler", "products", "header intel", "name md5", "type", "rticon neutral", "overlay", "dos exe", "threat roundup", "pe resource", "june", "lumma stealer", "ransomexx", "azorult", "njrat", "open", "problem", "plugx", "android", "sex_phot.jpg.exe", "win32 dynamic", "link library", "win16 ne", "delphi generic", "icons library", "pe32 linker", "lcc linker", "empty hash", "tulach", "sabey", "rat", "remote", "remote access trojan" ], "references": [ "https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians", "https://www.hybrid-analysis.com/sample/63bf920be2401947bd686d7dd146af7f3e56800409307360105bf50cebb1c1ea", "www2.megawebfind.com [command and control]", "http://ifdnzact.com/?dn=megawebdeals.com&pid=9PO755G95 [ phishing]", "20.99.186.246 [exploit source]", "https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians/ [heuristic]", "Win32:RATX-gen [Trj] identified.", "CS Sigma Rules: Shadow Copies Deletion Using Operating Systems Utilities by Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", "CS Sigma Rules: Disable UAC Using Registry by frack113", "http://45.159.189.105/bot/regex [ tracking | botnet]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Password cracker | Patient being tracked through multiple medical systems]", "0-173-x.msn.com | https://twitter.com/PORNO_SEXYBABES | 0-3.duckdns.org | 0-212.pornhub.org | 000web.pornhub.org", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "CS Sigma Rules: Wow6432Node CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "Remote Access Trojan" ], "public": 1, "adversary": "", "targeted_countries": [ "Indonesia", "United States of America" ], "malware_families": [ { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Win32:RATX-gen [Trj]", "display_name": "Win32:RATX-gen [Trj]", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "W32/Hupigon.NCU", "display_name": "W32/Hupigon.NCU", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Wiper", "display_name": "Wiper", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 68, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 883, "URL": 1412, "FileHash-MD5": 283, "FileHash-SHA1": 231, "FileHash-SHA256": 2909, "domain": 824, "email": 3, "CVE": 3 }, "indicator_count": 6548, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "814 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.virustotal.com/gui/collection/789999053bd7022e2d79a887a5f959be573ce57d6c4f3165503438fbd5dd9ad5/graph", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians/ [heuristic]", "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark", "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom", "Adversary: https://github.com/SamuelTulach/VirusTotalUploader", "20.99.186.246 [exploit source]", "http://feeds.soundcloud.com/users/soundcloud:users:73198681/sounds.rss", "Alerts: antidebug_windows infostealer_cookies persistence_autorun antivm_generic_bios deletes_executed_files", "Alerts: network_icmp nolookup_communication injection_resumethread suspicious_powershell network_cnc_http", "https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians", "pornhero.net| itsyourporn.com | http://cdn.itsyourporn.com | http://cdn.itsyourporn.com/assets/images/logo.jpg. http://cdn2.video.itsyourporn.com | https://cdn.itsyourporn.com | https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com", "0-173-x.msn.com | https://twitter.com/PORNO_SEXYBABES | 0-3.duckdns.org | 0-212.pornhub.org | 000web.pornhub.org", "https://work.a-poster.info", "Antivirus Detections Other:Malware-gen\\ [Trj] , ALF:TrojanDownloader:PowerShell/Ploprolo.DB Alerts network_icmp nolookup_communication injection_resumethread suspicious_powershell", "IDS Detections: IDS Detections SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs", "Adversary: https://tulach.cc/ - Maware engineer. It's believed his malware is being used by Brian Sabey of Hall Render", "Emotet: FileHash-SHA256 0071c6eea86a219777df283cc476ca450df4b04f4c7ed0eb48fbdf3a9cf7888f", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "Win32:RATX-gen [Trj] identified.", "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Password cracker | Patient being tracked through multiple medical systems]", "Emotet: FileHash-SHA1 2493981a18613a750ac3165199ec030a7c00663f", "http://search.safefinder.com/csp.aspx?barcode=defaultsf|portal_sf_admarket_tiles_sf", "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "CS Sigma Rules: Shadow Copies Deletion Using Operating Systems Utilities by Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", "Yara Detections: Nrv2x , upx_3 , UPX_OEP_place , UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPX", "https://search.safefinder.com/csp.aspx?barcode=defaultsf|portal_sf_admarket_tiles_sf", "http://45.159.189.105/bot/regex [ tracking | botnet]", "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate", "Win32:RansomX-gen\\ [Ransom]: FileHash-SHA256 00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32", "CS Sigma Rules: Disable UAC Using Registry by frack113", "https://www.hybrid-analysis.com/sample/63bf920be2401947bd686d7dd146af7f3e56800409307360105bf50cebb1c1ea", "CS Sigma Rules: Wow6432Node CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "www2.megawebfind.com [command and control]", "IDS Detections: Possible HTA Application Download Dotted Quad Host HTA Request HTTP request for .exe file with no User-Agent", "Win32:RansomX-gen\\ [Ransom]: FileHash-SHA1 b0b2c74463496c0020faf4655e83449f7e8019ec", "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary", "Remote Access Trojan", "Emotet: FileHash-MD5 9e78accf19de70b1e614c9bd9d9a7928", "https://www.healthonecares.com/physicians/profile/xxxxxxxxxx-MD | Attacker is tracking & hacking every service target has used.", "Alerts: disables_system_restore infostealer_mail persistence_ifeo recon_fingerprint stealth_hidden_extension stealth_hiddenreg", "Antivirus Detections: Win.Malware.Moonlight-9919383-0 , Worm:Win32/Lightmoon.H", "http://ifdnzact.com/?dn=megawebdeals.com&pid=9PO755G95 [ phishing]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Domains", "Ursnif", "Alf:heraklezeval:worm:win32/mimail!rfn", "Alf:trojan:win32/cassini_f28c33a2", "Win32:ratx-gen [trj]", "W32/hupigon.ncu", "Win32:ransomx-gen\\ [ransom]", "Tulach", "Lockbit", "Lumma stealer", "Hacktool", "Azorult", "Cobalt strike", "Alf:trojandownloader:powershell/ploprolo.db", "Cl0p", "Wiper", "Trojan:win32/emotet.yl", "Inmortal", "Worm:win32/lightmoon.h", "Tulach malware", "Ransomware", "Relic", "Dark power", "Virut" ], "industries": [ "Civilian society", "Healthcare", "Education", "Civil society", "Media", "Telecommunications", "Government", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "684403ce9b1bb2b126d9f06c", "name": "search.safefinder.com", "description": "https://search.safefinder.com/csp.aspx?barcode=defaultsf|portal_sf_admarket_tiles_sf", "modified": "2025-07-07T08:03:42.325000", "created": "2025-06-07T09:18:06.098000", "tags": [ "united", "facebook", "anycast", "idc hosting", "akamaias", "yun road", "google", "intranet", "chinahongkong", "softlayer", "first", "main", "code window", "thisdocument", "insert menu", "visio", "vba project", "class modules", "your project", "visual basic", "editor", "add procedure", "loop", "click", "microsoft azure", "tls issuing", "please", "javascript", "ssdeep", "win32", "susp", "mtb apr", "as13335", "unknown", "showing", "entries", "next associated", "urls show", "date checked", "url hostname", "server response", "mtb nov", "heur", "b apr" ], "references": [ "https://search.safefinder.com/csp.aspx?barcode=defaultsf|portal_sf_admarket_tiles_sf", "http://search.safefinder.com/csp.aspx?barcode=defaultsf|portal_sf_admarket_tiles_sf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 757, "FileHash-SHA256": 572, "domain": 363, "URL": 1952, "FileHash-MD5": 81, "FileHash-SHA1": 84, "CVE": 1 }, "indicator_count": 3810, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "329 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6615d6998eba463f36adf923", "name": "hxxps://viz[.]greynoise[.]io/analysis/22fe6389-fe4a-49dc-b343-b6a2feb32864 - 04.04.24 by jwanihad (enriched)", "description": "", "modified": "2025-06-23T17:53:11.641000", "created": "2024-04-10T00:00:25.617000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/789999053bd7022e2d79a887a5f959be573ce57d6c4f3165503438fbd5dd9ad5/graph" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2361, "domain": 632, "FileHash-SHA256": 644, "hostname": 918 }, "indicator_count": 4555, "is_author": false, "is_subscribing": null, "subscriber_count": 188, "modified_text": "342 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66c235b05007103d3e3e7038", "name": "HCA - Win32:RansomX-gen affecting HCA (HealthOneCares) + Miscellaneous Attacks", "description": "HCA (Health One Cares) affected by a RansomX and various serious attacks. It's linked back to a neurosurgeon who is likely not responsible for attack of course. It has been the same,e group of attackers using Samuel Tulach engineered malware. I'm unsure if there is collusion between Brian Sabey (consistent attacker) and Samuel Tulach. I just know it relates back to the same threat actors that have been hacking healthcare facilities, government offices, telecommunications, technology at health centers abusing webcams and patients records modification, and distribution. PHI PII issues.", "modified": "2024-09-17T17:01:24.349000", "created": "2024-08-18T17:56:00.485000", "tags": [ "blacklist http", "safe site", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "samples", "detection list", "cisco umbrella", "site", "alexa top", "united", "million", "mail spammer", "malicious site", "phishing site", "team phishing", "tofsee", "malware", "bank", "unsafe", "azorult", "cobalt strike", "service", "runescape", "facebook", "download", "zbot", "installcore", "nymaim", "suppobox", "malicious", "cl0p", "inmortal", "domains", "referrer", "historical ssl", "apple stuff", "combined", "hr rtd", "network", "collection", "vt graph", "round", "metro", "execution", "emotet", "startpage", "maltiverse top", "paypal", "blacklist", "passive dns", "related nids", "urls", "flag united", "accept", "acceptencoding", "hit age", "ip asn", "malware site", "adware", "fakealert", "opencandy", "exploit", "raccoon", "metastealer", "redline stealer", "anonymizer", "heur", "outlook", "phishing airbnb", "engineering", "phishing", "filerepmalware", "maltiverse", "div div", "c span", "div section", "span div", "search", "showing", "unknown", "as397240", "moved", "date", "body", "as54113", "github pages", "a domains", "entries", "mtb jul", "class", "sea x", "scan endpoints", "all scoreblue", "alf features", "related pulses", "file samples", "files matching", "show", "date hash", "next", "worm", "dynamicloader", "yara rule", "high", "windows", "grum", "medium", "installs", "windows startup", "application", "stream", "as22612", "ipv4", "pulse pulses", "files", "switch dns", "query", "data", "noname057", "password", "cybercrime", "malicious url", "kuaizip", "team", "downloader", "generic", "crack", "presenoker", "dapato", "riskware", "genkryptik", "fuery", "agent", "wacatac", "union", "shellexecuteexw", "hash", "writeconsolew", "registry", "t1031", "trojan", "copy", "dock", "write", "win32", "file execution", "explorer", "alerts", "checks", "bios", "system restore", "anne", "training", "strings http", "basic telephone", "xsl stylesheets", "apache fop", "createdate", "modifydate", "producer apache", "format", "core", "nxscspu", "zsextbzusbrvsk", "pxnzj", "jwxkrhdlrivprs", "default", "qxrfnjuodik", "mncau", "csqvrkwsqka", "testpath path", "else", "null", "suspicious", "win64", "hotkey", "ransom", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "push" ], "references": [ "https://www.healthonecares.com/physicians/profile/xxxxxxxxxx-MD | Attacker is tracking & hacking every service target has used.", "Adversary: https://tulach.cc/ - Maware engineer. It's believed his malware is being used by Brian Sabey of Hall Render", "Adversary: https://github.com/SamuelTulach/VirusTotalUploader", "https://work.a-poster.info", "Emotet: FileHash-MD5 9e78accf19de70b1e614c9bd9d9a7928", "Emotet: FileHash-SHA1 2493981a18613a750ac3165199ec030a7c00663f", "Emotet: FileHash-SHA256 0071c6eea86a219777df283cc476ca450df4b04f4c7ed0eb48fbdf3a9cf7888f", "http://feeds.soundcloud.com/users/soundcloud:users:73198681/sounds.rss", "Win32:RansomX-gen\\ [Ransom]: FileHash-SHA1 b0b2c74463496c0020faf4655e83449f7e8019ec", "Win32:RansomX-gen\\ [Ransom]: FileHash-SHA1 b0b2c74463496c0020faf4655e83449f7e8019ec", "Win32:RansomX-gen\\ [Ransom]: FileHash-SHA256 00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32", "pornhero.net| itsyourporn.com | http://cdn.itsyourporn.com | http://cdn.itsyourporn.com/assets/images/logo.jpg. http://cdn2.video.itsyourporn.com | https://cdn.itsyourporn.com | https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "Antivirus Detections Other:Malware-gen\\ [Trj] , ALF:TrojanDownloader:PowerShell/Ploprolo.DB Alerts network_icmp nolookup_communication injection_resumethread suspicious_powershell", "IDS Detections: IDS Detections SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)", "IDS Detections: Possible HTA Application Download Dotted Quad Host HTA Request HTTP request for .exe file with no User-Agent", "Alerts: network_icmp nolookup_communication injection_resumethread suspicious_powershell network_cnc_http", "Antivirus Detections: Win.Malware.Moonlight-9919383-0 , Worm:Win32/Lightmoon.H", "Yara Detections: Nrv2x , upx_3 , UPX_OEP_place , UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPX", "Alerts: antidebug_windows infostealer_cookies persistence_autorun antivm_generic_bios deletes_executed_files", "Alerts: disables_system_restore infostealer_mail persistence_ifeo recon_fingerprint stealth_hidden_extension stealth_hiddenreg" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Inmortal", "display_name": "Inmortal", "target": null }, { "id": "Domains", "display_name": "Domains", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_f28c33a2", "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2", "target": null }, { "id": "ALF:HeraklezEval:Worm:Win32/Mimail!rfn", "display_name": "ALF:HeraklezEval:Worm:Win32/Mimail!rfn", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "Trojan:Win32/Emotet.YL", "display_name": "Trojan:Win32/Emotet.YL", "target": "/malware/Trojan:Win32/Emotet.YL" }, { "id": "Win32:RansomX-gen\\ [Ransom]", "display_name": "Win32:RansomX-gen\\ [Ransom]", "target": null }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "ALF:TrojanDownloader:PowerShell/Ploprolo.DB", "display_name": "ALF:TrojanDownloader:PowerShell/Ploprolo.DB", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Civilian Society", "Technology", "Healthcare", "Telecommunications", "Media" ], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 891, "FileHash-MD5": 2368, "FileHash-SHA1": 1873, "FileHash-SHA256": 5092, "domain": 648, "hostname": 557, "CVE": 8, "email": 2 }, "indicator_count": 11439, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "621 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "660b176a98b0c92ba5a962bc", "name": "\"No Problems\" - UAlberta TLD (Confirmed TLD - 08.04.24) & Subdomain compromise", "description": "Basically the above\n\n\"No Problems\", \"We are Unhackable\", etc. etc. causing problems.", "modified": "2024-09-04T05:01:56.993000", "created": "2024-04-01T20:22:02.851000", "tags": [ "BEC" ], "references": [ "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs", "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark", "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark", "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95", "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom", "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 233, "FileHash-SHA1": 230, "FileHash-SHA256": 6703, "URL": 4450, "CIDR": 3, "domain": 6223, "hostname": 2863, "email": 7, "CVE": 53 }, "indicator_count": 20765, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "635 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c3bd803f15cd94aab6e287", "name": "Lumma Stealer | Colorado Medical Center HCA", "description": "Needs further investigation. Miscellaneous attack affecting Denver physicians directory. Visitors accessing the page using insecure devices may be affected. PII & PHI breached. Monitoring.", "modified": "2024-03-08T17:04:03.644000", "created": "2024-02-07T17:27:28.349000", "tags": [ "whois record", "ssl certificate", "contacted", "historical ssl", "referrer", "execution", "resolutions", "problems", "siblings domain", "whois whois", "startpage", "httponly", "samesitenone", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "language", "html document", "unicode text", "utf8 text", "doctype", "anchor hrefs", "hrefs", "denver", "tsara brashears", "apple ios", "password bypass", "apple phone", "unlocker", "shell code", "script", "contacted urls", "hacktool", "malicious", "download", "malware", "relic", "monitoring", "domains", "eurodns sa", "markmonitor", "ip detections", "country", "graph", "https", "mitre att", "ta0007 network", "t1046 sends", "ssdp", "command", "control ta0011", "protocol t1071", "performs dns", "layer protocol", "number", "cus cndigicert", "ja3s", "subject", "sha2 secure", "server ca", "odigicert inc", "cus cnmicrosoft", "algorithm", "memory pattern", "file system", "registry", "registry keys", "process", "created", "processes tree", "february", "healthone", "gmbh version", "status page", "service privacy", "legal", "impressum", "url https", "reverse dns", "general full", "security tls", "protocol h2", "software", "frankfurt", "main", "germany", "resource hash", "de indicators", "hashes", "value", "scriptsrcelem", "variables", "boomrmq string", "boomrapikey", "boomr function", "system", "babelpolyfill", "assign function", "windows nt", "win64", "khtml", "gecko", "aes256gcm", "level", "akamaiasn1", "europeberlin", "generic malware", "tag count", "tue dec", "threat report", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "root ca", "pattern match", "authority", "span", "presbyterianst", "luke", "medical center", "class", "accept", "date", "refresh", "blood", "liver cancer", "breast cancer", "lung cancer", "kidney cancer", "skin cancer", "sarcoma", "prostate cancer", "body", "facebook", "twitter", "hybrid", "general", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "cookie", "command and control", "mitre", "scanning host", "exploit source", "trojan", "callback function", "targets", "targeting", "samesite=none", "kde", "konqueror", "phi", "pii", "wTJh.exe", "malware ransom trojan evader rat", "network", "rat trojan", "relacionada", "critical risk", "cyberstalking", "elf collection", "matches rule", "emotet", "lockbit", "critical", "copy", "installer", "dark power", "wiper", "ransomware", "cobalt strike", "ursnif", "core", "as55688 pt", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "asn as55688", "threat", "paste", "iocs", "analyze", "hostnames", "united", "aaaa", "unknown", "a domains", "search", "creation date", "record value", "next", "pornhub", "anyxxxtube", "domain", "gandi sas", "hostname", "basic", "pe32", "intel", "ms windows", "generic windos", "executable", "dos executable", "generic", "pe32 packer", "petite", "vs98", "info compiler", "products", "header intel", "name md5", "type", "rticon neutral", "overlay", "dos exe", "threat roundup", "pe resource", "june", "lumma stealer", "ransomexx", "azorult", "njrat", "open", "problem", "plugx", "android", "sex_phot.jpg.exe", "win32 dynamic", "link library", "win16 ne", "delphi generic", "icons library", "pe32 linker", "lcc linker", "empty hash", "tulach", "sabey", "rat", "remote", "remote access trojan" ], "references": [ "https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians", "https://www.hybrid-analysis.com/sample/63bf920be2401947bd686d7dd146af7f3e56800409307360105bf50cebb1c1ea", "www2.megawebfind.com [command and control]", "http://ifdnzact.com/?dn=megawebdeals.com&pid=9PO755G95 [ phishing]", "20.99.186.246 [exploit source]", "https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians/ [heuristic]", "Win32:RATX-gen [Trj] identified.", "CS Sigma Rules: Shadow Copies Deletion Using Operating Systems Utilities by Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", "CS Sigma Rules: Disable UAC Using Registry by frack113", "http://45.159.189.105/bot/regex [ tracking | botnet]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Password cracker | Patient being tracked through multiple medical systems]", "0-173-x.msn.com | https://twitter.com/PORNO_SEXYBABES | 0-3.duckdns.org | 0-212.pornhub.org | 000web.pornhub.org", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "CS Sigma Rules: Wow6432Node CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "Remote Access Trojan" ], "public": 1, "adversary": "", "targeted_countries": [ "Indonesia", "United States of America" ], "malware_families": [ { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Win32:RATX-gen [Trj]", "display_name": "Win32:RATX-gen [Trj]", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "W32/Hupigon.NCU", "display_name": "W32/Hupigon.NCU", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "Wiper", "display_name": "Wiper", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Healthcare", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 68, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 883, "URL": 1412, "FileHash-MD5": 283, "FileHash-SHA1": 231, "FileHash-SHA256": 2909, "domain": 824, "email": 3, "CVE": 3 }, "indicator_count": 6548, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "814 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "perryop.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "perryop.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780316903.3291788 }