{ "type": "Domain", "indicator": "proble.co", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/proble.co", "alexa": "http://www.alexa.com/siteinfo/proble.co", "indicator": "proble.co", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3809832273, "indicator": "proble.co", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "6920c43c3772bb24f26f70cc", "name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun", "description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.", "modified": "2025-12-21T18:01:07.268000", "created": "2025-11-21T19:57:48.145000", "tags": [ "dynamicloader", "write c", "write", "high", "yara rule", "myapp", "delphi", "worm", "win32", "error", "code", "malware", "defender", "medium", "binary file", "heavensgate", "bochs", "dynamic", "td td", "td tr", "united", "a td", "a domains", "dynamic dns", "static dns", "dd wrt", "twitter", "trojan", "trojandropper", "null", "enough", "simple", "click", "easy", "premium", "associated urls", "server response", "google safe", "results nov", "avast avg", "11.21.2025", "11.20.2025", "borland delphi", "pe32", "intel", "ms windows", "inno setup", "win32 exe", "pecompact", "delphi generic", "pe32 compiler", "dark comet", "dark gate", "glassworm", "md5 code", "data", "porkbun llc", "windows match", "getprocaddress", "peb idrdata", "match peb", "t1547", "t1059 t1112", "shared modules", "t1129", "boot", "logon autostart", "execu", "t1134 boot", "encoding", "capture e1113", "file attributes", "analysis ob0001", "b0001 software", "virtual machine", "detection b0009", "analysis ob0002", "ob0003 screen", "windows get", "check", "encode", "check internet", "wininet set", "clear file", "enumerate gui", "get hostname", "get keyboard", "set registry", "find", "capture", "url http", "consolefoundry", "console foundry", "foundry", "malware catalog tree", "autorun keys", "modification", "alexander karp", "peter theil", "christoper ahmann", "christopher pool", "mercedes", "apple", "palantir", "adversarial", "adversaries", "hostile", "quasi", "empty hash", "denver", "mal_xred_backdoor", "backdoor", "xred", "brian sabey", "first-send-petikvx", "stop", "glassworm", "elex", "darkgate", "dark-comet", "search", "entries", "show", "yara detections", "icmp traffic", "rtf file", "top source", "top destination", "format", "host", "copy", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "access att", "font", "copy md5", "copy sha1", "copy sha256", "sha1", "ascii text", "pattern match", "sha256", "mitre att", "title", "meta", "hybrid", "local", "path", "strings", "body", "contact", "trace", "form", "bitcoin", "core", "jeffrey reimer", "exe infection", "cve", "porn" ], "references": [ "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "Alerts: packer_unknown", "Malicious IP Contacted: 69.42.215.252", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "http://freedns.afraid.org/images/apple.gif", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.mumuplayer.com/redirect/customerservice/_wig", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://consolefoundry.date/one/gate.php", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453", "display_name": "Win.Trojan.Emotet-9850453", "target": null }, { "id": "Win.Trojan.BlackNetRAT-7838854-0", "display_name": "Win.Trojan.BlackNetRAT-7838854-0", "target": null }, { "id": "Win.Dropper.Nanocore-10021490-0", "display_name": "Win.Dropper.Nanocore-10021490-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Packed.Remcos-10024510-0", "display_name": "Win.Packed.Remcos-10024510-0", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "PSW:Win32/VB.CU", "display_name": "PSW:Win32/VB.CU", "target": "/malware/PSW:Win32/VB.CU" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1541", "name": "Foreground Persistence", "display_name": "T1541 - Foreground Persistence" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 460, "FileHash-SHA1": 437, "FileHash-SHA256": 4483, "SSLCertFingerprint": 2, "URL": 6487, "hostname": 1772, "domain": 652, "CVE": 3, "email": 5 }, "indicator_count": 14301, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "161 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c68bc8b8745068608cc50d", "name": "Metasploit | Ransomware | PinterestPots - Pin.it", "description": "", "modified": "2024-03-10T20:03:45.513000", "created": "2024-02-09T20:32:08.358000", "tags": [ "whois record", "contacted", "tsara brashears", "ssl certificate", "apple ios", "unlocker", "historical ssl", "referrer", "highly targeted", "critical risk", "hacktool", "malicious", "cobalt strike", "metasploit", "installer", "malware", "awful", "android", "banker", "keylogger", "jeffrey reimer", "emreimer", "emily reimer goldstien", "eva lisa", "eva lisa reimer", "status code", "http response", "ieedge date", "maxage86400", "path", "httponly xcdn", "connection", "vary useragent", "targeting brashears", "communicating", "whois whois", "collections", "password", "adult content", "core", "metro", "apple", "copy", "suspicious", "vj99", "threat", "slfrd1", "paste", "iocs", "analyze", "hostnames", "urls http", "jid1221717543", "slc1", "a domains", "united", "search", "date", "as15169 google", "passive dns", "urls", "record value", "name servers", "status", "encrypt", "win32", "next", "msie", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "body", "domain", "unknown", "china unknown", "pulse pulses", "files", "ip address", "servers", "domain name", "showing", "as54113", "as16625 akamai", "as20940", "aaaa", "cname", "as396982 google", "as14061", "script domains", "hostname", "japan unknown", "gmt content", "gmt etag", "pragma", "accept", "location japan", "asn as131965", "less", "pulses", "related tags", "meta", "asn as13335", "443 ma2592000", "certificate", "germany unknown", "script urls", "link", "code", "moved", "russia unknown", "as51659 llc", "as12616 filanc", "welcome", "uhttps", "urls https", "ccb455304", "ccb455307", "vj93", "uyebaauqaaaaaac", "malvertizing", "tagging", "prefetch8", "script", "prefetch1", "command decode", "segoe ui", "suricata ipv4", "emoji", "mitre att", "suricata udpv4", "roboto", "courier", "february", "hybrid", "general", "model", "comspec", "click", "strings" ], "references": [ "https://gr.pinterest.com/emreimer/", "Wife of Brashears SAter \u2022 Alias \u2022 Couple plays victim \u2022 Karens. HIPPA violations. Admittedly involved cyberstalking on Brashears. Legally agreed to stop.", "message.htm.com \u2022 CVE-2023-4966 \u2022 ransomed.vc", "http://neurosky.jp", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex", "http://alohatube.xyz/search/tsara-brashears", "facebooksunglassshop.com [titled' Tsara Brashears GCcmwm.T ?]", "alohatube.xyz [keylogger aimed at Tsara Brashears]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.pornhub.com/video/search?search=tsara+brashears", "http://alohatube.xyz/search/tsara-brashears/", "https://alohatube.xyz/search/tsara-brashears", "https://alohatube.xyz/search/tsara-brashears+(Formerly+Botnetwork+malvertizing+campaign+targeting+Tsara+Brashears+crime+victim.+Now+", "https://www.sweetheartvideo.com/tsara-brashears/", "manvimishraa5417@gmail.com [Video of Tsara Brashears circulation]", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language:", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "https://www.sweetheartvideo.com/tsara-brashears", "https://www.hybrid-analysis.com/sample/92b00ee3aca1f3057ad8402229c27bfdd6fc934908ef641b36379bf47093df0b/65c63a1fbc9c5333d20354ca", "https://www.hybrid-analysis.com/file-inline/65c63a1fbc9c5333d20354ca/screenshot/screen_6.png", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing \u2022 mitre S0154]", "CnC IP's: 104.124.58.137 \u2022 45.159.189.105 | Exploit source: 1.179.151.145 | scanning host: 208.115.103.34", "http://www.proxydocker.com/ja/proxy/43.229.135.125:8080", "https://twitter.com/PORNO_SEXYBABES | cloud.zemana.com - porn cloud", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "www.pornhub.com", "http://www.pinterest.com/ideas/songwriting/945635263947/", "https://www.neurosky.jp/wp-content/plugins/responsive-lightbox/assets/fancybox/jquery.fancybox.min.js?ver=2.1.0", "webdisk.thehomemakers.nl", "http://connectivitycheck.gstatic.com/generate_204 [RAT]", "http://discover.hubpages.com/literature/Most-Beautiful-Quotes-on-Love-and-Heartbreak [RAT| Tagging target in adult content fraud sites]", "https://gujarati.ent24x7.comb [RAT]", "http://clipper.guru/bot/online?guid=PC\\Administrator&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb", "https://tulach.cc/socrative/internal.js", "http://email.birdeye.org/c/eJxkUcFuozAU_JrHsTLPYODAIYQmSqXNqmm3q-4FGfNIrAUbGTtV-_UrklRatT5ZnvGbeTNVmLWhed6HsSVXxiLNsyLniUhFyoqolp6eyPgSE4Ysjw407boSMerKWKV90kdUxhnLuMiyhEenUiZ9LjAuij6PMWdMSpnFJPKkLVQrUhHpEtl1GEuSgvG7DIss6XsZCy7jooghYa12Hb3TnXXHaChP3k8z8BXgBnDziSk7Am4mp5U2xwXim-DHZrbBKQJeT852QfmGRqkHQLGAI3U6jMDr_x-VNZ6MB15vf1SAotUd8PpLEJ9cOU5SHw3w2ppBG2omRzMZRc1CaY0cF-21NTO5s_TaGsDqidxZK5oBq62zYQKsdkYBimmQipqL3vq0e9i3-VoOf-J09_dgq-m-enupQnUEFNp0YfbuHXgNKD70dL04Omt6a5QNF_-H-5fd_e9m_fPX_hlQyPOxuTGc9EtKvF69bJvD6", "https://gujarati.ent24x7.com | https://otx.alienvault.com/indicator/url/https://gujarati.ent24x7.com", "162.159.208.8" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "Trojan:VBS/MetasploitVBSCmdStager", "display_name": "Trojan:VBS/MetasploitVBSCmdStager", "target": "/malware/Trojan:VBS/MetasploitVBSCmdStager" }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3412, "FileHash-MD5": 194, "FileHash-SHA1": 159, "FileHash-SHA256": 2223, "domain": 2117, "hostname": 1763, "CVE": 2, "email": 5 }, "indicator_count": 9875, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658481716d9034bb0d52212d", "name": "Apple Attack | Floxif Spyware | Threat Network | Virus Network", "description": "Threat Network affecting and/or originating from Apple server. Malware attacks apple airpods, tv, apple store\napple trade, apple tv\napple watch, apple card, apple og?, apple server.\nSystemUpdate.dll issue. Device may partially attempt, device will show latest update, com[promised devices may have throttled update on attempt.\n\nFloxif:\nShort bio\nTrojan.Floxif is Malwarebytes\u2019 detection name for a file-changing Trojanthat targets Windows systems.\n\nSymptoms\nTrojan.Floxif can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine.\n\nStaged data. Floxif primarily target Windows, Apple is less vulnerable to buy can be experience a Floxif attack.", "modified": "2024-01-20T14:03:29.247000", "created": "2023-12-21T18:18:25.746000", "tags": [ "bitrep", "learn", "apple card", "apple", "apple store", "apple tv", "watch vision", "airpods tv", "apple watch", "buy apple", "apple trade", "footer", "media", "find", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious site", "hostname", "hostnames", "detection list", "blacklist", "malware", "alexa", "ip address", "whois record", "ssl certificate", "iocs", "whois whois", "historical ssl", "communicating", "threat network", "ioc search", "new ioc", "teams api", "contact", "attack", "probe", "search", "threat", "paste", "contacted", "april", "threat roundup", "pe resource", "lcid1033", "smlen", "spn647", "bv6fet56ww", "february", "core", "name verdict", "falcon sandbox", "threat analyzer", "samples", "generic malware", "tag count", "malware generic", "tue dec", "threat report", "summary", "first", "http response", "final url", "status code", "body length", "kb body", "sha256", "self", "server apple", "connection", "html info", "title apple", "meta tags", "indextab og", "apple og", "spyware", "plugins", "cab", "fraud urls", "data collection", "staged data", "privilege escalation", "defense evasion", "evasive", "stealthy", "serial number", "symantec time", "stamping", "algorithm", "thumbprint", "from", "symantec sha256", "sha256 code", "signing ca", "class", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "vs2008", "rticon english", "vs2005", "chi2", "contained", "info compiler", "products", "header target", "machine intel", "utc entry", "floxif", "serving ip", "address", "headers nel", "dynamic expires", "gmt server", "file sharing", "personal data" ], "references": [ "https://www.apple.com/qtactivex/qtplugin.cab", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "http://www.screensaver.com/ruxitbeacon", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "http://dns1.whitelist.camect.com [interesting]", "https://www.jbits.courts.state.co [interesting]", "http://www.sos.state.co/ [interesting]", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "Crowdsourced YARA Rulesets", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "20.190.160.2 Microsoft [exploit_source]", "20.190.160.67 Microsoft [exploit_source]", "20.190.160.73 Microsoft [exploit_source]", "watson.events.data.microsoft.com [traffic manager]", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "watson.telemetry.microsoft.us [Data traffic manager]", "www.anyxxxtube.net [tracking]", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Apple", "display_name": "Apple", "target": null } ], "attack_ids": [ { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 609, "FileHash-SHA1": 361, "FileHash-SHA256": 1977, "domain": 460, "hostname": 992, "URL": 3115 }, "indicator_count": 7514, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658303b7e2b4417d9e24a7cc", "name": "Reddit Honeypot | Cyber Defense Firm Attack", "description": "", "modified": "2024-01-19T12:02:13.495000", "created": "2023-12-20T15:09:43.783000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha1", "sha256", "runtime process", "date", "unknown", "error", "path", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "accept", "url http", "filehashmd5", "url https", "search otx", "octoseek report", "spam author", "reddit", "tulach c2", "created", "minutes ago", "added active", "related pulses", "am", "no expiration", "indicator role", "pulses url", "showing", "entries", "dded active", "copyright", "reserved", "cve cve20170199", "win32 exe", "android", "http response", "final url", "ip address", "status code", "body length", "kb body", "headers", "manager", "files", "detections type", "name", "lord krishna", "right", "tjprojmain", "windows", "secure", "headers nel", "ssl certificate", "whois whois", "historical ssl", "referrer", "logistics", "cyber defense", "firm collection", "ioc honeypot", "list for", "malware", "open", "attack", "contacted", "dropped", "bundled", "problems", "whois record", "domains", "execution", "agent tesla", "azorult", "project", "startpage", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "magic pe32", "installer", "compiler", "nsis", "serial number", "g4 code", "signing rsa4096", "sha384", "root g4", "valid from", "algorithm", "thumbprint", "fast corporate", "from", "pe resource", "collection", "vt graph", "paulsmith", "apple tv", "apple music", "$RTD4NQU.exe", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "summary", "nisis", "executable", "ms windows", "trid win64", "generic", "sections", "sha256 file", "type type", "chi2", "dkey english", "xml rtmanifest", "english us", "overlay", "learn", "botnet", "honeypot", "ejkaej saBey k7-^Oa" ], "references": [ "https://www.reddit.com/user/", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "Gowi Live Bot.exe", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "browser.events.data.msn.com | events-sandbox.data.msn.com", "https://tulach.cc/ [phishing attacks]", "tulach.cc [AM | phishing]", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "3.163.189.120 [Tracking]", "86.140.232.148 [scanning_host]", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "checkip.dyndns.org [command_and_control]", "104.86.182.8 [command_and_control]", "103.224.182.253 [command_and_control]", "103.224.182.246 [command_and_control]", "www.supernetforme.com [command_and_control]", "rp.downloadastrocdn.com [command_and_control]", "ddos.dnsnb8.net [command_and_control]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AM", "display_name": "AM", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "adware.pcappstore/veryfast", "display_name": "adware.pcappstore/veryfast", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Static AI - Malicious PE", "display_name": "Static AI - Malicious PE", "target": null }, { "id": "HoneyPot", "display_name": "HoneyPot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 374, "FileHash-SHA256": 5560, "URL": 7433, "domain": 1461, "hostname": 2463, "CVE": 3, "email": 1 }, "indicator_count": 17687, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "863 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "http://www.proxydocker.com/ja/proxy/43.229.135.125:8080", "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "http://www.screensaver.com/ruxitbeacon", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "Alerts: packer_unknown", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "alohatube.xyz [keylogger aimed at Tsara Brashears]", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "20.190.160.73 Microsoft [exploit_source]", "https://gr.pinterest.com/emreimer/", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "http://discover.hubpages.com/literature/Most-Beautiful-Quotes-on-Love-and-Heartbreak [RAT| Tagging target in adult content fraud sites]", "manvimishraa5417@gmail.com [Video of Tsara Brashears circulation]", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "http://www.sos.state.co/ [interesting]", "ddos.dnsnb8.net [command_and_control]", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]", "https://www.neurosky.jp/wp-content/plugins/responsive-lightbox/assets/fancybox/jquery.fancybox.min.js?ver=2.1.0", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "http://www.pinterest.com/ideas/songwriting/945635263947/", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "Wife of Brashears SAter \u2022 Alias \u2022 Couple plays victim \u2022 Karens. HIPPA violations. Admittedly involved cyberstalking on Brashears. Legally agreed to stop.", "https://gujarati.ent24x7.comb [RAT]", "tulach.cc [AM | phishing]", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "162.159.208.8", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "http://alohatube.xyz/search/tsara-brashears/", "https://www.apple.com/qtactivex/qtplugin.cab", "http://neurosky.jp", "www.anyxxxtube.net [tracking]", "https://tulach.cc/ [phishing attacks]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "https://www.hybrid-analysis.com/file-inline/65c63a1fbc9c5333d20354ca/screenshot/screen_6.png", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "104.86.182.8 [command_and_control]", "https://tulach.cc/socrative/internal.js", "https://www.sweetheartvideo.com/tsara-brashears", "webdisk.thehomemakers.nl", "http://45.159.189.105/bot/regex", "https://twitter.com/PORNO_SEXYBABES | cloud.zemana.com - porn cloud", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "browser.events.data.msn.com | events-sandbox.data.msn.com", "checkip.dyndns.org [command_and_control]", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "3.163.189.120 [Tracking]", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "http://connectivitycheck.gstatic.com/generate_204 [RAT]", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "https://www.sweetheartvideo.com/tsara-brashears/", "https://www.reddit.com/user/", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "http://consolefoundry.date/one/gate.php", "https://www.hybrid-analysis.com/sample/92b00ee3aca1f3057ad8402229c27bfdd6fc934908ef641b36379bf47093df0b/65c63a1fbc9c5333d20354ca", "20.190.160.2 Microsoft [exploit_source]", "http://freedns.afraid.org/images/apple.gif", "Crowdsourced YARA Rulesets", "facebooksunglassshop.com [titled' Tsara Brashears GCcmwm.T ?]", "103.224.182.246 [command_and_control]", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "https://alohatube.xyz/search/tsara-brashears", "Malicious IP Contacted: 69.42.215.252", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "https://www.mumuplayer.com/redirect/customerservice/_wig", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "rp.downloadastrocdn.com [command_and_control]", "www.supernetforme.com [command_and_control]", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language:", "https://alohatube.xyz/search/tsara-brashears+(Formerly+Botnetwork+malvertizing+campaign+targeting+Tsara+Brashears+crime+victim.+Now+", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "www.pornhub.com", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "watson.events.data.microsoft.com [traffic manager]", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "http://email.birdeye.org/c/eJxkUcFuozAU_JrHsTLPYODAIYQmSqXNqmm3q-4FGfNIrAUbGTtV-_UrklRatT5ZnvGbeTNVmLWhed6HsSVXxiLNsyLniUhFyoqolp6eyPgSE4Ysjw407boSMerKWKV90kdUxhnLuMiyhEenUiZ9LjAuij6PMWdMSpnFJPKkLVQrUhHpEtl1GEuSgvG7DIss6XsZCy7jooghYa12Hb3TnXXHaChP3k8z8BXgBnDziSk7Am4mp5U2xwXim-DHZrbBKQJeT852QfmGRqkHQLGAI3U6jMDr_x-VNZ6MB15vf1SAotUd8PpLEJ9cOU5SHw3w2ppBG2omRzMZRc1CaY0cF-21NTO5s_TaGsDqidxZK5oBq62zYQKsdkYBimmQipqL3vq0e9i3-VoOf-J09_dgq-m-enupQnUEFNp0YfbuHXgNKD70dL04Omt6a5QNF_-H-5fd_e9m_fPX_hlQyPOxuTGc9EtKvF69bJvD6", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://alohatube.xyz/search/tsara-brashears", "https://www.jbits.courts.state.co [interesting]", "watson.telemetry.microsoft.us [Data traffic manager]", "Gowi Live Bot.exe", "20.190.160.67 Microsoft [exploit_source]", "103.224.182.253 [command_and_control]", "http://dns1.whitelist.camect.com [interesting]", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "https://www.pornhub.com/video/search?search=tsara+brashears", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing \u2022 mitre S0154]", "CnC IP's: 104.124.58.137 \u2022 45.159.189.105 | Exploit source: 1.179.151.145 | scanning host: 208.115.103.34", "86.140.232.148 [scanning_host]", "http://clipper.guru/bot/online?guid=PC\\Administrator&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb", "message.htm.com \u2022 CVE-2023-4966 \u2022 ransomed.vc", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354", "https://gujarati.ent24x7.com | https://otx.alienvault.com/indicator/url/https://gujarati.ent24x7.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Other malware", "Win.dropper.nanocore-10021490-0", "Adware.pcappstore/veryfast", "Static ai - malicious pe", "Cobalt strike", "Tulach malware", "Apple", "Win.trojan.blacknetrat-7838854-0", "Worm:win32/autorun!atmn", "Am", "Tulach", "Win.packed.remcos-10024510-0", "Code overlap", "Honeypot", "Malware", "Trojan:vbs/metasploitvbscmdstager", "Psw:win32/vb.cu", "Win.trojan.emotet-9850453", "Hacktool", "Agent tesla", "Nsis" ], "industries": [ "Media", "Telecommunications", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "6920c43c3772bb24f26f70cc", "name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun", "description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.", "modified": "2025-12-21T18:01:07.268000", "created": "2025-11-21T19:57:48.145000", "tags": [ "dynamicloader", "write c", "write", "high", "yara rule", "myapp", "delphi", "worm", "win32", "error", "code", "malware", "defender", "medium", "binary file", "heavensgate", "bochs", "dynamic", "td td", "td tr", "united", "a td", "a domains", "dynamic dns", "static dns", "dd wrt", "twitter", "trojan", "trojandropper", "null", "enough", "simple", "click", "easy", "premium", "associated urls", "server response", "google safe", "results nov", "avast avg", "11.21.2025", "11.20.2025", "borland delphi", "pe32", "intel", "ms windows", "inno setup", "win32 exe", "pecompact", "delphi generic", "pe32 compiler", "dark comet", "dark gate", "glassworm", "md5 code", "data", "porkbun llc", "windows match", "getprocaddress", "peb idrdata", "match peb", "t1547", "t1059 t1112", "shared modules", "t1129", "boot", "logon autostart", "execu", "t1134 boot", "encoding", "capture e1113", "file attributes", "analysis ob0001", "b0001 software", "virtual machine", "detection b0009", "analysis ob0002", "ob0003 screen", "windows get", "check", "encode", "check internet", "wininet set", "clear file", "enumerate gui", "get hostname", "get keyboard", "set registry", "find", "capture", "url http", "consolefoundry", "console foundry", "foundry", "malware catalog tree", "autorun keys", "modification", "alexander karp", "peter theil", "christoper ahmann", "christopher pool", "mercedes", "apple", "palantir", "adversarial", "adversaries", "hostile", "quasi", "empty hash", "denver", "mal_xred_backdoor", "backdoor", "xred", "brian sabey", "first-send-petikvx", "stop", "glassworm", "elex", "darkgate", "dark-comet", "search", "entries", "show", "yara detections", "icmp traffic", "rtf file", "top source", "top destination", "format", "host", "copy", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "access att", "font", "copy md5", "copy sha1", "copy sha256", "sha1", "ascii text", "pattern match", "sha256", "mitre att", "title", "meta", "hybrid", "local", "path", "strings", "body", "contact", "trace", "form", "bitcoin", "core", "jeffrey reimer", "exe infection", "cve", "porn" ], "references": [ "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "Alerts: packer_unknown", "Malicious IP Contacted: 69.42.215.252", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "http://freedns.afraid.org/images/apple.gif", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.mumuplayer.com/redirect/customerservice/_wig", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://consolefoundry.date/one/gate.php", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453", "display_name": "Win.Trojan.Emotet-9850453", "target": null }, { "id": "Win.Trojan.BlackNetRAT-7838854-0", "display_name": "Win.Trojan.BlackNetRAT-7838854-0", "target": null }, { "id": "Win.Dropper.Nanocore-10021490-0", "display_name": "Win.Dropper.Nanocore-10021490-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Packed.Remcos-10024510-0", "display_name": "Win.Packed.Remcos-10024510-0", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "PSW:Win32/VB.CU", "display_name": "PSW:Win32/VB.CU", "target": "/malware/PSW:Win32/VB.CU" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1541", "name": "Foreground Persistence", "display_name": "T1541 - Foreground Persistence" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 460, "FileHash-SHA1": 437, "FileHash-SHA256": 4483, "SSLCertFingerprint": 2, "URL": 6487, "hostname": 1772, "domain": 652, "CVE": 3, "email": 5 }, "indicator_count": 14301, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "161 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c68bc8b8745068608cc50d", "name": "Metasploit | Ransomware | PinterestPots - Pin.it", "description": "", "modified": "2024-03-10T20:03:45.513000", "created": "2024-02-09T20:32:08.358000", "tags": [ "whois record", "contacted", "tsara brashears", "ssl certificate", "apple ios", "unlocker", "historical ssl", "referrer", "highly targeted", "critical risk", "hacktool", "malicious", "cobalt strike", "metasploit", "installer", "malware", "awful", "android", "banker", "keylogger", "jeffrey reimer", "emreimer", "emily reimer goldstien", "eva lisa", "eva lisa reimer", "status code", "http response", "ieedge date", "maxage86400", "path", "httponly xcdn", "connection", "vary useragent", "targeting brashears", "communicating", "whois whois", "collections", "password", "adult content", "core", "metro", "apple", "copy", "suspicious", "vj99", "threat", "slfrd1", "paste", "iocs", "analyze", "hostnames", "urls http", "jid1221717543", "slc1", "a domains", "united", "search", "date", "as15169 google", "passive dns", "urls", "record value", "name servers", "status", "encrypt", "win32", "next", "msie", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "url analysis", "body", "domain", "unknown", "china unknown", "pulse pulses", "files", "ip address", "servers", "domain name", "showing", "as54113", "as16625 akamai", "as20940", "aaaa", "cname", "as396982 google", "as14061", "script domains", "hostname", "japan unknown", "gmt content", "gmt etag", "pragma", "accept", "location japan", "asn as131965", "less", "pulses", "related tags", "meta", "asn as13335", "443 ma2592000", "certificate", "germany unknown", "script urls", "link", "code", "moved", "russia unknown", "as51659 llc", "as12616 filanc", "welcome", "uhttps", "urls https", "ccb455304", "ccb455307", "vj93", "uyebaauqaaaaaac", "malvertizing", "tagging", "prefetch8", "script", "prefetch1", "command decode", "segoe ui", "suricata ipv4", "emoji", "mitre att", "suricata udpv4", "roboto", "courier", "february", "hybrid", "general", "model", "comspec", "click", "strings" ], "references": [ "https://gr.pinterest.com/emreimer/", "Wife of Brashears SAter \u2022 Alias \u2022 Couple plays victim \u2022 Karens. HIPPA violations. Admittedly involved cyberstalking on Brashears. Legally agreed to stop.", "message.htm.com \u2022 CVE-2023-4966 \u2022 ransomed.vc", "http://neurosky.jp", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://45.159.189.105/bot/regex", "http://alohatube.xyz/search/tsara-brashears", "facebooksunglassshop.com [titled' Tsara Brashears GCcmwm.T ?]", "alohatube.xyz [keylogger aimed at Tsara Brashears]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.pornhub.com/video/search?search=tsara+brashears", "http://alohatube.xyz/search/tsara-brashears/", "https://alohatube.xyz/search/tsara-brashears", "https://alohatube.xyz/search/tsara-brashears+(Formerly+Botnetwork+malvertizing+campaign+targeting+Tsara+Brashears+crime+victim.+Now+", "https://www.sweetheartvideo.com/tsara-brashears/", "manvimishraa5417@gmail.com [Video of Tsara Brashears circulation]", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language:", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "https://www.sweetheartvideo.com/tsara-brashears", "https://www.hybrid-analysis.com/sample/92b00ee3aca1f3057ad8402229c27bfdd6fc934908ef641b36379bf47093df0b/65c63a1fbc9c5333d20354ca", "https://www.hybrid-analysis.com/file-inline/65c63a1fbc9c5333d20354ca/screenshot/screen_6.png", "https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing \u2022 mitre S0154]", "CnC IP's: 104.124.58.137 \u2022 45.159.189.105 | Exploit source: 1.179.151.145 | scanning host: 208.115.103.34", "http://www.proxydocker.com/ja/proxy/43.229.135.125:8080", "https://twitter.com/PORNO_SEXYBABES | cloud.zemana.com - porn cloud", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/", "www.pornhub.com", "http://www.pinterest.com/ideas/songwriting/945635263947/", "https://www.neurosky.jp/wp-content/plugins/responsive-lightbox/assets/fancybox/jquery.fancybox.min.js?ver=2.1.0", "webdisk.thehomemakers.nl", "http://connectivitycheck.gstatic.com/generate_204 [RAT]", "http://discover.hubpages.com/literature/Most-Beautiful-Quotes-on-Love-and-Heartbreak [RAT| Tagging target in adult content fraud sites]", "https://gujarati.ent24x7.comb [RAT]", "http://clipper.guru/bot/online?guid=PC\\Administrator&key=ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb", "https://tulach.cc/socrative/internal.js", "http://email.birdeye.org/c/eJxkUcFuozAU_JrHsTLPYODAIYQmSqXNqmm3q-4FGfNIrAUbGTtV-_UrklRatT5ZnvGbeTNVmLWhed6HsSVXxiLNsyLniUhFyoqolp6eyPgSE4Ysjw407boSMerKWKV90kdUxhnLuMiyhEenUiZ9LjAuij6PMWdMSpnFJPKkLVQrUhHpEtl1GEuSgvG7DIss6XsZCy7jooghYa12Hb3TnXXHaChP3k8z8BXgBnDziSk7Am4mp5U2xwXim-DHZrbBKQJeT852QfmGRqkHQLGAI3U6jMDr_x-VNZ6MB15vf1SAotUd8PpLEJ9cOU5SHw3w2ppBG2omRzMZRc1CaY0cF-21NTO5s_TaGsDqidxZK5oBq62zYQKsdkYBimmQipqL3vq0e9i3-VoOf-J09_dgq-m-enupQnUEFNp0YfbuHXgNKD70dL04Omt6a5QNF_-H-5fd_e9m_fPX_hlQyPOxuTGc9EtKvF69bJvD6", "https://gujarati.ent24x7.com | https://otx.alienvault.com/indicator/url/https://gujarati.ent24x7.com", "162.159.208.8" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan" ], "malware_families": [ { "id": "Trojan:VBS/MetasploitVBSCmdStager", "display_name": "Trojan:VBS/MetasploitVBSCmdStager", "target": "/malware/Trojan:VBS/MetasploitVBSCmdStager" }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3412, "FileHash-MD5": 194, "FileHash-SHA1": 159, "FileHash-SHA256": 2223, "domain": 2117, "hostname": 1763, "CVE": 2, "email": 5 }, "indicator_count": 9875, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658481716d9034bb0d52212d", "name": "Apple Attack | Floxif Spyware | Threat Network | Virus Network", "description": "Threat Network affecting and/or originating from Apple server. Malware attacks apple airpods, tv, apple store\napple trade, apple tv\napple watch, apple card, apple og?, apple server.\nSystemUpdate.dll issue. Device may partially attempt, device will show latest update, com[promised devices may have throttled update on attempt.\n\nFloxif:\nShort bio\nTrojan.Floxif is Malwarebytes\u2019 detection name for a file-changing Trojanthat targets Windows systems.\n\nSymptoms\nTrojan.Floxif can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine.\n\nStaged data. Floxif primarily target Windows, Apple is less vulnerable to buy can be experience a Floxif attack.", "modified": "2024-01-20T14:03:29.247000", "created": "2023-12-21T18:18:25.746000", "tags": [ "bitrep", "learn", "apple card", "apple", "apple store", "apple tv", "watch vision", "airpods tv", "apple watch", "buy apple", "apple trade", "footer", "media", "find", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious site", "hostname", "hostnames", "detection list", "blacklist", "malware", "alexa", "ip address", "whois record", "ssl certificate", "iocs", "whois whois", "historical ssl", "communicating", "threat network", "ioc search", "new ioc", "teams api", "contact", "attack", "probe", "search", "threat", "paste", "contacted", "april", "threat roundup", "pe resource", "lcid1033", "smlen", "spn647", "bv6fet56ww", "february", "core", "name verdict", "falcon sandbox", "threat analyzer", "samples", "generic malware", "tag count", "malware generic", "tue dec", "threat report", "summary", "first", "http response", "final url", "status code", "body length", "kb body", "sha256", "self", "server apple", "connection", "html info", "title apple", "meta tags", "indextab og", "apple og", "spyware", "plugins", "cab", "fraud urls", "data collection", "staged data", "privilege escalation", "defense evasion", "evasive", "stealthy", "serial number", "symantec time", "stamping", "algorithm", "thumbprint", "from", "symantec sha256", "sha256 code", "signing ca", "class", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "win32 dll", "magic pe32", "intel", "ms windows", "compiler", "vs2008", "rticon english", "vs2005", "chi2", "contained", "info compiler", "products", "header target", "machine intel", "utc entry", "floxif", "serving ip", "address", "headers nel", "dynamic expires", "gmt server", "file sharing", "personal data" ], "references": [ "https://www.apple.com/qtactivex/qtplugin.cab", "https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad", "https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]", "http://www.screensaver.com/ruxitbeacon", "https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]", "http://dns1.whitelist.camect.com [interesting]", "https://www.jbits.courts.state.co [interesting]", "http://www.sos.state.co/ [interesting]", "https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary", "https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary", "Crowdsourced YARA Rulesets", "Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems", "Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security", "Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth", "https://www.malwarebytes.com/blog/detections/trojan-floxif", "20.190.160.2 Microsoft [exploit_source]", "20.190.160.67 Microsoft [exploit_source]", "20.190.160.73 Microsoft [exploit_source]", "watson.events.data.microsoft.com [traffic manager]", "http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]", "watson.telemetry.microsoft.us [Data traffic manager]", "www.anyxxxtube.net [tracking]", "https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Apple", "display_name": "Apple", "target": null } ], "attack_ids": [ { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 609, "FileHash-SHA1": 361, "FileHash-SHA256": 1977, "domain": 460, "hostname": 992, "URL": 3115 }, "indicator_count": 7514, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658303b7e2b4417d9e24a7cc", "name": "Reddit Honeypot | Cyber Defense Firm Attack", "description": "", "modified": "2024-01-19T12:02:13.495000", "created": "2023-12-20T15:09:43.783000", "tags": [ "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha1", "sha256", "runtime process", "date", "unknown", "error", "path", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "accept", "url http", "filehashmd5", "url https", "search otx", "octoseek report", "spam author", "reddit", "tulach c2", "created", "minutes ago", "added active", "related pulses", "am", "no expiration", "indicator role", "pulses url", "showing", "entries", "dded active", "copyright", "reserved", "cve cve20170199", "win32 exe", "android", "http response", "final url", "ip address", "status code", "body length", "kb body", "headers", "manager", "files", "detections type", "name", "lord krishna", "right", "tjprojmain", "windows", "secure", "headers nel", "ssl certificate", "whois whois", "historical ssl", "referrer", "logistics", "cyber defense", "firm collection", "ioc honeypot", "list for", "malware", "open", "attack", "contacted", "dropped", "bundled", "problems", "whois record", "domains", "execution", "agent tesla", "azorult", "project", "startpage", "vhash", "authentihash", "imphash", "rich pe", "ssdeep", "file type", "magic pe32", "installer", "compiler", "nsis", "serial number", "g4 code", "signing rsa4096", "sha384", "root g4", "valid from", "algorithm", "thumbprint", "fast corporate", "from", "pe resource", "collection", "vt graph", "paulsmith", "apple tv", "apple music", "$RTD4NQU.exe", "no data", "tag count", "ioc search", "new ioc", "teams api", "contact", "search", "iocs", "summary", "nisis", "executable", "ms windows", "trid win64", "generic", "sections", "sha256 file", "type type", "chi2", "dkey english", "xml rtmanifest", "english us", "overlay", "learn", "botnet", "honeypot", "ejkaej saBey k7-^Oa" ], "references": [ "https://www.reddit.com/user/", "https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary", "Gowi Live Bot.exe", "https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary", "https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f", "nr-data.net [New Relic Tracking | Apple Private Data Collection]", "[w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]", "tv.apple.com [Apple Backdoor| Attack | Hacking]", "name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]", "browser.events.data.msn.com | events-sandbox.data.msn.com", "https://tulach.cc/ [phishing attacks]", "tulach.cc [AM | phishing]", "$RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy", "$RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC", "3.163.189.120 [Tracking]", "86.140.232.148 [scanning_host]", "https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]", "http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]", "checkip.dyndns.org [command_and_control]", "104.86.182.8 [command_and_control]", "103.224.182.253 [command_and_control]", "103.224.182.246 [command_and_control]", "www.supernetforme.com [command_and_control]", "rp.downloadastrocdn.com [command_and_control]", "ddos.dnsnb8.net [command_and_control]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "AM", "display_name": "AM", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "adware.pcappstore/veryfast", "display_name": "adware.pcappstore/veryfast", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "Static AI - Malicious PE", "display_name": "Static AI - Malicious PE", "target": null }, { "id": "HoneyPot", "display_name": "HoneyPot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 392, "FileHash-SHA1": 374, "FileHash-SHA256": 5560, "URL": 7433, "domain": 1461, "hostname": 2463, "CVE": 3, "email": 1 }, "indicator_count": 17687, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "863 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "proble.co", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "proble.co", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780308854.592958 }