{
  "type": "Domain",
  "indicator": "registry.google",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/registry.google",
    "alexa": "http://www.alexa.com/siteinfo/registry.google",
    "indicator": "registry.google",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2853084118,
      "indicator": "registry.google",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 9,
      "pulses": [
        {
          "id": "6a056cacb981e6f3b2dd4647",
          "name": "Hijacked 'Operation Endgame' Tofsee Ransomware clone credit scoreblue",
          "description": "",
          "modified": "2026-05-14T07:28:01.780000",
          "created": "2026-05-14T06:33:16.946000",
          "tags": [
            "as8075",
            "united",
            "pid425870621",
            "tid700443057",
            "tpid425870621",
            "slot1",
            "mascore2",
            "bcnt1",
            "unid88000705",
            "nct1",
            "date",
            "china",
            "china unknown",
            "passive dns",
            "body xml",
            "error code",
            "requestid",
            "hostid ec",
            "server",
            "gmt content",
            "type",
            "registry",
            "intel",
            "ms windows",
            "show",
            "entries",
            "search",
            "high",
            "pe32",
            "high process",
            "injection t1055",
            "salicode",
            "worm",
            "copy",
            "tools",
            "service",
            "write",
            "win32",
            "persistence",
            "execution",
            "april",
            "urls",
            "http",
            "unique",
            "scan endpoints",
            "all scoreblue",
            "url http",
            "pulse pulses",
            "ip address",
            "related nids",
            "code",
            "as54113",
            "unknown",
            "body",
            "fastly error",
            "please",
            "sea p",
            "msil",
            "accept",
            "aaaa",
            "nxdomain",
            "whitelisted",
            "as15169 google",
            "status",
            "as44273 host",
            "as46691",
            "domain",
            "url https",
            "files location",
            "info",
            "script urls",
            "path max",
            "age86400 set",
            "cookie",
            "script domains",
            "javascript",
            "script script",
            "trojanspy",
            "cname",
            "emails",
            "servers",
            "all search",
            "related pulses",
            "file samples",
            "files matching",
            "creation date",
            "germany unknown",
            "yara detections",
            "filehash",
            "av detections",
            "ids detections",
            "alerts",
            "analysis date",
            "file score",
            "meta",
            "home welcome",
            "write c",
            "delete c",
            "query",
            "local",
            "hostname",
            "a domains",
            "lowfi",
            "content type",
            "record value",
            "suite",
            "showing",
            "asnone united",
            "as29873",
            "ipv4",
            "pulse submit",
            "url analysis",
            "files",
            "pe32 executable",
            "potential scan",
            "0pgtwhu",
            "t1045",
            "port",
            "infection",
            "recon",
            "malware",
            "june",
            "delphi",
            "taobao network",
            "as45102 alibaba",
            "as4812 china",
            "next",
            "expiration date",
            "name servers",
            "dynamicloader",
            "dynamic",
            "sha256",
            "dynamic link",
            "library exe",
            "adobe",
            "incorporated",
            "read",
            "yara rule",
            "delete",
            "binary file",
            "push",
            "malicious",
            "july",
            "iocs",
            "levelbluelabs",
            "jeff4son",
            "adversaries",
            "registry run",
            "flow t1574",
            "dll sideloading",
            "boot",
            "logon autostart",
            "execution t1547",
            "keys",
            "startup folder",
            "t1497 may",
            "encryption",
            "catalog tree",
            "analysis ob0001",
            "virtual machine",
            "detection b0009",
            "check registry",
            "analysis ob0002",
            "executable code",
            "stack strings",
            "control ob0004",
            "get http",
            "http requests",
            "dns resolutions",
            "ip traffic",
            "pattern domains",
            "memory pattern",
            "urls http",
            "request",
            "response",
            "connection",
            "trojan",
            "otx scoreblue",
            "windows",
            "embeddedwb",
            "medium",
            "shellexecuteexw",
            "msie",
            "windows nt",
            "displayname",
            "tofsee",
            "hashes",
            "vhash",
            "authentihash",
            "ssdeep",
            "win32 exe",
            "magic pe32",
            "trid win32",
            "library",
            "read c",
            "file guard",
            "rtversion",
            "langchinese",
            "legalcopyright",
            "reserved",
            "ransom",
            "moved",
            "media",
            "ascii text",
            "default",
            "upack",
            "mike",
            "contacted",
            "x87xe1x1d",
            "regsetvalueexa",
            "x95xd3xa4",
            "regbinary",
            "x84xa8xe8i",
            "x8dxb7xb7",
            "hx88x9ax1e",
            "mx81xd1r",
            "x92xac",
            "xc2x84",
            "stream",
            "swipper",
            "pdfcreator.sf.net",
            "botnet",
            "black mercedes",
            "please forgive me",
            "therahand thouroughhand"
          ],
          "references": [
            "Project Endgame - pegausintel.com -Unsure if related to NSO Group",
            "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean",
            "Yara Detections: compromised_site_redirector_fromcharcode ,  Cabinet_Archive ,  SFX_CAB",
            "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile",
            "P\u2019s Contacted:  93.184.221.240  3.33.130.190 |  Domains Contacted: counterslocal.com",
            "compromised_site_redirector_fromcharcode fromCharCode",
            "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527",
            "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/",
            "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf",
            "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/",
            "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166",
            "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539",
            "Antivirus Detections Cryp_Xed-12 ,  Mal/Generic-S ,  Packed/Upack Yara Detections Upackv039finalDwing ,  UpackV037Dwing",
            "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Worm:Win32/Macoute.A",
              "display_name": "Worm:Win32/Macoute.A",
              "target": "/malware/Worm:Win32/Macoute.A"
            },
            {
              "id": "TrojanDownloader:Win32/Nemucod",
              "display_name": "TrojanDownloader:Win32/Nemucod",
              "target": "/malware/TrojanDownloader:Win32/Nemucod"
            },
            {
              "id": "TrojanSpy:Win32/Nivdort",
              "display_name": "TrojanSpy:Win32/Nivdort",
              "target": "/malware/TrojanSpy:Win32/Nivdort"
            },
            {
              "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
              "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
              "target": null
            },
            {
              "id": "Worm:Win32/Fesber.A",
              "display_name": "Worm:Win32/Fesber.A",
              "target": "/malware/Worm:Win32/Fesber.A"
            },
            {
              "id": "Ransom:Win32/Eniqma.A",
              "display_name": "Ransom:Win32/Eniqma.A",
              "target": "/malware/Ransom:Win32/Eniqma.A"
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "UpackV037Dwing",
              "display_name": "UpackV037Dwing",
              "target": null
            },
            {
              "id": "Cryp_Xed-12",
              "display_name": "Cryp_Xed-12",
              "target": null
            },
            {
              "id": "Mal/Generic-S",
              "display_name": "Mal/Generic-S",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "66eb3ef6d765187a437767e4",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1521,
            "FileHash-SHA1": 1395,
            "FileHash-SHA256": 6084,
            "URL": 1499,
            "domain": 1947,
            "hostname": 1361,
            "email": 18,
            "CVE": 1
          },
          "indicator_count": 13826,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "18 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a056cac80d9b80eb1a97e29",
          "name": "Hijacked 'Operation Endgame' Tofsee Ransomware clone credit scoreblue",
          "description": "",
          "modified": "2026-05-14T07:14:09.098000",
          "created": "2026-05-14T06:33:16.505000",
          "tags": [
            "as8075",
            "united",
            "pid425870621",
            "tid700443057",
            "tpid425870621",
            "slot1",
            "mascore2",
            "bcnt1",
            "unid88000705",
            "nct1",
            "date",
            "china",
            "china unknown",
            "passive dns",
            "body xml",
            "error code",
            "requestid",
            "hostid ec",
            "server",
            "gmt content",
            "type",
            "registry",
            "intel",
            "ms windows",
            "show",
            "entries",
            "search",
            "high",
            "pe32",
            "high process",
            "injection t1055",
            "salicode",
            "worm",
            "copy",
            "tools",
            "service",
            "write",
            "win32",
            "persistence",
            "execution",
            "april",
            "urls",
            "http",
            "unique",
            "scan endpoints",
            "all scoreblue",
            "url http",
            "pulse pulses",
            "ip address",
            "related nids",
            "code",
            "as54113",
            "unknown",
            "body",
            "fastly error",
            "please",
            "sea p",
            "msil",
            "accept",
            "aaaa",
            "nxdomain",
            "whitelisted",
            "as15169 google",
            "status",
            "as44273 host",
            "as46691",
            "domain",
            "url https",
            "files location",
            "info",
            "script urls",
            "path max",
            "age86400 set",
            "cookie",
            "script domains",
            "javascript",
            "script script",
            "trojanspy",
            "cname",
            "emails",
            "servers",
            "all search",
            "related pulses",
            "file samples",
            "files matching",
            "creation date",
            "germany unknown",
            "yara detections",
            "filehash",
            "av detections",
            "ids detections",
            "alerts",
            "analysis date",
            "file score",
            "meta",
            "home welcome",
            "write c",
            "delete c",
            "query",
            "local",
            "hostname",
            "a domains",
            "lowfi",
            "content type",
            "record value",
            "suite",
            "showing",
            "asnone united",
            "as29873",
            "ipv4",
            "pulse submit",
            "url analysis",
            "files",
            "pe32 executable",
            "potential scan",
            "0pgtwhu",
            "t1045",
            "port",
            "infection",
            "recon",
            "malware",
            "june",
            "delphi",
            "taobao network",
            "as45102 alibaba",
            "as4812 china",
            "next",
            "expiration date",
            "name servers",
            "dynamicloader",
            "dynamic",
            "sha256",
            "dynamic link",
            "library exe",
            "adobe",
            "incorporated",
            "read",
            "yara rule",
            "delete",
            "binary file",
            "push",
            "malicious",
            "july",
            "iocs",
            "levelbluelabs",
            "jeff4son",
            "adversaries",
            "registry run",
            "flow t1574",
            "dll sideloading",
            "boot",
            "logon autostart",
            "execution t1547",
            "keys",
            "startup folder",
            "t1497 may",
            "encryption",
            "catalog tree",
            "analysis ob0001",
            "virtual machine",
            "detection b0009",
            "check registry",
            "analysis ob0002",
            "executable code",
            "stack strings",
            "control ob0004",
            "get http",
            "http requests",
            "dns resolutions",
            "ip traffic",
            "pattern domains",
            "memory pattern",
            "urls http",
            "request",
            "response",
            "connection",
            "trojan",
            "otx scoreblue",
            "windows",
            "embeddedwb",
            "medium",
            "shellexecuteexw",
            "msie",
            "windows nt",
            "displayname",
            "tofsee",
            "hashes",
            "vhash",
            "authentihash",
            "ssdeep",
            "win32 exe",
            "magic pe32",
            "trid win32",
            "library",
            "read c",
            "file guard",
            "rtversion",
            "langchinese",
            "legalcopyright",
            "reserved",
            "ransom",
            "moved",
            "media",
            "ascii text",
            "default",
            "upack",
            "mike",
            "contacted",
            "x87xe1x1d",
            "regsetvalueexa",
            "x95xd3xa4",
            "regbinary",
            "x84xa8xe8i",
            "x8dxb7xb7",
            "hx88x9ax1e",
            "mx81xd1r",
            "x92xac",
            "xc2x84",
            "stream",
            "swipper",
            "pdfcreator.sf.net",
            "botnet",
            "black mercedes",
            "please forgive me",
            "therahand thouroughhand"
          ],
          "references": [
            "Project Endgame - pegausintel.com -Unsure if related to NSO Group",
            "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean",
            "Yara Detections: compromised_site_redirector_fromcharcode ,  Cabinet_Archive ,  SFX_CAB",
            "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile",
            "P\u2019s Contacted:  93.184.221.240  3.33.130.190 |  Domains Contacted: counterslocal.com",
            "compromised_site_redirector_fromcharcode fromCharCode",
            "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527",
            "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/",
            "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf",
            "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/",
            "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166",
            "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539",
            "Antivirus Detections Cryp_Xed-12 ,  Mal/Generic-S ,  Packed/Upack Yara Detections Upackv039finalDwing ,  UpackV037Dwing",
            "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Worm:Win32/Macoute.A",
              "display_name": "Worm:Win32/Macoute.A",
              "target": "/malware/Worm:Win32/Macoute.A"
            },
            {
              "id": "TrojanDownloader:Win32/Nemucod",
              "display_name": "TrojanDownloader:Win32/Nemucod",
              "target": "/malware/TrojanDownloader:Win32/Nemucod"
            },
            {
              "id": "TrojanSpy:Win32/Nivdort",
              "display_name": "TrojanSpy:Win32/Nivdort",
              "target": "/malware/TrojanSpy:Win32/Nivdort"
            },
            {
              "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
              "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
              "target": null
            },
            {
              "id": "Worm:Win32/Fesber.A",
              "display_name": "Worm:Win32/Fesber.A",
              "target": "/malware/Worm:Win32/Fesber.A"
            },
            {
              "id": "Ransom:Win32/Eniqma.A",
              "display_name": "Ransom:Win32/Eniqma.A",
              "target": "/malware/Ransom:Win32/Eniqma.A"
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "UpackV037Dwing",
              "display_name": "UpackV037Dwing",
              "target": null
            },
            {
              "id": "Cryp_Xed-12",
              "display_name": "Cryp_Xed-12",
              "target": null
            },
            {
              "id": "Mal/Generic-S",
              "display_name": "Mal/Generic-S",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "66eb3ef6d765187a437767e4",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1493,
            "FileHash-SHA1": 1393,
            "FileHash-SHA256": 5881,
            "URL": 1499,
            "domain": 1947,
            "hostname": 1360,
            "email": 18,
            "CVE": 1
          },
          "indicator_count": 13592,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "18 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66eb3ef6d765187a437767e4",
          "name": "Hijacked 'Operation Endgame' Tofsee  Ransomware",
          "description": "This a project. A target has been put into  different Operations: Project Hilo, Project Helix, Operation Endgame, The NSO Cellebrite Pegasus hit list. These are real and very serious serious threat. Severe Cyber issues made their way to her infected devices as well as the devices of family members. Death threats continue to come in. Several DoD IP addresses found in a PDF. It's unresearched at this time,, DoD via BGP HE has been questionable considering use gateway abuse by SWIPPER. \n\nStill no authority can confirm victim is a suspect. Must be a crazy high to help Jeffrey Scott Reiner PT. DPT  get away with assault in such a ridiculous manner. Court report posted online by Trellis (BS) is of course a falsified , vulnerability filled 'made you click'  document.. Faldif0, empty docmpty doc, citing  it was refreshed in 2023. \nThere is no doubt these  masqueraders mean to intimidate, humiliate, isolate & harm target. These people are not in China. False attribution is likely.  Attack is disseminates from USA.",
          "modified": "2024-10-18T20:04:41.836000",
          "created": "2024-09-18T20:58:30.691000",
          "tags": [
            "as8075",
            "united",
            "pid425870621",
            "tid700443057",
            "tpid425870621",
            "slot1",
            "mascore2",
            "bcnt1",
            "unid88000705",
            "nct1",
            "date",
            "china",
            "china unknown",
            "passive dns",
            "body xml",
            "error code",
            "requestid",
            "hostid ec",
            "server",
            "gmt content",
            "type",
            "registry",
            "intel",
            "ms windows",
            "show",
            "entries",
            "search",
            "high",
            "pe32",
            "high process",
            "injection t1055",
            "salicode",
            "worm",
            "copy",
            "tools",
            "service",
            "write",
            "win32",
            "persistence",
            "execution",
            "april",
            "urls",
            "http",
            "unique",
            "scan endpoints",
            "all scoreblue",
            "url http",
            "pulse pulses",
            "ip address",
            "related nids",
            "code",
            "as54113",
            "unknown",
            "body",
            "fastly error",
            "please",
            "sea p",
            "msil",
            "accept",
            "aaaa",
            "nxdomain",
            "whitelisted",
            "as15169 google",
            "status",
            "as44273 host",
            "as46691",
            "domain",
            "url https",
            "files location",
            "info",
            "script urls",
            "path max",
            "age86400 set",
            "cookie",
            "script domains",
            "javascript",
            "script script",
            "trojanspy",
            "cname",
            "emails",
            "servers",
            "all search",
            "related pulses",
            "file samples",
            "files matching",
            "creation date",
            "germany unknown",
            "yara detections",
            "filehash",
            "av detections",
            "ids detections",
            "alerts",
            "analysis date",
            "file score",
            "meta",
            "home welcome",
            "write c",
            "delete c",
            "query",
            "local",
            "hostname",
            "a domains",
            "lowfi",
            "content type",
            "record value",
            "suite",
            "showing",
            "asnone united",
            "as29873",
            "ipv4",
            "pulse submit",
            "url analysis",
            "files",
            "pe32 executable",
            "potential scan",
            "0pgtwhu",
            "t1045",
            "port",
            "infection",
            "recon",
            "malware",
            "june",
            "delphi",
            "taobao network",
            "as45102 alibaba",
            "as4812 china",
            "next",
            "expiration date",
            "name servers",
            "dynamicloader",
            "dynamic",
            "sha256",
            "dynamic link",
            "library exe",
            "adobe",
            "incorporated",
            "read",
            "yara rule",
            "delete",
            "binary file",
            "push",
            "malicious",
            "july",
            "iocs",
            "levelbluelabs",
            "jeff4son",
            "adversaries",
            "registry run",
            "flow t1574",
            "dll sideloading",
            "boot",
            "logon autostart",
            "execution t1547",
            "keys",
            "startup folder",
            "t1497 may",
            "encryption",
            "catalog tree",
            "analysis ob0001",
            "virtual machine",
            "detection b0009",
            "check registry",
            "analysis ob0002",
            "executable code",
            "stack strings",
            "control ob0004",
            "get http",
            "http requests",
            "dns resolutions",
            "ip traffic",
            "pattern domains",
            "memory pattern",
            "urls http",
            "request",
            "response",
            "connection",
            "trojan",
            "otx scoreblue",
            "windows",
            "embeddedwb",
            "medium",
            "shellexecuteexw",
            "msie",
            "windows nt",
            "displayname",
            "tofsee",
            "hashes",
            "vhash",
            "authentihash",
            "ssdeep",
            "win32 exe",
            "magic pe32",
            "trid win32",
            "library",
            "read c",
            "file guard",
            "rtversion",
            "langchinese",
            "legalcopyright",
            "reserved",
            "ransom",
            "moved",
            "media",
            "ascii text",
            "default",
            "upack",
            "mike",
            "contacted",
            "x87xe1x1d",
            "regsetvalueexa",
            "x95xd3xa4",
            "regbinary",
            "x84xa8xe8i",
            "x8dxb7xb7",
            "hx88x9ax1e",
            "mx81xd1r",
            "x92xac",
            "xc2x84",
            "stream",
            "swipper",
            "pdfcreator.sf.net",
            "botnet",
            "black mercedes",
            "please forgive me",
            "therahand thouroughhand"
          ],
          "references": [
            "Project Endgame - pegausintel.com - Unsure if related to NSO Group",
            "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean",
            "Yara Detections: compromised_site_redirector_fromcharcode ,  Cabinet_Archive ,  SFX_CAB",
            "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile",
            "IPs Contacted:  93.184.221.240  3.33.130.190 |  Domains Contacted: counterslocal.com",
            "compromised_site_redirector_fromcharcode fromCharCode",
            "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527",
            "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/",
            "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf",
            "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/",
            "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166",
            "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539",
            "Antivirus Detections Cryp_Xed-12 ,  Mal/Generic-S ,  Packed/Upack Yara Detections Upackv039finalDwing ,  UpackV037Dwing",
            "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Worm:Win32/Macoute.A",
              "display_name": "Worm:Win32/Macoute.A",
              "target": "/malware/Worm:Win32/Macoute.A"
            },
            {
              "id": "TrojanDownloader:Win32/Nemucod",
              "display_name": "TrojanDownloader:Win32/Nemucod",
              "target": "/malware/TrojanDownloader:Win32/Nemucod"
            },
            {
              "id": "TrojanSpy:Win32/Nivdort",
              "display_name": "TrojanSpy:Win32/Nivdort",
              "target": "/malware/TrojanSpy:Win32/Nivdort"
            },
            {
              "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
              "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
              "target": null
            },
            {
              "id": "Worm:Win32/Fesber.A",
              "display_name": "Worm:Win32/Fesber.A",
              "target": "/malware/Worm:Win32/Fesber.A"
            },
            {
              "id": "Ransom:Win32/Eniqma.A",
              "display_name": "Ransom:Win32/Eniqma.A",
              "target": "/malware/Ransom:Win32/Eniqma.A"
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "UpackV037Dwing",
              "display_name": "UpackV037Dwing",
              "target": null
            },
            {
              "id": "Cryp_Xed-12",
              "display_name": "Cryp_Xed-12",
              "target": null
            },
            {
              "id": "Mal/Generic-S",
              "display_name": "Mal/Generic-S",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1493,
            "FileHash-SHA1": 1393,
            "FileHash-SHA256": 5881,
            "URL": 1495,
            "domain": 1947,
            "hostname": 1360,
            "email": 18,
            "CVE": 1
          },
          "indicator_count": 13588,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 232,
          "modified_text": "591 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "652396e713c1ed328a30e252",
          "name": "Multiple Antagonist",
          "description": "Multiple antagonists related to this issue.\n\n\nBased on extensive research, the attack is not aimed at medical business. \n\nTargeting: visitors, specified female individual, associates, targets businesses, devices, digital profile, technology, insurance, communications, search redirects, targets route through BN.\n\n\n\nResearch points to multiple involved antagonists, a female target, a clear motive.",
          "modified": "2023-11-08T04:04:40.217000",
          "created": "2023-10-09T06:00:07.575000",
          "tags": [
            "heur",
            "united",
            "malicious site",
            "phishing site",
            "malware",
            "anonymisation",
            "ibm xforce",
            "exchange",
            "unsafe",
            "artemis",
            "formbook",
            "downloader",
            "facebook",
            "bank",
            "download",
            "union",
            "fuery",
            "team",
            "qbot",
            "bankerx",
            "riskware",
            "dropper",
            "nimda",
            "swrort",
            "unruy",
            "adwind",
            "trojanx",
            "crack",
            "win64",
            "agent",
            "generic",
            "alexa top",
            "million",
            "team top",
            "site",
            "cisco umbrella",
            "safe site",
            "malware site",
            "iframe",
            "opencandy",
            "exploit",
            "zbot",
            "nircmd",
            "acint",
            "downldr",
            "tiggre",
            "presenoker",
            "filetour",
            "cleaner",
            "conduit",
            "wacatac",
            "quasar rat",
            "mimikatz",
            "pony",
            "funshion",
            "mywebsearch",
            "rostpay",
            "iobit",
            "mediaget",
            "systweak",
            "behav",
            "genkryptik",
            "phishing",
            "alexa",
            "installpack",
            "xtrat",
            "webtoolbar",
            "trojanspy",
            "detection list",
            "blacklist http",
            "bottom3",
            "sig10vr3b813",
            "lcid1033",
            "smlen",
            "spn224",
            "bv7uet92ww",
            "blacklist",
            "denver",
            "s tamarac",
            "dr ste",
            "therapists",
            "centennial",
            "therahand",
            "review",
            "physical",
            "tomorrow",
            "hours mon",
            "dpt",
            "404",
            "gettr",
            "whois record",
            "referrer",
            "historical ssl",
            "contacted",
            "communicating",
            "resolutions",
            "whois whois",
            "whois ssl",
            "ssl certificate",
            "bottom3 http",
            "FileRepMetagen",
            "evasive,hyteod,ransomware",
            "AI_Score_52%",
            "ATT&CK fonts.gstatic.com",
            "mitre",
            "button",
            "path",
            "input",
            "form",
            "malicious url",
            "paypal",
            "team phishing",
            "filerepmetagen",
            "azorult",
            "service",
            "runescape",
            "business url",
            "delivery optout",
            "superpages url",
            "us url",
            "network partner",
            "google",
            "windows nt",
            "khtml",
            "gecko",
            "aes128gcm",
            "gts ca",
            "europeberlin",
            "frankfurt",
            "main",
            "sign",
            "people search",
            "state directory",
            "join browse",
            "nail salons",
            "popular",
            "the local",
            "nearby",
            "strong",
            "use my",
            "fakealert",
            "zpevdo"
          ],
          "references": [
            "https://www.superpages.com/denver-co/bpp/amp/therahand-472908110",
            "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer",
            "Hybrid Analysis via AlienVault OTX Extraction Details",
            "Extensive research",
            "Data Analysis",
            "Comparative Analysis",
            "Content servers: https://c.ypcdn.com/",
            "https://www.superpages.com/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "XRat",
              "display_name": "XRat",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Zbot",
              "display_name": "Backdoor:Win32/Zbot",
              "target": "/malware/Backdoor:Win32/Zbot"
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "ALF:JASYP:PUA:Win32/Systweak",
              "display_name": "ALF:JASYP:PUA:Win32/Systweak",
              "target": null
            },
            {
              "id": "FormBook",
              "display_name": "FormBook",
              "target": null
            },
            {
              "id": "Worm:Win32/Nimda",
              "display_name": "Worm:Win32/Nimda",
              "target": "/malware/Worm:Win32/Nimda"
            },
            {
              "id": "HackTool:Win32/Crack",
              "display_name": "HackTool:Win32/Crack",
              "target": "/malware/HackTool:Win32/Crack"
            },
            {
              "id": "ALF:PUA:Win32/OpenCandy",
              "display_name": "ALF:PUA:Win32/OpenCandy",
              "target": null
            },
            {
              "id": "Trojan:Win32/Wacatac",
              "display_name": "Trojan:Win32/Wacatac",
              "target": "/malware/Trojan:Win32/Wacatac"
            },
            {
              "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
              "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
              "target": null
            },
            {
              "id": "HackTool:PowerShell/Mimikatz",
              "display_name": "HackTool:PowerShell/Mimikatz",
              "target": "/malware/HackTool:PowerShell/Mimikatz"
            },
            {
              "id": "ALF:Program:Win32/Mediaget",
              "display_name": "ALF:Program:Win32/Mediaget",
              "target": null
            },
            {
              "id": "Trojan:Win32/Qbot",
              "display_name": "Trojan:Win32/Qbot",
              "target": "/malware/Trojan:Win32/Qbot"
            },
            {
              "id": "Worm:Win32/Acint",
              "display_name": "Worm:Win32/Acint",
              "target": "/malware/Worm:Win32/Acint"
            },
            {
              "id": "Adwind RAT",
              "display_name": "Adwind RAT",
              "target": null
            },
            {
              "id": "Trojan:Win32/Tiggre",
              "display_name": "Trojan:Win32/Tiggre",
              "target": "/malware/Trojan:Win32/Tiggre"
            },
            {
              "id": "Virus:DOS/Better_Tomorrow",
              "display_name": "Virus:DOS/Better_Tomorrow",
              "target": "/malware/Virus:DOS/Better_Tomorrow"
            },
            {
              "id": "Pony",
              "display_name": "Pony",
              "target": null
            },
            {
              "id": "ALF:PUA:Win32/Rostpay",
              "display_name": "ALF:PUA:Win32/Rostpay",
              "target": null
            },
            {
              "id": "NirCmd",
              "display_name": "NirCmd",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "trojanx",
              "display_name": "trojanx",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
              "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
              "target": null
            },
            {
              "id": "Trojan:Win32/Fuery",
              "display_name": "Trojan:Win32/Fuery",
              "target": "/malware/Trojan:Win32/Fuery"
            },
            {
              "id": "Trojan:Win32/Filetour",
              "display_name": "Trojan:Win32/Filetour",
              "target": "/malware/Trojan:Win32/Filetour"
            },
            {
              "id": "ALF:PUA:Win32/IObit",
              "display_name": "ALF:PUA:Win32/IObit",
              "target": null
            },
            {
              "id": "ALF:Cert:InstallPack",
              "display_name": "ALF:Cert:InstallPack",
              "target": null
            },
            {
              "id": "Ransom:Win32/WannaCrypt",
              "display_name": "Ransom:Win32/WannaCrypt",
              "target": "/malware/Ransom:Win32/WannaCrypt"
            },
            {
              "id": "TROJ_FRS.VSN1EA19",
              "display_name": "TROJ_FRS.VSN1EA19",
              "target": null
            },
            {
              "id": "PE.Heur",
              "display_name": "PE.Heur",
              "target": null
            },
            {
              "id": "Slimware.a",
              "display_name": "Slimware.a",
              "target": null
            },
            {
              "id": "PhishingMS.ABC",
              "display_name": "PhishingMS.ABC",
              "target": null
            },
            {
              "id": "FileRepMetagen [PUP]",
              "display_name": "FileRepMetagen [PUP]",
              "target": null
            },
            {
              "id": "malicious.35bb6b",
              "display_name": "malicious.35bb6b",
              "target": null
            },
            {
              "id": "Agent.3132311",
              "display_name": "Agent.3132311",
              "target": null
            },
            {
              "id": "virus.html.gen03",
              "display_name": "virus.html.gen03",
              "target": null
            },
            {
              "id": "BU",
              "display_name": "BU",
              "target": null
            },
            {
              "id": "Trojan:Win32/Presenoker",
              "display_name": "Trojan:Win32/Presenoker",
              "target": "/malware/Trojan:Win32/Presenoker"
            },
            {
              "id": "Trojan:Win32/Swrort",
              "display_name": "Trojan:Win32/Swrort",
              "target": "/malware/Trojan:Win32/Swrort"
            },
            {
              "id": "ALF:PUA:Win32/Funshion",
              "display_name": "ALF:PUA:Win32/Funshion",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 14,
            "hostname": 313,
            "FileHash-MD5": 187,
            "FileHash-SHA1": 102,
            "domain": 115,
            "URL": 134,
            "FileHash-SHA256": 169,
            "FilePath": 1,
            "CIDR": 1
          },
          "indicator_count": 1036,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "936 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6523978d9bc58273e16261a6",
          "name": "Ransom:Win32/WannaCrypt ",
          "description": "",
          "modified": "2023-11-08T04:04:40.217000",
          "created": "2023-10-09T06:02:53.483000",
          "tags": [
            "heur",
            "united",
            "malicious site",
            "phishing site",
            "malware",
            "anonymisation",
            "ibm xforce",
            "exchange",
            "unsafe",
            "artemis",
            "formbook",
            "downloader",
            "facebook",
            "bank",
            "download",
            "union",
            "fuery",
            "team",
            "qbot",
            "bankerx",
            "riskware",
            "dropper",
            "nimda",
            "swrort",
            "unruy",
            "adwind",
            "trojanx",
            "crack",
            "win64",
            "agent",
            "generic",
            "alexa top",
            "million",
            "team top",
            "site",
            "cisco umbrella",
            "safe site",
            "malware site",
            "iframe",
            "opencandy",
            "exploit",
            "zbot",
            "nircmd",
            "acint",
            "downldr",
            "tiggre",
            "presenoker",
            "filetour",
            "cleaner",
            "conduit",
            "wacatac",
            "quasar rat",
            "mimikatz",
            "pony",
            "funshion",
            "mywebsearch",
            "rostpay",
            "iobit",
            "mediaget",
            "systweak",
            "behav",
            "genkryptik",
            "phishing",
            "alexa",
            "installpack",
            "xtrat",
            "webtoolbar",
            "trojanspy",
            "detection list",
            "blacklist http",
            "bottom3",
            "sig10vr3b813",
            "lcid1033",
            "smlen",
            "spn224",
            "bv7uet92ww",
            "blacklist",
            "denver",
            "s tamarac",
            "dr ste",
            "therapists",
            "centennial",
            "therahand",
            "review",
            "physical",
            "tomorrow",
            "hours mon",
            "dpt",
            "404",
            "gettr",
            "whois record",
            "referrer",
            "historical ssl",
            "contacted",
            "communicating",
            "resolutions",
            "whois whois",
            "whois ssl",
            "ssl certificate",
            "bottom3 http",
            "FileRepMetagen",
            "evasive,hyteod,ransomware",
            "AI_Score_52%",
            "ATT&CK fonts.gstatic.com",
            "mitre",
            "button",
            "path",
            "input",
            "form",
            "malicious url",
            "paypal",
            "team phishing",
            "filerepmetagen",
            "azorult",
            "service",
            "runescape",
            "business url",
            "delivery optout",
            "superpages url",
            "us url",
            "network partner",
            "google",
            "windows nt",
            "khtml",
            "gecko",
            "aes128gcm",
            "gts ca",
            "europeberlin",
            "frankfurt",
            "main",
            "sign",
            "people search",
            "state directory",
            "join browse",
            "nail salons",
            "popular",
            "the local",
            "nearby",
            "strong",
            "use my",
            "fakealert",
            "zpevdo"
          ],
          "references": [
            "https://www.superpages.com/denver-co/bpp/amp/therahand-472908110",
            "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer",
            "Hybrid Analysis via AlienVault OTX Extraction Details",
            "Extensive research",
            "Data Analysis",
            "Comparative Analysis",
            "Content servers: https://c.ypcdn.com/",
            "https://www.superpages.com/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "XRat",
              "display_name": "XRat",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Zbot",
              "display_name": "Backdoor:Win32/Zbot",
              "target": "/malware/Backdoor:Win32/Zbot"
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "ALF:JASYP:PUA:Win32/Systweak",
              "display_name": "ALF:JASYP:PUA:Win32/Systweak",
              "target": null
            },
            {
              "id": "FormBook",
              "display_name": "FormBook",
              "target": null
            },
            {
              "id": "Worm:Win32/Nimda",
              "display_name": "Worm:Win32/Nimda",
              "target": "/malware/Worm:Win32/Nimda"
            },
            {
              "id": "HackTool:Win32/Crack",
              "display_name": "HackTool:Win32/Crack",
              "target": "/malware/HackTool:Win32/Crack"
            },
            {
              "id": "ALF:PUA:Win32/OpenCandy",
              "display_name": "ALF:PUA:Win32/OpenCandy",
              "target": null
            },
            {
              "id": "Trojan:Win32/Wacatac",
              "display_name": "Trojan:Win32/Wacatac",
              "target": "/malware/Trojan:Win32/Wacatac"
            },
            {
              "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
              "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
              "target": null
            },
            {
              "id": "HackTool:PowerShell/Mimikatz",
              "display_name": "HackTool:PowerShell/Mimikatz",
              "target": "/malware/HackTool:PowerShell/Mimikatz"
            },
            {
              "id": "ALF:Program:Win32/Mediaget",
              "display_name": "ALF:Program:Win32/Mediaget",
              "target": null
            },
            {
              "id": "Trojan:Win32/Qbot",
              "display_name": "Trojan:Win32/Qbot",
              "target": "/malware/Trojan:Win32/Qbot"
            },
            {
              "id": "Worm:Win32/Acint",
              "display_name": "Worm:Win32/Acint",
              "target": "/malware/Worm:Win32/Acint"
            },
            {
              "id": "Adwind RAT",
              "display_name": "Adwind RAT",
              "target": null
            },
            {
              "id": "Trojan:Win32/Tiggre",
              "display_name": "Trojan:Win32/Tiggre",
              "target": "/malware/Trojan:Win32/Tiggre"
            },
            {
              "id": "Virus:DOS/Better_Tomorrow",
              "display_name": "Virus:DOS/Better_Tomorrow",
              "target": "/malware/Virus:DOS/Better_Tomorrow"
            },
            {
              "id": "Pony",
              "display_name": "Pony",
              "target": null
            },
            {
              "id": "ALF:PUA:Win32/Rostpay",
              "display_name": "ALF:PUA:Win32/Rostpay",
              "target": null
            },
            {
              "id": "NirCmd",
              "display_name": "NirCmd",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "trojanx",
              "display_name": "trojanx",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
              "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
              "target": null
            },
            {
              "id": "Trojan:Win32/Fuery",
              "display_name": "Trojan:Win32/Fuery",
              "target": "/malware/Trojan:Win32/Fuery"
            },
            {
              "id": "Trojan:Win32/Filetour",
              "display_name": "Trojan:Win32/Filetour",
              "target": "/malware/Trojan:Win32/Filetour"
            },
            {
              "id": "ALF:PUA:Win32/IObit",
              "display_name": "ALF:PUA:Win32/IObit",
              "target": null
            },
            {
              "id": "ALF:Cert:InstallPack",
              "display_name": "ALF:Cert:InstallPack",
              "target": null
            },
            {
              "id": "Ransom:Win32/WannaCrypt",
              "display_name": "Ransom:Win32/WannaCrypt",
              "target": "/malware/Ransom:Win32/WannaCrypt"
            },
            {
              "id": "TROJ_FRS.VSN1EA19",
              "display_name": "TROJ_FRS.VSN1EA19",
              "target": null
            },
            {
              "id": "PE.Heur",
              "display_name": "PE.Heur",
              "target": null
            },
            {
              "id": "Slimware.a",
              "display_name": "Slimware.a",
              "target": null
            },
            {
              "id": "PhishingMS.ABC",
              "display_name": "PhishingMS.ABC",
              "target": null
            },
            {
              "id": "FileRepMetagen [PUP]",
              "display_name": "FileRepMetagen [PUP]",
              "target": null
            },
            {
              "id": "malicious.35bb6b",
              "display_name": "malicious.35bb6b",
              "target": null
            },
            {
              "id": "Agent.3132311",
              "display_name": "Agent.3132311",
              "target": null
            },
            {
              "id": "virus.html.gen03",
              "display_name": "virus.html.gen03",
              "target": null
            },
            {
              "id": "BU",
              "display_name": "BU",
              "target": null
            },
            {
              "id": "Trojan:Win32/Presenoker",
              "display_name": "Trojan:Win32/Presenoker",
              "target": "/malware/Trojan:Win32/Presenoker"
            },
            {
              "id": "Trojan:Win32/Swrort",
              "display_name": "Trojan:Win32/Swrort",
              "target": "/malware/Trojan:Win32/Swrort"
            },
            {
              "id": "ALF:PUA:Win32/Funshion",
              "display_name": "ALF:PUA:Win32/Funshion",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "652396e713c1ed328a30e252",
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 14,
            "hostname": 313,
            "FileHash-MD5": 187,
            "FileHash-SHA1": 102,
            "domain": 115,
            "URL": 134,
            "FileHash-SHA256": 169,
            "FilePath": 1,
            "CIDR": 1
          },
          "indicator_count": 1036,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 229,
          "modified_text": "936 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "653f1b9d7b8c6e2836f2c1a5",
          "name": "Ransom:Win32/WannaCrypt",
          "description": "",
          "modified": "2023-11-08T04:04:40.217000",
          "created": "2023-10-30T02:57:33.289000",
          "tags": [
            "heur",
            "united",
            "malicious site",
            "phishing site",
            "malware",
            "anonymisation",
            "ibm xforce",
            "exchange",
            "unsafe",
            "artemis",
            "formbook",
            "downloader",
            "facebook",
            "bank",
            "download",
            "union",
            "fuery",
            "team",
            "qbot",
            "bankerx",
            "riskware",
            "dropper",
            "nimda",
            "swrort",
            "unruy",
            "adwind",
            "trojanx",
            "crack",
            "win64",
            "agent",
            "generic",
            "alexa top",
            "million",
            "team top",
            "site",
            "cisco umbrella",
            "safe site",
            "malware site",
            "iframe",
            "opencandy",
            "exploit",
            "zbot",
            "nircmd",
            "acint",
            "downldr",
            "tiggre",
            "presenoker",
            "filetour",
            "cleaner",
            "conduit",
            "wacatac",
            "quasar rat",
            "mimikatz",
            "pony",
            "funshion",
            "mywebsearch",
            "rostpay",
            "iobit",
            "mediaget",
            "systweak",
            "behav",
            "genkryptik",
            "phishing",
            "alexa",
            "installpack",
            "xtrat",
            "webtoolbar",
            "trojanspy",
            "detection list",
            "blacklist http",
            "bottom3",
            "sig10vr3b813",
            "lcid1033",
            "smlen",
            "spn224",
            "bv7uet92ww",
            "blacklist",
            "denver",
            "s tamarac",
            "dr ste",
            "therapists",
            "centennial",
            "therahand",
            "review",
            "physical",
            "tomorrow",
            "hours mon",
            "dpt",
            "404",
            "gettr",
            "whois record",
            "referrer",
            "historical ssl",
            "contacted",
            "communicating",
            "resolutions",
            "whois whois",
            "whois ssl",
            "ssl certificate",
            "bottom3 http",
            "FileRepMetagen",
            "evasive,hyteod,ransomware",
            "AI_Score_52%",
            "ATT&CK fonts.gstatic.com",
            "mitre",
            "button",
            "path",
            "input",
            "form",
            "malicious url",
            "paypal",
            "team phishing",
            "filerepmetagen",
            "azorult",
            "service",
            "runescape",
            "business url",
            "delivery optout",
            "superpages url",
            "us url",
            "network partner",
            "google",
            "windows nt",
            "khtml",
            "gecko",
            "aes128gcm",
            "gts ca",
            "europeberlin",
            "frankfurt",
            "main",
            "sign",
            "people search",
            "state directory",
            "join browse",
            "nail salons",
            "popular",
            "the local",
            "nearby",
            "strong",
            "use my",
            "fakealert",
            "zpevdo"
          ],
          "references": [
            "https://www.superpages.com/denver-co/bpp/amp/therahand-472908110",
            "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer",
            "Hybrid Analysis via AlienVault OTX Extraction Details",
            "Extensive research",
            "Data Analysis",
            "Comparative Analysis",
            "Content servers: https://c.ypcdn.com/",
            "https://www.superpages.com/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "XRat",
              "display_name": "XRat",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Zbot",
              "display_name": "Backdoor:Win32/Zbot",
              "target": "/malware/Backdoor:Win32/Zbot"
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "ALF:JASYP:PUA:Win32/Systweak",
              "display_name": "ALF:JASYP:PUA:Win32/Systweak",
              "target": null
            },
            {
              "id": "FormBook",
              "display_name": "FormBook",
              "target": null
            },
            {
              "id": "Worm:Win32/Nimda",
              "display_name": "Worm:Win32/Nimda",
              "target": "/malware/Worm:Win32/Nimda"
            },
            {
              "id": "HackTool:Win32/Crack",
              "display_name": "HackTool:Win32/Crack",
              "target": "/malware/HackTool:Win32/Crack"
            },
            {
              "id": "ALF:PUA:Win32/OpenCandy",
              "display_name": "ALF:PUA:Win32/OpenCandy",
              "target": null
            },
            {
              "id": "Trojan:Win32/Wacatac",
              "display_name": "Trojan:Win32/Wacatac",
              "target": "/malware/Trojan:Win32/Wacatac"
            },
            {
              "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
              "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
              "target": null
            },
            {
              "id": "HackTool:PowerShell/Mimikatz",
              "display_name": "HackTool:PowerShell/Mimikatz",
              "target": "/malware/HackTool:PowerShell/Mimikatz"
            },
            {
              "id": "ALF:Program:Win32/Mediaget",
              "display_name": "ALF:Program:Win32/Mediaget",
              "target": null
            },
            {
              "id": "Trojan:Win32/Qbot",
              "display_name": "Trojan:Win32/Qbot",
              "target": "/malware/Trojan:Win32/Qbot"
            },
            {
              "id": "Worm:Win32/Acint",
              "display_name": "Worm:Win32/Acint",
              "target": "/malware/Worm:Win32/Acint"
            },
            {
              "id": "Adwind RAT",
              "display_name": "Adwind RAT",
              "target": null
            },
            {
              "id": "Trojan:Win32/Tiggre",
              "display_name": "Trojan:Win32/Tiggre",
              "target": "/malware/Trojan:Win32/Tiggre"
            },
            {
              "id": "Virus:DOS/Better_Tomorrow",
              "display_name": "Virus:DOS/Better_Tomorrow",
              "target": "/malware/Virus:DOS/Better_Tomorrow"
            },
            {
              "id": "Pony",
              "display_name": "Pony",
              "target": null
            },
            {
              "id": "ALF:PUA:Win32/Rostpay",
              "display_name": "ALF:PUA:Win32/Rostpay",
              "target": null
            },
            {
              "id": "NirCmd",
              "display_name": "NirCmd",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "trojanx",
              "display_name": "trojanx",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
              "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
              "target": null
            },
            {
              "id": "Trojan:Win32/Fuery",
              "display_name": "Trojan:Win32/Fuery",
              "target": "/malware/Trojan:Win32/Fuery"
            },
            {
              "id": "Trojan:Win32/Filetour",
              "display_name": "Trojan:Win32/Filetour",
              "target": "/malware/Trojan:Win32/Filetour"
            },
            {
              "id": "ALF:PUA:Win32/IObit",
              "display_name": "ALF:PUA:Win32/IObit",
              "target": null
            },
            {
              "id": "ALF:Cert:InstallPack",
              "display_name": "ALF:Cert:InstallPack",
              "target": null
            },
            {
              "id": "Ransom:Win32/WannaCrypt",
              "display_name": "Ransom:Win32/WannaCrypt",
              "target": "/malware/Ransom:Win32/WannaCrypt"
            },
            {
              "id": "TROJ_FRS.VSN1EA19",
              "display_name": "TROJ_FRS.VSN1EA19",
              "target": null
            },
            {
              "id": "PE.Heur",
              "display_name": "PE.Heur",
              "target": null
            },
            {
              "id": "Slimware.a",
              "display_name": "Slimware.a",
              "target": null
            },
            {
              "id": "PhishingMS.ABC",
              "display_name": "PhishingMS.ABC",
              "target": null
            },
            {
              "id": "FileRepMetagen [PUP]",
              "display_name": "FileRepMetagen [PUP]",
              "target": null
            },
            {
              "id": "malicious.35bb6b",
              "display_name": "malicious.35bb6b",
              "target": null
            },
            {
              "id": "Agent.3132311",
              "display_name": "Agent.3132311",
              "target": null
            },
            {
              "id": "virus.html.gen03",
              "display_name": "virus.html.gen03",
              "target": null
            },
            {
              "id": "BU",
              "display_name": "BU",
              "target": null
            },
            {
              "id": "Trojan:Win32/Presenoker",
              "display_name": "Trojan:Win32/Presenoker",
              "target": "/malware/Trojan:Win32/Presenoker"
            },
            {
              "id": "Trojan:Win32/Swrort",
              "display_name": "Trojan:Win32/Swrort",
              "target": "/malware/Trojan:Win32/Swrort"
            },
            {
              "id": "ALF:PUA:Win32/Funshion",
              "display_name": "ALF:PUA:Win32/Funshion",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6523978d9bc58273e16261a6",
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 14,
            "hostname": 313,
            "FileHash-MD5": 187,
            "FileHash-SHA1": 102,
            "domain": 115,
            "URL": 134,
            "FileHash-SHA256": 169,
            "FilePath": 1,
            "CIDR": 1
          },
          "indicator_count": 1036,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 221,
          "modified_text": "936 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "653f1cc68d8465d74f49192f",
          "name": "Ransom:Win32/WannaCrypt",
          "description": "",
          "modified": "2023-11-08T04:04:40.217000",
          "created": "2023-10-30T03:02:30.391000",
          "tags": [
            "heur",
            "united",
            "malicious site",
            "phishing site",
            "malware",
            "anonymisation",
            "ibm xforce",
            "exchange",
            "unsafe",
            "artemis",
            "formbook",
            "downloader",
            "facebook",
            "bank",
            "download",
            "union",
            "fuery",
            "team",
            "qbot",
            "bankerx",
            "riskware",
            "dropper",
            "nimda",
            "swrort",
            "unruy",
            "adwind",
            "trojanx",
            "crack",
            "win64",
            "agent",
            "generic",
            "alexa top",
            "million",
            "team top",
            "site",
            "cisco umbrella",
            "safe site",
            "malware site",
            "iframe",
            "opencandy",
            "exploit",
            "zbot",
            "nircmd",
            "acint",
            "downldr",
            "tiggre",
            "presenoker",
            "filetour",
            "cleaner",
            "conduit",
            "wacatac",
            "quasar rat",
            "mimikatz",
            "pony",
            "funshion",
            "mywebsearch",
            "rostpay",
            "iobit",
            "mediaget",
            "systweak",
            "behav",
            "genkryptik",
            "phishing",
            "alexa",
            "installpack",
            "xtrat",
            "webtoolbar",
            "trojanspy",
            "detection list",
            "blacklist http",
            "bottom3",
            "sig10vr3b813",
            "lcid1033",
            "smlen",
            "spn224",
            "bv7uet92ww",
            "blacklist",
            "denver",
            "s tamarac",
            "dr ste",
            "therapists",
            "centennial",
            "therahand",
            "review",
            "physical",
            "tomorrow",
            "hours mon",
            "dpt",
            "404",
            "gettr",
            "whois record",
            "referrer",
            "historical ssl",
            "contacted",
            "communicating",
            "resolutions",
            "whois whois",
            "whois ssl",
            "ssl certificate",
            "bottom3 http",
            "FileRepMetagen",
            "evasive,hyteod,ransomware",
            "AI_Score_52%",
            "ATT&CK fonts.gstatic.com",
            "mitre",
            "button",
            "path",
            "input",
            "form",
            "malicious url",
            "paypal",
            "team phishing",
            "filerepmetagen",
            "azorult",
            "service",
            "runescape",
            "business url",
            "delivery optout",
            "superpages url",
            "us url",
            "network partner",
            "google",
            "windows nt",
            "khtml",
            "gecko",
            "aes128gcm",
            "gts ca",
            "europeberlin",
            "frankfurt",
            "main",
            "sign",
            "people search",
            "state directory",
            "join browse",
            "nail salons",
            "popular",
            "the local",
            "nearby",
            "strong",
            "use my",
            "fakealert",
            "zpevdo"
          ],
          "references": [
            "https://www.superpages.com/denver-co/bpp/amp/therahand-472908110",
            "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer",
            "Hybrid Analysis via AlienVault OTX Extraction Details",
            "Extensive research",
            "Data Analysis",
            "Comparative Analysis",
            "Content servers: https://c.ypcdn.com/",
            "https://www.superpages.com/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "XRat",
              "display_name": "XRat",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Zbot",
              "display_name": "Backdoor:Win32/Zbot",
              "target": "/malware/Backdoor:Win32/Zbot"
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "ALF:JASYP:PUA:Win32/Systweak",
              "display_name": "ALF:JASYP:PUA:Win32/Systweak",
              "target": null
            },
            {
              "id": "FormBook",
              "display_name": "FormBook",
              "target": null
            },
            {
              "id": "Worm:Win32/Nimda",
              "display_name": "Worm:Win32/Nimda",
              "target": "/malware/Worm:Win32/Nimda"
            },
            {
              "id": "HackTool:Win32/Crack",
              "display_name": "HackTool:Win32/Crack",
              "target": "/malware/HackTool:Win32/Crack"
            },
            {
              "id": "ALF:PUA:Win32/OpenCandy",
              "display_name": "ALF:PUA:Win32/OpenCandy",
              "target": null
            },
            {
              "id": "Trojan:Win32/Wacatac",
              "display_name": "Trojan:Win32/Wacatac",
              "target": "/malware/Trojan:Win32/Wacatac"
            },
            {
              "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
              "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
              "target": null
            },
            {
              "id": "HackTool:PowerShell/Mimikatz",
              "display_name": "HackTool:PowerShell/Mimikatz",
              "target": "/malware/HackTool:PowerShell/Mimikatz"
            },
            {
              "id": "ALF:Program:Win32/Mediaget",
              "display_name": "ALF:Program:Win32/Mediaget",
              "target": null
            },
            {
              "id": "Trojan:Win32/Qbot",
              "display_name": "Trojan:Win32/Qbot",
              "target": "/malware/Trojan:Win32/Qbot"
            },
            {
              "id": "Worm:Win32/Acint",
              "display_name": "Worm:Win32/Acint",
              "target": "/malware/Worm:Win32/Acint"
            },
            {
              "id": "Adwind RAT",
              "display_name": "Adwind RAT",
              "target": null
            },
            {
              "id": "Trojan:Win32/Tiggre",
              "display_name": "Trojan:Win32/Tiggre",
              "target": "/malware/Trojan:Win32/Tiggre"
            },
            {
              "id": "Virus:DOS/Better_Tomorrow",
              "display_name": "Virus:DOS/Better_Tomorrow",
              "target": "/malware/Virus:DOS/Better_Tomorrow"
            },
            {
              "id": "Pony",
              "display_name": "Pony",
              "target": null
            },
            {
              "id": "ALF:PUA:Win32/Rostpay",
              "display_name": "ALF:PUA:Win32/Rostpay",
              "target": null
            },
            {
              "id": "NirCmd",
              "display_name": "NirCmd",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "trojanx",
              "display_name": "trojanx",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
              "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
              "target": null
            },
            {
              "id": "Trojan:Win32/Fuery",
              "display_name": "Trojan:Win32/Fuery",
              "target": "/malware/Trojan:Win32/Fuery"
            },
            {
              "id": "Trojan:Win32/Filetour",
              "display_name": "Trojan:Win32/Filetour",
              "target": "/malware/Trojan:Win32/Filetour"
            },
            {
              "id": "ALF:PUA:Win32/IObit",
              "display_name": "ALF:PUA:Win32/IObit",
              "target": null
            },
            {
              "id": "ALF:Cert:InstallPack",
              "display_name": "ALF:Cert:InstallPack",
              "target": null
            },
            {
              "id": "Ransom:Win32/WannaCrypt",
              "display_name": "Ransom:Win32/WannaCrypt",
              "target": "/malware/Ransom:Win32/WannaCrypt"
            },
            {
              "id": "TROJ_FRS.VSN1EA19",
              "display_name": "TROJ_FRS.VSN1EA19",
              "target": null
            },
            {
              "id": "PE.Heur",
              "display_name": "PE.Heur",
              "target": null
            },
            {
              "id": "Slimware.a",
              "display_name": "Slimware.a",
              "target": null
            },
            {
              "id": "PhishingMS.ABC",
              "display_name": "PhishingMS.ABC",
              "target": null
            },
            {
              "id": "FileRepMetagen [PUP]",
              "display_name": "FileRepMetagen [PUP]",
              "target": null
            },
            {
              "id": "malicious.35bb6b",
              "display_name": "malicious.35bb6b",
              "target": null
            },
            {
              "id": "Agent.3132311",
              "display_name": "Agent.3132311",
              "target": null
            },
            {
              "id": "virus.html.gen03",
              "display_name": "virus.html.gen03",
              "target": null
            },
            {
              "id": "BU",
              "display_name": "BU",
              "target": null
            },
            {
              "id": "Trojan:Win32/Presenoker",
              "display_name": "Trojan:Win32/Presenoker",
              "target": "/malware/Trojan:Win32/Presenoker"
            },
            {
              "id": "Trojan:Win32/Swrort",
              "display_name": "Trojan:Win32/Swrort",
              "target": "/malware/Trojan:Win32/Swrort"
            },
            {
              "id": "ALF:PUA:Win32/Funshion",
              "display_name": "ALF:PUA:Win32/Funshion",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6523978d9bc58273e16261a6",
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 14,
            "hostname": 313,
            "FileHash-MD5": 187,
            "FileHash-SHA1": 102,
            "domain": 115,
            "URL": 134,
            "FileHash-SHA256": 169,
            "FilePath": 1,
            "CIDR": 1
          },
          "indicator_count": 1036,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "936 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "653f21acc5a187c1be5fcc90",
          "name": "Multiple Antagonist",
          "description": "",
          "modified": "2023-11-08T04:04:40.217000",
          "created": "2023-10-30T03:23:24.863000",
          "tags": [
            "heur",
            "united",
            "malicious site",
            "phishing site",
            "malware",
            "anonymisation",
            "ibm xforce",
            "exchange",
            "unsafe",
            "artemis",
            "formbook",
            "downloader",
            "facebook",
            "bank",
            "download",
            "union",
            "fuery",
            "team",
            "qbot",
            "bankerx",
            "riskware",
            "dropper",
            "nimda",
            "swrort",
            "unruy",
            "adwind",
            "trojanx",
            "crack",
            "win64",
            "agent",
            "generic",
            "alexa top",
            "million",
            "team top",
            "site",
            "cisco umbrella",
            "safe site",
            "malware site",
            "iframe",
            "opencandy",
            "exploit",
            "zbot",
            "nircmd",
            "acint",
            "downldr",
            "tiggre",
            "presenoker",
            "filetour",
            "cleaner",
            "conduit",
            "wacatac",
            "quasar rat",
            "mimikatz",
            "pony",
            "funshion",
            "mywebsearch",
            "rostpay",
            "iobit",
            "mediaget",
            "systweak",
            "behav",
            "genkryptik",
            "phishing",
            "alexa",
            "installpack",
            "xtrat",
            "webtoolbar",
            "trojanspy",
            "detection list",
            "blacklist http",
            "bottom3",
            "sig10vr3b813",
            "lcid1033",
            "smlen",
            "spn224",
            "bv7uet92ww",
            "blacklist",
            "denver",
            "s tamarac",
            "dr ste",
            "therapists",
            "centennial",
            "therahand",
            "review",
            "physical",
            "tomorrow",
            "hours mon",
            "dpt",
            "404",
            "gettr",
            "whois record",
            "referrer",
            "historical ssl",
            "contacted",
            "communicating",
            "resolutions",
            "whois whois",
            "whois ssl",
            "ssl certificate",
            "bottom3 http",
            "FileRepMetagen",
            "evasive,hyteod,ransomware",
            "AI_Score_52%",
            "ATT&CK fonts.gstatic.com",
            "mitre",
            "button",
            "path",
            "input",
            "form",
            "malicious url",
            "paypal",
            "team phishing",
            "filerepmetagen",
            "azorult",
            "service",
            "runescape",
            "business url",
            "delivery optout",
            "superpages url",
            "us url",
            "network partner",
            "google",
            "windows nt",
            "khtml",
            "gecko",
            "aes128gcm",
            "gts ca",
            "europeberlin",
            "frankfurt",
            "main",
            "sign",
            "people search",
            "state directory",
            "join browse",
            "nail salons",
            "popular",
            "the local",
            "nearby",
            "strong",
            "use my",
            "fakealert",
            "zpevdo"
          ],
          "references": [
            "https://www.superpages.com/denver-co/bpp/amp/therahand-472908110",
            "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer",
            "Hybrid Analysis via AlienVault OTX Extraction Details",
            "Extensive research",
            "Data Analysis",
            "Comparative Analysis",
            "Content servers: https://c.ypcdn.com/",
            "https://www.superpages.com/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "XRat",
              "display_name": "XRat",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Zbot",
              "display_name": "Backdoor:Win32/Zbot",
              "target": "/malware/Backdoor:Win32/Zbot"
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "ALF:JASYP:PUA:Win32/Systweak",
              "display_name": "ALF:JASYP:PUA:Win32/Systweak",
              "target": null
            },
            {
              "id": "FormBook",
              "display_name": "FormBook",
              "target": null
            },
            {
              "id": "Worm:Win32/Nimda",
              "display_name": "Worm:Win32/Nimda",
              "target": "/malware/Worm:Win32/Nimda"
            },
            {
              "id": "HackTool:Win32/Crack",
              "display_name": "HackTool:Win32/Crack",
              "target": "/malware/HackTool:Win32/Crack"
            },
            {
              "id": "ALF:PUA:Win32/OpenCandy",
              "display_name": "ALF:PUA:Win32/OpenCandy",
              "target": null
            },
            {
              "id": "Trojan:Win32/Wacatac",
              "display_name": "Trojan:Win32/Wacatac",
              "target": "/malware/Trojan:Win32/Wacatac"
            },
            {
              "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
              "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
              "target": null
            },
            {
              "id": "HackTool:PowerShell/Mimikatz",
              "display_name": "HackTool:PowerShell/Mimikatz",
              "target": "/malware/HackTool:PowerShell/Mimikatz"
            },
            {
              "id": "ALF:Program:Win32/Mediaget",
              "display_name": "ALF:Program:Win32/Mediaget",
              "target": null
            },
            {
              "id": "Trojan:Win32/Qbot",
              "display_name": "Trojan:Win32/Qbot",
              "target": "/malware/Trojan:Win32/Qbot"
            },
            {
              "id": "Worm:Win32/Acint",
              "display_name": "Worm:Win32/Acint",
              "target": "/malware/Worm:Win32/Acint"
            },
            {
              "id": "Adwind RAT",
              "display_name": "Adwind RAT",
              "target": null
            },
            {
              "id": "Trojan:Win32/Tiggre",
              "display_name": "Trojan:Win32/Tiggre",
              "target": "/malware/Trojan:Win32/Tiggre"
            },
            {
              "id": "Virus:DOS/Better_Tomorrow",
              "display_name": "Virus:DOS/Better_Tomorrow",
              "target": "/malware/Virus:DOS/Better_Tomorrow"
            },
            {
              "id": "Pony",
              "display_name": "Pony",
              "target": null
            },
            {
              "id": "ALF:PUA:Win32/Rostpay",
              "display_name": "ALF:PUA:Win32/Rostpay",
              "target": null
            },
            {
              "id": "NirCmd",
              "display_name": "NirCmd",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "trojanx",
              "display_name": "trojanx",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
              "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
              "target": null
            },
            {
              "id": "Trojan:Win32/Fuery",
              "display_name": "Trojan:Win32/Fuery",
              "target": "/malware/Trojan:Win32/Fuery"
            },
            {
              "id": "Trojan:Win32/Filetour",
              "display_name": "Trojan:Win32/Filetour",
              "target": "/malware/Trojan:Win32/Filetour"
            },
            {
              "id": "ALF:PUA:Win32/IObit",
              "display_name": "ALF:PUA:Win32/IObit",
              "target": null
            },
            {
              "id": "ALF:Cert:InstallPack",
              "display_name": "ALF:Cert:InstallPack",
              "target": null
            },
            {
              "id": "Ransom:Win32/WannaCrypt",
              "display_name": "Ransom:Win32/WannaCrypt",
              "target": "/malware/Ransom:Win32/WannaCrypt"
            },
            {
              "id": "TROJ_FRS.VSN1EA19",
              "display_name": "TROJ_FRS.VSN1EA19",
              "target": null
            },
            {
              "id": "PE.Heur",
              "display_name": "PE.Heur",
              "target": null
            },
            {
              "id": "Slimware.a",
              "display_name": "Slimware.a",
              "target": null
            },
            {
              "id": "PhishingMS.ABC",
              "display_name": "PhishingMS.ABC",
              "target": null
            },
            {
              "id": "FileRepMetagen [PUP]",
              "display_name": "FileRepMetagen [PUP]",
              "target": null
            },
            {
              "id": "malicious.35bb6b",
              "display_name": "malicious.35bb6b",
              "target": null
            },
            {
              "id": "Agent.3132311",
              "display_name": "Agent.3132311",
              "target": null
            },
            {
              "id": "virus.html.gen03",
              "display_name": "virus.html.gen03",
              "target": null
            },
            {
              "id": "BU",
              "display_name": "BU",
              "target": null
            },
            {
              "id": "Trojan:Win32/Presenoker",
              "display_name": "Trojan:Win32/Presenoker",
              "target": "/malware/Trojan:Win32/Presenoker"
            },
            {
              "id": "Trojan:Win32/Swrort",
              "display_name": "Trojan:Win32/Swrort",
              "target": "/malware/Trojan:Win32/Swrort"
            },
            {
              "id": "ALF:PUA:Win32/Funshion",
              "display_name": "ALF:PUA:Win32/Funshion",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "652396e713c1ed328a30e252",
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 14,
            "hostname": 313,
            "FileHash-MD5": 187,
            "FileHash-SHA1": 102,
            "domain": 115,
            "URL": 134,
            "FileHash-SHA256": 169,
            "FilePath": 1,
            "CIDR": 1
          },
          "indicator_count": 1036,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 221,
          "modified_text": "936 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "653fd3ed0900058de627cebc",
          "name": "Multiple Antagonist",
          "description": "",
          "modified": "2023-11-08T04:04:40.217000",
          "created": "2023-10-30T16:03:57.322000",
          "tags": [
            "heur",
            "united",
            "malicious site",
            "phishing site",
            "malware",
            "anonymisation",
            "ibm xforce",
            "exchange",
            "unsafe",
            "artemis",
            "formbook",
            "downloader",
            "facebook",
            "bank",
            "download",
            "union",
            "fuery",
            "team",
            "qbot",
            "bankerx",
            "riskware",
            "dropper",
            "nimda",
            "swrort",
            "unruy",
            "adwind",
            "trojanx",
            "crack",
            "win64",
            "agent",
            "generic",
            "alexa top",
            "million",
            "team top",
            "site",
            "cisco umbrella",
            "safe site",
            "malware site",
            "iframe",
            "opencandy",
            "exploit",
            "zbot",
            "nircmd",
            "acint",
            "downldr",
            "tiggre",
            "presenoker",
            "filetour",
            "cleaner",
            "conduit",
            "wacatac",
            "quasar rat",
            "mimikatz",
            "pony",
            "funshion",
            "mywebsearch",
            "rostpay",
            "iobit",
            "mediaget",
            "systweak",
            "behav",
            "genkryptik",
            "phishing",
            "alexa",
            "installpack",
            "xtrat",
            "webtoolbar",
            "trojanspy",
            "detection list",
            "blacklist http",
            "bottom3",
            "sig10vr3b813",
            "lcid1033",
            "smlen",
            "spn224",
            "bv7uet92ww",
            "blacklist",
            "denver",
            "s tamarac",
            "dr ste",
            "therapists",
            "centennial",
            "therahand",
            "review",
            "physical",
            "tomorrow",
            "hours mon",
            "dpt",
            "404",
            "gettr",
            "whois record",
            "referrer",
            "historical ssl",
            "contacted",
            "communicating",
            "resolutions",
            "whois whois",
            "whois ssl",
            "ssl certificate",
            "bottom3 http",
            "FileRepMetagen",
            "evasive,hyteod,ransomware",
            "AI_Score_52%",
            "ATT&CK fonts.gstatic.com",
            "mitre",
            "button",
            "path",
            "input",
            "form",
            "malicious url",
            "paypal",
            "team phishing",
            "filerepmetagen",
            "azorult",
            "service",
            "runescape",
            "business url",
            "delivery optout",
            "superpages url",
            "us url",
            "network partner",
            "google",
            "windows nt",
            "khtml",
            "gecko",
            "aes128gcm",
            "gts ca",
            "europeberlin",
            "frankfurt",
            "main",
            "sign",
            "people search",
            "state directory",
            "join browse",
            "nail salons",
            "popular",
            "the local",
            "nearby",
            "strong",
            "use my",
            "fakealert",
            "zpevdo"
          ],
          "references": [
            "https://www.superpages.com/denver-co/bpp/amp/therahand-472908110",
            "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer",
            "Hybrid Analysis via AlienVault OTX Extraction Details",
            "Extensive research",
            "Data Analysis",
            "Comparative Analysis",
            "Content servers: https://c.ypcdn.com/",
            "https://www.superpages.com/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "XRat",
              "display_name": "XRat",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Zbot",
              "display_name": "Backdoor:Win32/Zbot",
              "target": "/malware/Backdoor:Win32/Zbot"
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "ALF:JASYP:PUA:Win32/Systweak",
              "display_name": "ALF:JASYP:PUA:Win32/Systweak",
              "target": null
            },
            {
              "id": "FormBook",
              "display_name": "FormBook",
              "target": null
            },
            {
              "id": "Worm:Win32/Nimda",
              "display_name": "Worm:Win32/Nimda",
              "target": "/malware/Worm:Win32/Nimda"
            },
            {
              "id": "HackTool:Win32/Crack",
              "display_name": "HackTool:Win32/Crack",
              "target": "/malware/HackTool:Win32/Crack"
            },
            {
              "id": "ALF:PUA:Win32/OpenCandy",
              "display_name": "ALF:PUA:Win32/OpenCandy",
              "target": null
            },
            {
              "id": "Trojan:Win32/Wacatac",
              "display_name": "Trojan:Win32/Wacatac",
              "target": "/malware/Trojan:Win32/Wacatac"
            },
            {
              "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
              "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
              "target": null
            },
            {
              "id": "HackTool:PowerShell/Mimikatz",
              "display_name": "HackTool:PowerShell/Mimikatz",
              "target": "/malware/HackTool:PowerShell/Mimikatz"
            },
            {
              "id": "ALF:Program:Win32/Mediaget",
              "display_name": "ALF:Program:Win32/Mediaget",
              "target": null
            },
            {
              "id": "Trojan:Win32/Qbot",
              "display_name": "Trojan:Win32/Qbot",
              "target": "/malware/Trojan:Win32/Qbot"
            },
            {
              "id": "Worm:Win32/Acint",
              "display_name": "Worm:Win32/Acint",
              "target": "/malware/Worm:Win32/Acint"
            },
            {
              "id": "Adwind RAT",
              "display_name": "Adwind RAT",
              "target": null
            },
            {
              "id": "Trojan:Win32/Tiggre",
              "display_name": "Trojan:Win32/Tiggre",
              "target": "/malware/Trojan:Win32/Tiggre"
            },
            {
              "id": "Virus:DOS/Better_Tomorrow",
              "display_name": "Virus:DOS/Better_Tomorrow",
              "target": "/malware/Virus:DOS/Better_Tomorrow"
            },
            {
              "id": "Pony",
              "display_name": "Pony",
              "target": null
            },
            {
              "id": "ALF:PUA:Win32/Rostpay",
              "display_name": "ALF:PUA:Win32/Rostpay",
              "target": null
            },
            {
              "id": "NirCmd",
              "display_name": "NirCmd",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "trojanx",
              "display_name": "trojanx",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
              "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
              "target": null
            },
            {
              "id": "Trojan:Win32/Fuery",
              "display_name": "Trojan:Win32/Fuery",
              "target": "/malware/Trojan:Win32/Fuery"
            },
            {
              "id": "Trojan:Win32/Filetour",
              "display_name": "Trojan:Win32/Filetour",
              "target": "/malware/Trojan:Win32/Filetour"
            },
            {
              "id": "ALF:PUA:Win32/IObit",
              "display_name": "ALF:PUA:Win32/IObit",
              "target": null
            },
            {
              "id": "ALF:Cert:InstallPack",
              "display_name": "ALF:Cert:InstallPack",
              "target": null
            },
            {
              "id": "Ransom:Win32/WannaCrypt",
              "display_name": "Ransom:Win32/WannaCrypt",
              "target": "/malware/Ransom:Win32/WannaCrypt"
            },
            {
              "id": "TROJ_FRS.VSN1EA19",
              "display_name": "TROJ_FRS.VSN1EA19",
              "target": null
            },
            {
              "id": "PE.Heur",
              "display_name": "PE.Heur",
              "target": null
            },
            {
              "id": "Slimware.a",
              "display_name": "Slimware.a",
              "target": null
            },
            {
              "id": "PhishingMS.ABC",
              "display_name": "PhishingMS.ABC",
              "target": null
            },
            {
              "id": "FileRepMetagen [PUP]",
              "display_name": "FileRepMetagen [PUP]",
              "target": null
            },
            {
              "id": "malicious.35bb6b",
              "display_name": "malicious.35bb6b",
              "target": null
            },
            {
              "id": "Agent.3132311",
              "display_name": "Agent.3132311",
              "target": null
            },
            {
              "id": "virus.html.gen03",
              "display_name": "virus.html.gen03",
              "target": null
            },
            {
              "id": "BU",
              "display_name": "BU",
              "target": null
            },
            {
              "id": "Trojan:Win32/Presenoker",
              "display_name": "Trojan:Win32/Presenoker",
              "target": "/malware/Trojan:Win32/Presenoker"
            },
            {
              "id": "Trojan:Win32/Swrort",
              "display_name": "Trojan:Win32/Swrort",
              "target": "/malware/Trojan:Win32/Swrort"
            },
            {
              "id": "ALF:PUA:Win32/Funshion",
              "display_name": "ALF:PUA:Win32/Funshion",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "653f21acc5a187c1be5fcc90",
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 14,
            "hostname": 313,
            "FileHash-MD5": 187,
            "FileHash-SHA1": 102,
            "domain": 115,
            "URL": 134,
            "FileHash-SHA256": 169,
            "FilePath": 1,
            "CIDR": 1
          },
          "indicator_count": 1036,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "936 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "compromised_site_redirector_fromcharcode fromCharCode",
        "IP\u2019s Contacted:  93.184.221.240  3.33.130.190 |  Domains Contacted: counterslocal.com",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "Extensive research",
        "https://www.superpages.com/denver-co/bpp/amp/therahand-472908110",
        "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166",
        "https://www.superpages.com/",
        "Content servers: https://c.ypcdn.com/",
        "Hybrid Analysis via AlienVault OTX Extraction Details",
        "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527",
        "Project Endgame - pegausintel.com - Unsure if related to NSO Group",
        "Data Analysis",
        "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf",
        "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539",
        "Comparative Analysis",
        "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean",
        "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/",
        "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer",
        "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/",
        "Antivirus Detections Cryp_Xed-12 ,  Mal/Generic-S ,  Packed/Upack Yara Detections Upackv039finalDwing ,  UpackV037Dwing",
        "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile",
        "Yara Detections: compromised_site_redirector_fromcharcode ,  Cabinet_Archive ,  SFX_CAB"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Alf:pua:win32/funshion",
            "Trojanx",
            "#lowfi:siga:trojanspy:msil/keylogger",
            "Alf:cert:installpack",
            "Hacktool:win32/crack",
            "Trojan:win32/qbot",
            "Webtoolbar",
            "Trojandownloader:win32/nemucod",
            "Trojan:win32/wacatac",
            "Maltiverse",
            "Bu",
            "Virus:dos/better_tomorrow",
            "Slimware.a",
            "Trojan:win32/swrort",
            "Phishingms.abc",
            "Worm:win32/acint",
            "Nircmd",
            "Pony",
            "Trojanspy:win32/nivdort",
            "Quasar rat",
            "Virus.html.gen03",
            "Adwind rat",
            "Worm:win32/macoute.a",
            "Alf:heraklezeval:trojandownloader:win32/unruy",
            "Pe.heur",
            "Trojan:win32/filetour",
            "Ransom:win32/wannacrypt",
            "Ransom:win32/eniqma.a",
            "Formbook",
            "Trojan:win32/presenoker",
            "Malicious.35bb6b",
            "Xrat",
            "Hacktool:powershell/mimikatz",
            "Alf:pua:win32/opencandy",
            "Trojan:win32/tiggre",
            "Worm:win32/fesber.a",
            "Skynet",
            "Filerepmetagen [pup]",
            "Trojanspy",
            "Alf:pua:win32/rostpay",
            "Upackv037dwing",
            "Cryp_xed-12",
            "Trojan:win32/fuery",
            "Troj_frs.vsn1ea19",
            "Mal/generic-s",
            "Worm:win32/nimda",
            "Alf:pua:win32/iobit",
            "Backdoor:win32/zbot",
            "Alf:program:win32/mediaget",
            "Agent.3132311",
            "Alf:heraklezeval:rogue:win32/fakerean",
            "Tofsee",
            "Alf:jasyp:pua:win32/systweak"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 9,
  "pulses": [
    {
      "id": "6a056cacb981e6f3b2dd4647",
      "name": "Hijacked 'Operation Endgame' Tofsee Ransomware clone credit scoreblue",
      "description": "",
      "modified": "2026-05-14T07:28:01.780000",
      "created": "2026-05-14T06:33:16.946000",
      "tags": [
        "as8075",
        "united",
        "pid425870621",
        "tid700443057",
        "tpid425870621",
        "slot1",
        "mascore2",
        "bcnt1",
        "unid88000705",
        "nct1",
        "date",
        "china",
        "china unknown",
        "passive dns",
        "body xml",
        "error code",
        "requestid",
        "hostid ec",
        "server",
        "gmt content",
        "type",
        "registry",
        "intel",
        "ms windows",
        "show",
        "entries",
        "search",
        "high",
        "pe32",
        "high process",
        "injection t1055",
        "salicode",
        "worm",
        "copy",
        "tools",
        "service",
        "write",
        "win32",
        "persistence",
        "execution",
        "april",
        "urls",
        "http",
        "unique",
        "scan endpoints",
        "all scoreblue",
        "url http",
        "pulse pulses",
        "ip address",
        "related nids",
        "code",
        "as54113",
        "unknown",
        "body",
        "fastly error",
        "please",
        "sea p",
        "msil",
        "accept",
        "aaaa",
        "nxdomain",
        "whitelisted",
        "as15169 google",
        "status",
        "as44273 host",
        "as46691",
        "domain",
        "url https",
        "files location",
        "info",
        "script urls",
        "path max",
        "age86400 set",
        "cookie",
        "script domains",
        "javascript",
        "script script",
        "trojanspy",
        "cname",
        "emails",
        "servers",
        "all search",
        "related pulses",
        "file samples",
        "files matching",
        "creation date",
        "germany unknown",
        "yara detections",
        "filehash",
        "av detections",
        "ids detections",
        "alerts",
        "analysis date",
        "file score",
        "meta",
        "home welcome",
        "write c",
        "delete c",
        "query",
        "local",
        "hostname",
        "a domains",
        "lowfi",
        "content type",
        "record value",
        "suite",
        "showing",
        "asnone united",
        "as29873",
        "ipv4",
        "pulse submit",
        "url analysis",
        "files",
        "pe32 executable",
        "potential scan",
        "0pgtwhu",
        "t1045",
        "port",
        "infection",
        "recon",
        "malware",
        "june",
        "delphi",
        "taobao network",
        "as45102 alibaba",
        "as4812 china",
        "next",
        "expiration date",
        "name servers",
        "dynamicloader",
        "dynamic",
        "sha256",
        "dynamic link",
        "library exe",
        "adobe",
        "incorporated",
        "read",
        "yara rule",
        "delete",
        "binary file",
        "push",
        "malicious",
        "july",
        "iocs",
        "levelbluelabs",
        "jeff4son",
        "adversaries",
        "registry run",
        "flow t1574",
        "dll sideloading",
        "boot",
        "logon autostart",
        "execution t1547",
        "keys",
        "startup folder",
        "t1497 may",
        "encryption",
        "catalog tree",
        "analysis ob0001",
        "virtual machine",
        "detection b0009",
        "check registry",
        "analysis ob0002",
        "executable code",
        "stack strings",
        "control ob0004",
        "get http",
        "http requests",
        "dns resolutions",
        "ip traffic",
        "pattern domains",
        "memory pattern",
        "urls http",
        "request",
        "response",
        "connection",
        "trojan",
        "otx scoreblue",
        "windows",
        "embeddedwb",
        "medium",
        "shellexecuteexw",
        "msie",
        "windows nt",
        "displayname",
        "tofsee",
        "hashes",
        "vhash",
        "authentihash",
        "ssdeep",
        "win32 exe",
        "magic pe32",
        "trid win32",
        "library",
        "read c",
        "file guard",
        "rtversion",
        "langchinese",
        "legalcopyright",
        "reserved",
        "ransom",
        "moved",
        "media",
        "ascii text",
        "default",
        "upack",
        "mike",
        "contacted",
        "x87xe1x1d",
        "regsetvalueexa",
        "x95xd3xa4",
        "regbinary",
        "x84xa8xe8i",
        "x8dxb7xb7",
        "hx88x9ax1e",
        "mx81xd1r",
        "x92xac",
        "xc2x84",
        "stream",
        "swipper",
        "pdfcreator.sf.net",
        "botnet",
        "black mercedes",
        "please forgive me",
        "therahand thouroughhand"
      ],
      "references": [
        "Project Endgame - pegausintel.com - Unsure if related to NSO Group",
        "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean",
        "Yara Detections: compromised_site_redirector_fromcharcode ,  Cabinet_Archive ,  SFX_CAB",
        "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile",
        "IP\u2019s Contacted:  93.184.221.240  3.33.130.190 |  Domains Contacted: counterslocal.com",
        "compromised_site_redirector_fromcharcode fromCharCode",
        "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527",
        "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/",
        "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf",
        "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/",
        "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166",
        "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539",
        "Antivirus Detections Cryp_Xed-12 ,  Mal/Generic-S ,  Packed/Upack Yara Detections Upackv039finalDwing ,  UpackV037Dwing",
        "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Worm:Win32/Macoute.A",
          "display_name": "Worm:Win32/Macoute.A",
          "target": "/malware/Worm:Win32/Macoute.A"
        },
        {
          "id": "TrojanDownloader:Win32/Nemucod",
          "display_name": "TrojanDownloader:Win32/Nemucod",
          "target": "/malware/TrojanDownloader:Win32/Nemucod"
        },
        {
          "id": "TrojanSpy:Win32/Nivdort",
          "display_name": "TrojanSpy:Win32/Nivdort",
          "target": "/malware/TrojanSpy:Win32/Nivdort"
        },
        {
          "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
          "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
          "target": null
        },
        {
          "id": "Worm:Win32/Fesber.A",
          "display_name": "Worm:Win32/Fesber.A",
          "target": "/malware/Worm:Win32/Fesber.A"
        },
        {
          "id": "Ransom:Win32/Eniqma.A",
          "display_name": "Ransom:Win32/Eniqma.A",
          "target": "/malware/Ransom:Win32/Eniqma.A"
        },
        {
          "id": "Tofsee",
          "display_name": "Tofsee",
          "target": null
        },
        {
          "id": "UpackV037Dwing",
          "display_name": "UpackV037Dwing",
          "target": null
        },
        {
          "id": "Cryp_Xed-12",
          "display_name": "Cryp_Xed-12",
          "target": null
        },
        {
          "id": "Mal/Generic-S",
          "display_name": "Mal/Generic-S",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1089",
          "name": "Disabling Security Tools",
          "display_name": "T1089 - Disabling Security Tools"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1096",
          "name": "NTFS File Attributes",
          "display_name": "T1096 - NTFS File Attributes"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "66eb3ef6d765187a437767e4",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1521,
        "FileHash-SHA1": 1395,
        "FileHash-SHA256": 6084,
        "URL": 1499,
        "domain": 1947,
        "hostname": 1361,
        "email": 18,
        "CVE": 1
      },
      "indicator_count": 13826,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "18 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a056cac80d9b80eb1a97e29",
      "name": "Hijacked 'Operation Endgame' Tofsee Ransomware clone credit scoreblue",
      "description": "",
      "modified": "2026-05-14T07:14:09.098000",
      "created": "2026-05-14T06:33:16.505000",
      "tags": [
        "as8075",
        "united",
        "pid425870621",
        "tid700443057",
        "tpid425870621",
        "slot1",
        "mascore2",
        "bcnt1",
        "unid88000705",
        "nct1",
        "date",
        "china",
        "china unknown",
        "passive dns",
        "body xml",
        "error code",
        "requestid",
        "hostid ec",
        "server",
        "gmt content",
        "type",
        "registry",
        "intel",
        "ms windows",
        "show",
        "entries",
        "search",
        "high",
        "pe32",
        "high process",
        "injection t1055",
        "salicode",
        "worm",
        "copy",
        "tools",
        "service",
        "write",
        "win32",
        "persistence",
        "execution",
        "april",
        "urls",
        "http",
        "unique",
        "scan endpoints",
        "all scoreblue",
        "url http",
        "pulse pulses",
        "ip address",
        "related nids",
        "code",
        "as54113",
        "unknown",
        "body",
        "fastly error",
        "please",
        "sea p",
        "msil",
        "accept",
        "aaaa",
        "nxdomain",
        "whitelisted",
        "as15169 google",
        "status",
        "as44273 host",
        "as46691",
        "domain",
        "url https",
        "files location",
        "info",
        "script urls",
        "path max",
        "age86400 set",
        "cookie",
        "script domains",
        "javascript",
        "script script",
        "trojanspy",
        "cname",
        "emails",
        "servers",
        "all search",
        "related pulses",
        "file samples",
        "files matching",
        "creation date",
        "germany unknown",
        "yara detections",
        "filehash",
        "av detections",
        "ids detections",
        "alerts",
        "analysis date",
        "file score",
        "meta",
        "home welcome",
        "write c",
        "delete c",
        "query",
        "local",
        "hostname",
        "a domains",
        "lowfi",
        "content type",
        "record value",
        "suite",
        "showing",
        "asnone united",
        "as29873",
        "ipv4",
        "pulse submit",
        "url analysis",
        "files",
        "pe32 executable",
        "potential scan",
        "0pgtwhu",
        "t1045",
        "port",
        "infection",
        "recon",
        "malware",
        "june",
        "delphi",
        "taobao network",
        "as45102 alibaba",
        "as4812 china",
        "next",
        "expiration date",
        "name servers",
        "dynamicloader",
        "dynamic",
        "sha256",
        "dynamic link",
        "library exe",
        "adobe",
        "incorporated",
        "read",
        "yara rule",
        "delete",
        "binary file",
        "push",
        "malicious",
        "july",
        "iocs",
        "levelbluelabs",
        "jeff4son",
        "adversaries",
        "registry run",
        "flow t1574",
        "dll sideloading",
        "boot",
        "logon autostart",
        "execution t1547",
        "keys",
        "startup folder",
        "t1497 may",
        "encryption",
        "catalog tree",
        "analysis ob0001",
        "virtual machine",
        "detection b0009",
        "check registry",
        "analysis ob0002",
        "executable code",
        "stack strings",
        "control ob0004",
        "get http",
        "http requests",
        "dns resolutions",
        "ip traffic",
        "pattern domains",
        "memory pattern",
        "urls http",
        "request",
        "response",
        "connection",
        "trojan",
        "otx scoreblue",
        "windows",
        "embeddedwb",
        "medium",
        "shellexecuteexw",
        "msie",
        "windows nt",
        "displayname",
        "tofsee",
        "hashes",
        "vhash",
        "authentihash",
        "ssdeep",
        "win32 exe",
        "magic pe32",
        "trid win32",
        "library",
        "read c",
        "file guard",
        "rtversion",
        "langchinese",
        "legalcopyright",
        "reserved",
        "ransom",
        "moved",
        "media",
        "ascii text",
        "default",
        "upack",
        "mike",
        "contacted",
        "x87xe1x1d",
        "regsetvalueexa",
        "x95xd3xa4",
        "regbinary",
        "x84xa8xe8i",
        "x8dxb7xb7",
        "hx88x9ax1e",
        "mx81xd1r",
        "x92xac",
        "xc2x84",
        "stream",
        "swipper",
        "pdfcreator.sf.net",
        "botnet",
        "black mercedes",
        "please forgive me",
        "therahand thouroughhand"
      ],
      "references": [
        "Project Endgame - pegausintel.com - Unsure if related to NSO Group",
        "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean",
        "Yara Detections: compromised_site_redirector_fromcharcode ,  Cabinet_Archive ,  SFX_CAB",
        "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile",
        "IP\u2019s Contacted:  93.184.221.240  3.33.130.190 |  Domains Contacted: counterslocal.com",
        "compromised_site_redirector_fromcharcode fromCharCode",
        "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527",
        "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/",
        "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf",
        "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/",
        "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166",
        "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539",
        "Antivirus Detections Cryp_Xed-12 ,  Mal/Generic-S ,  Packed/Upack Yara Detections Upackv039finalDwing ,  UpackV037Dwing",
        "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Worm:Win32/Macoute.A",
          "display_name": "Worm:Win32/Macoute.A",
          "target": "/malware/Worm:Win32/Macoute.A"
        },
        {
          "id": "TrojanDownloader:Win32/Nemucod",
          "display_name": "TrojanDownloader:Win32/Nemucod",
          "target": "/malware/TrojanDownloader:Win32/Nemucod"
        },
        {
          "id": "TrojanSpy:Win32/Nivdort",
          "display_name": "TrojanSpy:Win32/Nivdort",
          "target": "/malware/TrojanSpy:Win32/Nivdort"
        },
        {
          "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
          "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
          "target": null
        },
        {
          "id": "Worm:Win32/Fesber.A",
          "display_name": "Worm:Win32/Fesber.A",
          "target": "/malware/Worm:Win32/Fesber.A"
        },
        {
          "id": "Ransom:Win32/Eniqma.A",
          "display_name": "Ransom:Win32/Eniqma.A",
          "target": "/malware/Ransom:Win32/Eniqma.A"
        },
        {
          "id": "Tofsee",
          "display_name": "Tofsee",
          "target": null
        },
        {
          "id": "UpackV037Dwing",
          "display_name": "UpackV037Dwing",
          "target": null
        },
        {
          "id": "Cryp_Xed-12",
          "display_name": "Cryp_Xed-12",
          "target": null
        },
        {
          "id": "Mal/Generic-S",
          "display_name": "Mal/Generic-S",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1089",
          "name": "Disabling Security Tools",
          "display_name": "T1089 - Disabling Security Tools"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1096",
          "name": "NTFS File Attributes",
          "display_name": "T1096 - NTFS File Attributes"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "66eb3ef6d765187a437767e4",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1493,
        "FileHash-SHA1": 1393,
        "FileHash-SHA256": 5881,
        "URL": 1499,
        "domain": 1947,
        "hostname": 1360,
        "email": 18,
        "CVE": 1
      },
      "indicator_count": 13592,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "18 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66eb3ef6d765187a437767e4",
      "name": "Hijacked 'Operation Endgame' Tofsee  Ransomware",
      "description": "This is a project. A target has been put into different Operations: Project Hilo, Project Helix, Operation Endgame, The NSO Cellebrite Pegasus hit list. These are real and very serious threats. Severe Cyber issues made their way to her infected devices as well as the devices of family members. Death threats continue to come in. Several DoD IP addresses found in a PDF. It's unresearched at this time; DoD via BGP HE has been questionable considering use gateway abuse by SWIPPER. \n\nStill no authority can confirm victim is a suspect. Must be a crazy high to help Jeffrey Scott Reiner PT. DPT get away with assault in such a ridiculous manner. Court report posted online by Trellis (BS) is of course a falsified, vulnerability filled 'made you click' document. Faldif0, empty docmpty doc, citing it was refreshed in 2023. \nThere is no doubt these masqueraders mean to intimidate, humiliate, isolate & harm target. These people are not in China. False attribution is likely. Attack is disseminated from USA.",
      "modified": "2024-10-18T20:04:41.836000",
      "created": "2024-09-18T20:58:30.691000",
      "tags": [
        "as8075",
        "united",
        "pid425870621",
        "tid700443057",
        "tpid425870621",
        "slot1",
        "mascore2",
        "bcnt1",
        "unid88000705",
        "nct1",
        "date",
        "china",
        "china unknown",
        "passive dns",
        "body xml",
        "error code",
        "requestid",
        "hostid ec",
        "server",
        "gmt content",
        "type",
        "registry",
        "intel",
        "ms windows",
        "show",
        "entries",
        "search",
        "high",
        "pe32",
        "high process",
        "injection t1055",
        "salicode",
        "worm",
        "copy",
        "tools",
        "service",
        "write",
        "win32",
        "persistence",
        "execution",
        "april",
        "urls",
        "http",
        "unique",
        "scan endpoints",
        "all scoreblue",
        "url http",
        "pulse pulses",
        "ip address",
        "related nids",
        "code",
        "as54113",
        "unknown",
        "body",
        "fastly error",
        "please",
        "sea p",
        "msil",
        "accept",
        "aaaa",
        "nxdomain",
        "whitelisted",
        "as15169 google",
        "status",
        "as44273 host",
        "as46691",
        "domain",
        "url https",
        "files location",
        "info",
        "script urls",
        "path max",
        "age86400 set",
        "cookie",
        "script domains",
        "javascript",
        "script script",
        "trojanspy",
        "cname",
        "emails",
        "servers",
        "all search",
        "related pulses",
        "file samples",
        "files matching",
        "creation date",
        "germany unknown",
        "yara detections",
        "filehash",
        "av detections",
        "ids detections",
        "alerts",
        "analysis date",
        "file score",
        "meta",
        "home welcome",
        "write c",
        "delete c",
        "query",
        "local",
        "hostname",
        "a domains",
        "lowfi",
        "content type",
        "record value",
        "suite",
        "showing",
        "asnone united",
        "as29873",
        "ipv4",
        "pulse submit",
        "url analysis",
        "files",
        "pe32 executable",
        "potential scan",
        "0pgtwhu",
        "t1045",
        "port",
        "infection",
        "recon",
        "malware",
        "june",
        "delphi",
        "taobao network",
        "as45102 alibaba",
        "as4812 china",
        "next",
        "expiration date",
        "name servers",
        "dynamicloader",
        "dynamic",
        "sha256",
        "dynamic link",
        "library exe",
        "adobe",
        "incorporated",
        "read",
        "yara rule",
        "delete",
        "binary file",
        "push",
        "malicious",
        "july",
        "iocs",
        "levelbluelabs",
        "jeff4son",
        "adversaries",
        "registry run",
        "flow t1574",
        "dll sideloading",
        "boot",
        "logon autostart",
        "execution t1547",
        "keys",
        "startup folder",
        "t1497 may",
        "encryption",
        "catalog tree",
        "analysis ob0001",
        "virtual machine",
        "detection b0009",
        "check registry",
        "analysis ob0002",
        "executable code",
        "stack strings",
        "control ob0004",
        "get http",
        "http requests",
        "dns resolutions",
        "ip traffic",
        "pattern domains",
        "memory pattern",
        "urls http",
        "request",
        "response",
        "connection",
        "trojan",
        "otx scoreblue",
        "windows",
        "embeddedwb",
        "medium",
        "shellexecuteexw",
        "msie",
        "windows nt",
        "displayname",
        "tofsee",
        "hashes",
        "vhash",
        "authentihash",
        "ssdeep",
        "win32 exe",
        "magic pe32",
        "trid win32",
        "library",
        "read c",
        "file guard",
        "rtversion",
        "langchinese",
        "legalcopyright",
        "reserved",
        "ransom",
        "moved",
        "media",
        "ascii text",
        "default",
        "upack",
        "mike",
        "contacted",
        "x87xe1x1d",
        "regsetvalueexa",
        "x95xd3xa4",
        "regbinary",
        "x84xa8xe8i",
        "x8dxb7xb7",
        "hx88x9ax1e",
        "mx81xd1r",
        "x92xac",
        "xc2x84",
        "stream",
        "swipper",
        "pdfcreator.sf.net",
        "botnet",
        "black mercedes",
        "please forgive me",
        "therahand thouroughhand"
      ],
      "references": [
        "Project Endgame - pegausintel.com - Unsure if related to NSO Group",
        "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean",
        "Yara Detections: compromised_site_redirector_fromcharcode ,  Cabinet_Archive ,  SFX_CAB",
        "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile",
        "P\u2019s Contacted:  93.184.221.240  3.33.130.190 |  Domains Contacted: counterslocal.com",
        "compromised_site_redirector_fromcharcode fromCharCode",
        "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527",
        "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/",
        "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf",
        "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/",
        "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166",
        "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539",
        "Antivirus Detections Cryp_Xed-12 ,  Mal/Generic-S ,  Packed/Upack Yara Detections Upackv039finalDwing ,  UpackV037Dwing",
        "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Worm:Win32/Macoute.A",
          "display_name": "Worm:Win32/Macoute.A",
          "target": "/malware/Worm:Win32/Macoute.A"
        },
        {
          "id": "TrojanDownloader:Win32/Nemucod",
          "display_name": "TrojanDownloader:Win32/Nemucod",
          "target": "/malware/TrojanDownloader:Win32/Nemucod"
        },
        {
          "id": "TrojanSpy:Win32/Nivdort",
          "display_name": "TrojanSpy:Win32/Nivdort",
          "target": "/malware/TrojanSpy:Win32/Nivdort"
        },
        {
          "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
          "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean",
          "target": null
        },
        {
          "id": "Worm:Win32/Fesber.A",
          "display_name": "Worm:Win32/Fesber.A",
          "target": "/malware/Worm:Win32/Fesber.A"
        },
        {
          "id": "Ransom:Win32/Eniqma.A",
          "display_name": "Ransom:Win32/Eniqma.A",
          "target": "/malware/Ransom:Win32/Eniqma.A"
        },
        {
          "id": "Tofsee",
          "display_name": "Tofsee",
          "target": null
        },
        {
          "id": "UpackV037Dwing",
          "display_name": "UpackV037Dwing",
          "target": null
        },
        {
          "id": "Cryp_Xed-12",
          "display_name": "Cryp_Xed-12",
          "target": null
        },
        {
          "id": "Mal/Generic-S",
          "display_name": "Mal/Generic-S",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1089",
          "name": "Disabling Security Tools",
          "display_name": "T1089 - Disabling Security Tools"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1096",
          "name": "NTFS File Attributes",
          "display_name": "T1096 - NTFS File Attributes"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1493,
        "FileHash-SHA1": 1393,
        "FileHash-SHA256": 5881,
        "URL": 1495,
        "domain": 1947,
        "hostname": 1360,
        "email": 18,
        "CVE": 1
      },
      "indicator_count": 13588,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 232,
      "modified_text": "591 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "652396e713c1ed328a30e252",
      "name": "Multiple Antagonist",
      "description": "Multiple antagonists are related to this issue.\n\n\nBased on extensive research, the attack is not aimed at the medical business. \n\nTargeting: visitors, a specified female individual, associates, targets businesses, devices, digital profile, technology, insurance, communications, search redirects, targets route through BN.\n\n\n\nResearch points to multiple involved antagonists, a female target, and a clear motive.",
      "modified": "2023-11-08T04:04:40.217000",
      "created": "2023-10-09T06:00:07.575000",
      "tags": [
        "heur",
        "united",
        "malicious site",
        "phishing site",
        "malware",
        "anonymisation",
        "ibm xforce",
        "exchange",
        "unsafe",
        "artemis",
        "formbook",
        "downloader",
        "facebook",
        "bank",
        "download",
        "union",
        "fuery",
        "team",
        "qbot",
        "bankerx",
        "riskware",
        "dropper",
        "nimda",
        "swrort",
        "unruy",
        "adwind",
        "trojanx",
        "crack",
        "win64",
        "agent",
        "generic",
        "alexa top",
        "million",
        "team top",
        "site",
        "cisco umbrella",
        "safe site",
        "malware site",
        "iframe",
        "opencandy",
        "exploit",
        "zbot",
        "nircmd",
        "acint",
        "downldr",
        "tiggre",
        "presenoker",
        "filetour",
        "cleaner",
        "conduit",
        "wacatac",
        "quasar rat",
        "mimikatz",
        "pony",
        "funshion",
        "mywebsearch",
        "rostpay",
        "iobit",
        "mediaget",
        "systweak",
        "behav",
        "genkryptik",
        "phishing",
        "alexa",
        "installpack",
        "xtrat",
        "webtoolbar",
        "trojanspy",
        "detection list",
        "blacklist http",
        "bottom3",
        "sig10vr3b813",
        "lcid1033",
        "smlen",
        "spn224",
        "bv7uet92ww",
        "blacklist",
        "denver",
        "s tamarac",
        "dr ste",
        "therapists",
        "centennial",
        "therahand",
        "review",
        "physical",
        "tomorrow",
        "hours mon",
        "dpt",
        "404",
        "gettr",
        "whois record",
        "referrer",
        "historical ssl",
        "contacted",
        "communicating",
        "resolutions",
        "whois whois",
        "whois ssl",
        "ssl certificate",
        "bottom3 http",
        "FileRepMetagen",
        "evasive,hyteod,ransomware",
        "AI_Score_52%",
        "ATT&CK fonts.gstatic.com",
        "mitre",
        "button",
        "path",
        "input",
        "form",
        "malicious url",
        "paypal",
        "team phishing",
        "filerepmetagen",
        "azorult",
        "service",
        "runescape",
        "business url",
        "delivery optout",
        "superpages url",
        "us url",
        "network partner",
        "google",
        "windows nt",
        "khtml",
        "gecko",
        "aes128gcm",
        "gts ca",
        "europeberlin",
        "frankfurt",
        "main",
        "sign",
        "people search",
        "state directory",
        "join browse",
        "nail salons",
        "popular",
        "the local",
        "nearby",
        "strong",
        "use my",
        "fakealert",
        "zpevdo"
      ],
      "references": [
        "https://www.superpages.com/denver-co/bpp/amp/therahand-472908110",
        "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer",
        "Hybrid Analysis via AlienVault OTX Extraction Details",
        "Extensive research",
        "Data Analysis",
        "Comparative Analysis",
        "Content servers: https://c.ypcdn.com/",
        "https://www.superpages.com/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Maltiverse",
          "display_name": "Maltiverse",
          "target": null
        },
        {
          "id": "WebToolbar",
          "display_name": "WebToolbar",
          "target": null
        },
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "XRat",
          "display_name": "XRat",
          "target": null
        },
        {
          "id": "Backdoor:Win32/Zbot",
          "display_name": "Backdoor:Win32/Zbot",
          "target": "/malware/Backdoor:Win32/Zbot"
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "ALF:JASYP:PUA:Win32/Systweak",
          "display_name": "ALF:JASYP:PUA:Win32/Systweak",
          "target": null
        },
        {
          "id": "FormBook",
          "display_name": "FormBook",
          "target": null
        },
        {
          "id": "Worm:Win32/Nimda",
          "display_name": "Worm:Win32/Nimda",
          "target": "/malware/Worm:Win32/Nimda"
        },
        {
          "id": "HackTool:Win32/Crack",
          "display_name": "HackTool:Win32/Crack",
          "target": "/malware/HackTool:Win32/Crack"
        },
        {
          "id": "ALF:PUA:Win32/OpenCandy",
          "display_name": "ALF:PUA:Win32/OpenCandy",
          "target": null
        },
        {
          "id": "Trojan:Win32/Wacatac",
          "display_name": "Trojan:Win32/Wacatac",
          "target": "/malware/Trojan:Win32/Wacatac"
        },
        {
          "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
          "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
          "target": null
        },
        {
          "id": "HackTool:PowerShell/Mimikatz",
          "display_name": "HackTool:PowerShell/Mimikatz",
          "target": "/malware/HackTool:PowerShell/Mimikatz"
        },
        {
          "id": "ALF:Program:Win32/Mediaget",
          "display_name": "ALF:Program:Win32/Mediaget",
          "target": null
        },
        {
          "id": "Trojan:Win32/Qbot",
          "display_name": "Trojan:Win32/Qbot",
          "target": "/malware/Trojan:Win32/Qbot"
        },
        {
          "id": "Worm:Win32/Acint",
          "display_name": "Worm:Win32/Acint",
          "target": "/malware/Worm:Win32/Acint"
        },
        {
          "id": "Adwind RAT",
          "display_name": "Adwind RAT",
          "target": null
        },
        {
          "id": "Trojan:Win32/Tiggre",
          "display_name": "Trojan:Win32/Tiggre",
          "target": "/malware/Trojan:Win32/Tiggre"
        },
        {
          "id": "Virus:DOS/Better_Tomorrow",
          "display_name": "Virus:DOS/Better_Tomorrow",
          "target": "/malware/Virus:DOS/Better_Tomorrow"
        },
        {
          "id": "Pony",
          "display_name": "Pony",
          "target": null
        },
        {
          "id": "ALF:PUA:Win32/Rostpay",
          "display_name": "ALF:PUA:Win32/Rostpay",
          "target": null
        },
        {
          "id": "NirCmd",
          "display_name": "NirCmd",
          "target": null
        },
        {
          "id": "Quasar RAT",
          "display_name": "Quasar RAT",
          "target": null
        },
        {
          "id": "trojanx",
          "display_name": "trojanx",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
          "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
          "target": null
        },
        {
          "id": "Trojan:Win32/Fuery",
          "display_name": "Trojan:Win32/Fuery",
          "target": "/malware/Trojan:Win32/Fuery"
        },
        {
          "id": "Trojan:Win32/Filetour",
          "display_name": "Trojan:Win32/Filetour",
          "target": "/malware/Trojan:Win32/Filetour"
        },
        {
          "id": "ALF:PUA:Win32/IObit",
          "display_name": "ALF:PUA:Win32/IObit",
          "target": null
        },
        {
          "id": "ALF:Cert:InstallPack",
          "display_name": "ALF:Cert:InstallPack",
          "target": null
        },
        {
          "id": "Ransom:Win32/WannaCrypt",
          "display_name": "Ransom:Win32/WannaCrypt",
          "target": "/malware/Ransom:Win32/WannaCrypt"
        },
        {
          "id": "TROJ_FRS.VSN1EA19",
          "display_name": "TROJ_FRS.VSN1EA19",
          "target": null
        },
        {
          "id": "PE.Heur",
          "display_name": "PE.Heur",
          "target": null
        },
        {
          "id": "Slimware.a",
          "display_name": "Slimware.a",
          "target": null
        },
        {
          "id": "PhishingMS.ABC",
          "display_name": "PhishingMS.ABC",
          "target": null
        },
        {
          "id": "FileRepMetagen [PUP]",
          "display_name": "FileRepMetagen [PUP]",
          "target": null
        },
        {
          "id": "malicious.35bb6b",
          "display_name": "malicious.35bb6b",
          "target": null
        },
        {
          "id": "Agent.3132311",
          "display_name": "Agent.3132311",
          "target": null
        },
        {
          "id": "virus.html.gen03",
          "display_name": "virus.html.gen03",
          "target": null
        },
        {
          "id": "BU",
          "display_name": "BU",
          "target": null
        },
        {
          "id": "Trojan:Win32/Presenoker",
          "display_name": "Trojan:Win32/Presenoker",
          "target": "/malware/Trojan:Win32/Presenoker"
        },
        {
          "id": "Trojan:Win32/Swrort",
          "display_name": "Trojan:Win32/Swrort",
          "target": "/malware/Trojan:Win32/Swrort"
        },
        {
          "id": "ALF:PUA:Win32/Funshion",
          "display_name": "ALF:PUA:Win32/Funshion",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 14,
        "hostname": 313,
        "FileHash-MD5": 187,
        "FileHash-SHA1": 102,
        "domain": 115,
        "URL": 134,
        "FileHash-SHA256": 169,
        "FilePath": 1,
        "CIDR": 1
      },
      "indicator_count": 1036,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 228,
      "modified_text": "936 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6523978d9bc58273e16261a6",
      "name": "Ransom:Win32/WannaCrypt ",
      "description": "",
      "modified": "2023-11-08T04:04:40.217000",
      "created": "2023-10-09T06:02:53.483000",
      "tags": [
        "heur",
        "united",
        "malicious site",
        "phishing site",
        "malware",
        "anonymisation",
        "ibm xforce",
        "exchange",
        "unsafe",
        "artemis",
        "formbook",
        "downloader",
        "facebook",
        "bank",
        "download",
        "union",
        "fuery",
        "team",
        "qbot",
        "bankerx",
        "riskware",
        "dropper",
        "nimda",
        "swrort",
        "unruy",
        "adwind",
        "trojanx",
        "crack",
        "win64",
        "agent",
        "generic",
        "alexa top",
        "million",
        "team top",
        "site",
        "cisco umbrella",
        "safe site",
        "malware site",
        "iframe",
        "opencandy",
        "exploit",
        "zbot",
        "nircmd",
        "acint",
        "downldr",
        "tiggre",
        "presenoker",
        "filetour",
        "cleaner",
        "conduit",
        "wacatac",
        "quasar rat",
        "mimikatz",
        "pony",
        "funshion",
        "mywebsearch",
        "rostpay",
        "iobit",
        "mediaget",
        "systweak",
        "behav",
        "genkryptik",
        "phishing",
        "alexa",
        "installpack",
        "xtrat",
        "webtoolbar",
        "trojanspy",
        "detection list",
        "blacklist http",
        "bottom3",
        "sig10vr3b813",
        "lcid1033",
        "smlen",
        "spn224",
        "bv7uet92ww",
        "blacklist",
        "denver",
        "s tamarac",
        "dr ste",
        "therapists",
        "centennial",
        "therahand",
        "review",
        "physical",
        "tomorrow",
        "hours mon",
        "dpt",
        "404",
        "gettr",
        "whois record",
        "referrer",
        "historical ssl",
        "contacted",
        "communicating",
        "resolutions",
        "whois whois",
        "whois ssl",
        "ssl certificate",
        "bottom3 http",
        "FileRepMetagen",
        "evasive,hyteod,ransomware",
        "AI_Score_52%",
        "ATT&CK fonts.gstatic.com",
        "mitre",
        "button",
        "path",
        "input",
        "form",
        "malicious url",
        "paypal",
        "team phishing",
        "filerepmetagen",
        "azorult",
        "service",
        "runescape",
        "business url",
        "delivery optout",
        "superpages url",
        "us url",
        "network partner",
        "google",
        "windows nt",
        "khtml",
        "gecko",
        "aes128gcm",
        "gts ca",
        "europeberlin",
        "frankfurt",
        "main",
        "sign",
        "people search",
        "state directory",
        "join browse",
        "nail salons",
        "popular",
        "the local",
        "nearby",
        "strong",
        "use my",
        "fakealert",
        "zpevdo"
      ],
      "references": [
        "https://www.superpages.com/denver-co/bpp/amp/therahand-472908110",
        "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer",
        "Hybrid Analysis via AlienVault OTX Extraction Details",
        "Extensive research",
        "Data Analysis",
        "Comparative Analysis",
        "Content servers: https://c.ypcdn.com/",
        "https://www.superpages.com/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Maltiverse",
          "display_name": "Maltiverse",
          "target": null
        },
        {
          "id": "WebToolbar",
          "display_name": "WebToolbar",
          "target": null
        },
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "XRat",
          "display_name": "XRat",
          "target": null
        },
        {
          "id": "Backdoor:Win32/Zbot",
          "display_name": "Backdoor:Win32/Zbot",
          "target": "/malware/Backdoor:Win32/Zbot"
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "ALF:JASYP:PUA:Win32/Systweak",
          "display_name": "ALF:JASYP:PUA:Win32/Systweak",
          "target": null
        },
        {
          "id": "FormBook",
          "display_name": "FormBook",
          "target": null
        },
        {
          "id": "Worm:Win32/Nimda",
          "display_name": "Worm:Win32/Nimda",
          "target": "/malware/Worm:Win32/Nimda"
        },
        {
          "id": "HackTool:Win32/Crack",
          "display_name": "HackTool:Win32/Crack",
          "target": "/malware/HackTool:Win32/Crack"
        },
        {
          "id": "ALF:PUA:Win32/OpenCandy",
          "display_name": "ALF:PUA:Win32/OpenCandy",
          "target": null
        },
        {
          "id": "Trojan:Win32/Wacatac",
          "display_name": "Trojan:Win32/Wacatac",
          "target": "/malware/Trojan:Win32/Wacatac"
        },
        {
          "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
          "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
          "target": null
        },
        {
          "id": "HackTool:PowerShell/Mimikatz",
          "display_name": "HackTool:PowerShell/Mimikatz",
          "target": "/malware/HackTool:PowerShell/Mimikatz"
        },
        {
          "id": "ALF:Program:Win32/Mediaget",
          "display_name": "ALF:Program:Win32/Mediaget",
          "target": null
        },
        {
          "id": "Trojan:Win32/Qbot",
          "display_name": "Trojan:Win32/Qbot",
          "target": "/malware/Trojan:Win32/Qbot"
        },
        {
          "id": "Worm:Win32/Acint",
          "display_name": "Worm:Win32/Acint",
          "target": "/malware/Worm:Win32/Acint"
        },
        {
          "id": "Adwind RAT",
          "display_name": "Adwind RAT",
          "target": null
        },
        {
          "id": "Trojan:Win32/Tiggre",
          "display_name": "Trojan:Win32/Tiggre",
          "target": "/malware/Trojan:Win32/Tiggre"
        },
        {
          "id": "Virus:DOS/Better_Tomorrow",
          "display_name": "Virus:DOS/Better_Tomorrow",
          "target": "/malware/Virus:DOS/Better_Tomorrow"
        },
        {
          "id": "Pony",
          "display_name": "Pony",
          "target": null
        },
        {
          "id": "ALF:PUA:Win32/Rostpay",
          "display_name": "ALF:PUA:Win32/Rostpay",
          "target": null
        },
        {
          "id": "NirCmd",
          "display_name": "NirCmd",
          "target": null
        },
        {
          "id": "Quasar RAT",
          "display_name": "Quasar RAT",
          "target": null
        },
        {
          "id": "trojanx",
          "display_name": "trojanx",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
          "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
          "target": null
        },
        {
          "id": "Trojan:Win32/Fuery",
          "display_name": "Trojan:Win32/Fuery",
          "target": "/malware/Trojan:Win32/Fuery"
        },
        {
          "id": "Trojan:Win32/Filetour",
          "display_name": "Trojan:Win32/Filetour",
          "target": "/malware/Trojan:Win32/Filetour"
        },
        {
          "id": "ALF:PUA:Win32/IObit",
          "display_name": "ALF:PUA:Win32/IObit",
          "target": null
        },
        {
          "id": "ALF:Cert:InstallPack",
          "display_name": "ALF:Cert:InstallPack",
          "target": null
        },
        {
          "id": "Ransom:Win32/WannaCrypt",
          "display_name": "Ransom:Win32/WannaCrypt",
          "target": "/malware/Ransom:Win32/WannaCrypt"
        },
        {
          "id": "TROJ_FRS.VSN1EA19",
          "display_name": "TROJ_FRS.VSN1EA19",
          "target": null
        },
        {
          "id": "PE.Heur",
          "display_name": "PE.Heur",
          "target": null
        },
        {
          "id": "Slimware.a",
          "display_name": "Slimware.a",
          "target": null
        },
        {
          "id": "PhishingMS.ABC",
          "display_name": "PhishingMS.ABC",
          "target": null
        },
        {
          "id": "FileRepMetagen [PUP]",
          "display_name": "FileRepMetagen [PUP]",
          "target": null
        },
        {
          "id": "malicious.35bb6b",
          "display_name": "malicious.35bb6b",
          "target": null
        },
        {
          "id": "Agent.3132311",
          "display_name": "Agent.3132311",
          "target": null
        },
        {
          "id": "virus.html.gen03",
          "display_name": "virus.html.gen03",
          "target": null
        },
        {
          "id": "BU",
          "display_name": "BU",
          "target": null
        },
        {
          "id": "Trojan:Win32/Presenoker",
          "display_name": "Trojan:Win32/Presenoker",
          "target": "/malware/Trojan:Win32/Presenoker"
        },
        {
          "id": "Trojan:Win32/Swrort",
          "display_name": "Trojan:Win32/Swrort",
          "target": "/malware/Trojan:Win32/Swrort"
        },
        {
          "id": "ALF:PUA:Win32/Funshion",
          "display_name": "ALF:PUA:Win32/Funshion",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "652396e713c1ed328a30e252",
      "export_count": 27,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 14,
        "hostname": 313,
        "FileHash-MD5": 187,
        "FileHash-SHA1": 102,
        "domain": 115,
        "URL": 134,
        "FileHash-SHA256": 169,
        "FilePath": 1,
        "CIDR": 1
      },
      "indicator_count": 1036,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 229,
      "modified_text": "936 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "653f1b9d7b8c6e2836f2c1a5",
      "name": "Ransom:Win32/WannaCrypt",
      "description": "",
      "modified": "2023-11-08T04:04:40.217000",
      "created": "2023-10-30T02:57:33.289000",
      "tags": [
        "heur",
        "united",
        "malicious site",
        "phishing site",
        "malware",
        "anonymisation",
        "ibm xforce",
        "exchange",
        "unsafe",
        "artemis",
        "formbook",
        "downloader",
        "facebook",
        "bank",
        "download",
        "union",
        "fuery",
        "team",
        "qbot",
        "bankerx",
        "riskware",
        "dropper",
        "nimda",
        "swrort",
        "unruy",
        "adwind",
        "trojanx",
        "crack",
        "win64",
        "agent",
        "generic",
        "alexa top",
        "million",
        "team top",
        "site",
        "cisco umbrella",
        "safe site",
        "malware site",
        "iframe",
        "opencandy",
        "exploit",
        "zbot",
        "nircmd",
        "acint",
        "downldr",
        "tiggre",
        "presenoker",
        "filetour",
        "cleaner",
        "conduit",
        "wacatac",
        "quasar rat",
        "mimikatz",
        "pony",
        "funshion",
        "mywebsearch",
        "rostpay",
        "iobit",
        "mediaget",
        "systweak",
        "behav",
        "genkryptik",
        "phishing",
        "alexa",
        "installpack",
        "xtrat",
        "webtoolbar",
        "trojanspy",
        "detection list",
        "blacklist http",
        "bottom3",
        "sig10vr3b813",
        "lcid1033",
        "smlen",
        "spn224",
        "bv7uet92ww",
        "blacklist",
        "denver",
        "s tamarac",
        "dr ste",
        "therapists",
        "centennial",
        "therahand",
        "review",
        "physical",
        "tomorrow",
        "hours mon",
        "dpt",
        "404",
        "gettr",
        "whois record",
        "referrer",
        "historical ssl",
        "contacted",
        "communicating",
        "resolutions",
        "whois whois",
        "whois ssl",
        "ssl certificate",
        "bottom3 http",
        "FileRepMetagen",
        "evasive,hyteod,ransomware",
        "AI_Score_52%",
        "ATT&CK fonts.gstatic.com",
        "mitre",
        "button",
        "path",
        "input",
        "form",
        "malicious url",
        "paypal",
        "team phishing",
        "filerepmetagen",
        "azorult",
        "service",
        "runescape",
        "business url",
        "delivery optout",
        "superpages url",
        "us url",
        "network partner",
        "google",
        "windows nt",
        "khtml",
        "gecko",
        "aes128gcm",
        "gts ca",
        "europeberlin",
        "frankfurt",
        "main",
        "sign",
        "people search",
        "state directory",
        "join browse",
        "nail salons",
        "popular",
        "the local",
        "nearby",
        "strong",
        "use my",
        "fakealert",
        "zpevdo"
      ],
      "references": [
        "https://www.superpages.com/denver-co/bpp/amp/therahand-472908110",
        "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer",
        "Hybrid Analysis via AlienVault OTX Extraction Details",
        "Extensive research",
        "Data Analysis",
        "Comparative Analysis",
        "Content servers: https://c.ypcdn.com/",
        "https://www.superpages.com/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Maltiverse",
          "display_name": "Maltiverse",
          "target": null
        },
        {
          "id": "WebToolbar",
          "display_name": "WebToolbar",
          "target": null
        },
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "XRat",
          "display_name": "XRat",
          "target": null
        },
        {
          "id": "Backdoor:Win32/Zbot",
          "display_name": "Backdoor:Win32/Zbot",
          "target": "/malware/Backdoor:Win32/Zbot"
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "ALF:JASYP:PUA:Win32/Systweak",
          "display_name": "ALF:JASYP:PUA:Win32/Systweak",
          "target": null
        },
        {
          "id": "FormBook",
          "display_name": "FormBook",
          "target": null
        },
        {
          "id": "Worm:Win32/Nimda",
          "display_name": "Worm:Win32/Nimda",
          "target": "/malware/Worm:Win32/Nimda"
        },
        {
          "id": "HackTool:Win32/Crack",
          "display_name": "HackTool:Win32/Crack",
          "target": "/malware/HackTool:Win32/Crack"
        },
        {
          "id": "ALF:PUA:Win32/OpenCandy",
          "display_name": "ALF:PUA:Win32/OpenCandy",
          "target": null
        },
        {
          "id": "Trojan:Win32/Wacatac",
          "display_name": "Trojan:Win32/Wacatac",
          "target": "/malware/Trojan:Win32/Wacatac"
        },
        {
          "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
          "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
          "target": null
        },
        {
          "id": "HackTool:PowerShell/Mimikatz",
          "display_name": "HackTool:PowerShell/Mimikatz",
          "target": "/malware/HackTool:PowerShell/Mimikatz"
        },
        {
          "id": "ALF:Program:Win32/Mediaget",
          "display_name": "ALF:Program:Win32/Mediaget",
          "target": null
        },
        {
          "id": "Trojan:Win32/Qbot",
          "display_name": "Trojan:Win32/Qbot",
          "target": "/malware/Trojan:Win32/Qbot"
        },
        {
          "id": "Worm:Win32/Acint",
          "display_name": "Worm:Win32/Acint",
          "target": "/malware/Worm:Win32/Acint"
        },
        {
          "id": "Adwind RAT",
          "display_name": "Adwind RAT",
          "target": null
        },
        {
          "id": "Trojan:Win32/Tiggre",
          "display_name": "Trojan:Win32/Tiggre",
          "target": "/malware/Trojan:Win32/Tiggre"
        },
        {
          "id": "Virus:DOS/Better_Tomorrow",
          "display_name": "Virus:DOS/Better_Tomorrow",
          "target": "/malware/Virus:DOS/Better_Tomorrow"
        },
        {
          "id": "Pony",
          "display_name": "Pony",
          "target": null
        },
        {
          "id": "ALF:PUA:Win32/Rostpay",
          "display_name": "ALF:PUA:Win32/Rostpay",
          "target": null
        },
        {
          "id": "NirCmd",
          "display_name": "NirCmd",
          "target": null
        },
        {
          "id": "Quasar RAT",
          "display_name": "Quasar RAT",
          "target": null
        },
        {
          "id": "trojanx",
          "display_name": "trojanx",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
          "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
          "target": null
        },
        {
          "id": "Trojan:Win32/Fuery",
          "display_name": "Trojan:Win32/Fuery",
          "target": "/malware/Trojan:Win32/Fuery"
        },
        {
          "id": "Trojan:Win32/Filetour",
          "display_name": "Trojan:Win32/Filetour",
          "target": "/malware/Trojan:Win32/Filetour"
        },
        {
          "id": "ALF:PUA:Win32/IObit",
          "display_name": "ALF:PUA:Win32/IObit",
          "target": null
        },
        {
          "id": "ALF:Cert:InstallPack",
          "display_name": "ALF:Cert:InstallPack",
          "target": null
        },
        {
          "id": "Ransom:Win32/WannaCrypt",
          "display_name": "Ransom:Win32/WannaCrypt",
          "target": "/malware/Ransom:Win32/WannaCrypt"
        },
        {
          "id": "TROJ_FRS.VSN1EA19",
          "display_name": "TROJ_FRS.VSN1EA19",
          "target": null
        },
        {
          "id": "PE.Heur",
          "display_name": "PE.Heur",
          "target": null
        },
        {
          "id": "Slimware.a",
          "display_name": "Slimware.a",
          "target": null
        },
        {
          "id": "PhishingMS.ABC",
          "display_name": "PhishingMS.ABC",
          "target": null
        },
        {
          "id": "FileRepMetagen [PUP]",
          "display_name": "FileRepMetagen [PUP]",
          "target": null
        },
        {
          "id": "malicious.35bb6b",
          "display_name": "malicious.35bb6b",
          "target": null
        },
        {
          "id": "Agent.3132311",
          "display_name": "Agent.3132311",
          "target": null
        },
        {
          "id": "virus.html.gen03",
          "display_name": "virus.html.gen03",
          "target": null
        },
        {
          "id": "BU",
          "display_name": "BU",
          "target": null
        },
        {
          "id": "Trojan:Win32/Presenoker",
          "display_name": "Trojan:Win32/Presenoker",
          "target": "/malware/Trojan:Win32/Presenoker"
        },
        {
          "id": "Trojan:Win32/Swrort",
          "display_name": "Trojan:Win32/Swrort",
          "target": "/malware/Trojan:Win32/Swrort"
        },
        {
          "id": "ALF:PUA:Win32/Funshion",
          "display_name": "ALF:PUA:Win32/Funshion",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6523978d9bc58273e16261a6",
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 14,
        "hostname": 313,
        "FileHash-MD5": 187,
        "FileHash-SHA1": 102,
        "domain": 115,
        "URL": 134,
        "FileHash-SHA256": 169,
        "FilePath": 1,
        "CIDR": 1
      },
      "indicator_count": 1036,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 221,
      "modified_text": "936 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "653f1cc68d8465d74f49192f",
      "name": "Ransom:Win32/WannaCrypt",
      "description": "",
      "modified": "2023-11-08T04:04:40.217000",
      "created": "2023-10-30T03:02:30.391000",
      "tags": [
        "heur",
        "united",
        "malicious site",
        "phishing site",
        "malware",
        "anonymisation",
        "ibm xforce",
        "exchange",
        "unsafe",
        "artemis",
        "formbook",
        "downloader",
        "facebook",
        "bank",
        "download",
        "union",
        "fuery",
        "team",
        "qbot",
        "bankerx",
        "riskware",
        "dropper",
        "nimda",
        "swrort",
        "unruy",
        "adwind",
        "trojanx",
        "crack",
        "win64",
        "agent",
        "generic",
        "alexa top",
        "million",
        "team top",
        "site",
        "cisco umbrella",
        "safe site",
        "malware site",
        "iframe",
        "opencandy",
        "exploit",
        "zbot",
        "nircmd",
        "acint",
        "downldr",
        "tiggre",
        "presenoker",
        "filetour",
        "cleaner",
        "conduit",
        "wacatac",
        "quasar rat",
        "mimikatz",
        "pony",
        "funshion",
        "mywebsearch",
        "rostpay",
        "iobit",
        "mediaget",
        "systweak",
        "behav",
        "genkryptik",
        "phishing",
        "alexa",
        "installpack",
        "xtrat",
        "webtoolbar",
        "trojanspy",
        "detection list",
        "blacklist http",
        "bottom3",
        "sig10vr3b813",
        "lcid1033",
        "smlen",
        "spn224",
        "bv7uet92ww",
        "blacklist",
        "denver",
        "s tamarac",
        "dr ste",
        "therapists",
        "centennial",
        "therahand",
        "review",
        "physical",
        "tomorrow",
        "hours mon",
        "dpt",
        "404",
        "gettr",
        "whois record",
        "referrer",
        "historical ssl",
        "contacted",
        "communicating",
        "resolutions",
        "whois whois",
        "whois ssl",
        "ssl certificate",
        "bottom3 http",
        "FileRepMetagen",
        "evasive,hyteod,ransomware",
        "AI_Score_52%",
        "ATT&CK fonts.gstatic.com",
        "mitre",
        "button",
        "path",
        "input",
        "form",
        "malicious url",
        "paypal",
        "team phishing",
        "filerepmetagen",
        "azorult",
        "service",
        "runescape",
        "business url",
        "delivery optout",
        "superpages url",
        "us url",
        "network partner",
        "google",
        "windows nt",
        "khtml",
        "gecko",
        "aes128gcm",
        "gts ca",
        "europeberlin",
        "frankfurt",
        "main",
        "sign",
        "people search",
        "state directory",
        "join browse",
        "nail salons",
        "popular",
        "the local",
        "nearby",
        "strong",
        "use my",
        "fakealert",
        "zpevdo"
      ],
      "references": [
        "https://www.superpages.com/denver-co/bpp/amp/therahand-472908110",
        "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer",
        "Hybrid Analysis via AlienVault OTX Extraction Details",
        "Extensive research",
        "Data Analysis",
        "Comparative Analysis",
        "Content servers: https://c.ypcdn.com/",
        "https://www.superpages.com/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Maltiverse",
          "display_name": "Maltiverse",
          "target": null
        },
        {
          "id": "WebToolbar",
          "display_name": "WebToolbar",
          "target": null
        },
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "XRat",
          "display_name": "XRat",
          "target": null
        },
        {
          "id": "Backdoor:Win32/Zbot",
          "display_name": "Backdoor:Win32/Zbot",
          "target": "/malware/Backdoor:Win32/Zbot"
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "ALF:JASYP:PUA:Win32/Systweak",
          "display_name": "ALF:JASYP:PUA:Win32/Systweak",
          "target": null
        },
        {
          "id": "FormBook",
          "display_name": "FormBook",
          "target": null
        },
        {
          "id": "Worm:Win32/Nimda",
          "display_name": "Worm:Win32/Nimda",
          "target": "/malware/Worm:Win32/Nimda"
        },
        {
          "id": "HackTool:Win32/Crack",
          "display_name": "HackTool:Win32/Crack",
          "target": "/malware/HackTool:Win32/Crack"
        },
        {
          "id": "ALF:PUA:Win32/OpenCandy",
          "display_name": "ALF:PUA:Win32/OpenCandy",
          "target": null
        },
        {
          "id": "Trojan:Win32/Wacatac",
          "display_name": "Trojan:Win32/Wacatac",
          "target": "/malware/Trojan:Win32/Wacatac"
        },
        {
          "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
          "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
          "target": null
        },
        {
          "id": "HackTool:PowerShell/Mimikatz",
          "display_name": "HackTool:PowerShell/Mimikatz",
          "target": "/malware/HackTool:PowerShell/Mimikatz"
        },
        {
          "id": "ALF:Program:Win32/Mediaget",
          "display_name": "ALF:Program:Win32/Mediaget",
          "target": null
        },
        {
          "id": "Trojan:Win32/Qbot",
          "display_name": "Trojan:Win32/Qbot",
          "target": "/malware/Trojan:Win32/Qbot"
        },
        {
          "id": "Worm:Win32/Acint",
          "display_name": "Worm:Win32/Acint",
          "target": "/malware/Worm:Win32/Acint"
        },
        {
          "id": "Adwind RAT",
          "display_name": "Adwind RAT",
          "target": null
        },
        {
          "id": "Trojan:Win32/Tiggre",
          "display_name": "Trojan:Win32/Tiggre",
          "target": "/malware/Trojan:Win32/Tiggre"
        },
        {
          "id": "Virus:DOS/Better_Tomorrow",
          "display_name": "Virus:DOS/Better_Tomorrow",
          "target": "/malware/Virus:DOS/Better_Tomorrow"
        },
        {
          "id": "Pony",
          "display_name": "Pony",
          "target": null
        },
        {
          "id": "ALF:PUA:Win32/Rostpay",
          "display_name": "ALF:PUA:Win32/Rostpay",
          "target": null
        },
        {
          "id": "NirCmd",
          "display_name": "NirCmd",
          "target": null
        },
        {
          "id": "Quasar RAT",
          "display_name": "Quasar RAT",
          "target": null
        },
        {
          "id": "trojanx",
          "display_name": "trojanx",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
          "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
          "target": null
        },
        {
          "id": "Trojan:Win32/Fuery",
          "display_name": "Trojan:Win32/Fuery",
          "target": "/malware/Trojan:Win32/Fuery"
        },
        {
          "id": "Trojan:Win32/Filetour",
          "display_name": "Trojan:Win32/Filetour",
          "target": "/malware/Trojan:Win32/Filetour"
        },
        {
          "id": "ALF:PUA:Win32/IObit",
          "display_name": "ALF:PUA:Win32/IObit",
          "target": null
        },
        {
          "id": "ALF:Cert:InstallPack",
          "display_name": "ALF:Cert:InstallPack",
          "target": null
        },
        {
          "id": "Ransom:Win32/WannaCrypt",
          "display_name": "Ransom:Win32/WannaCrypt",
          "target": "/malware/Ransom:Win32/WannaCrypt"
        },
        {
          "id": "TROJ_FRS.VSN1EA19",
          "display_name": "TROJ_FRS.VSN1EA19",
          "target": null
        },
        {
          "id": "PE.Heur",
          "display_name": "PE.Heur",
          "target": null
        },
        {
          "id": "Slimware.a",
          "display_name": "Slimware.a",
          "target": null
        },
        {
          "id": "PhishingMS.ABC",
          "display_name": "PhishingMS.ABC",
          "target": null
        },
        {
          "id": "FileRepMetagen [PUP]",
          "display_name": "FileRepMetagen [PUP]",
          "target": null
        },
        {
          "id": "malicious.35bb6b",
          "display_name": "malicious.35bb6b",
          "target": null
        },
        {
          "id": "Agent.3132311",
          "display_name": "Agent.3132311",
          "target": null
        },
        {
          "id": "virus.html.gen03",
          "display_name": "virus.html.gen03",
          "target": null
        },
        {
          "id": "BU",
          "display_name": "BU",
          "target": null
        },
        {
          "id": "Trojan:Win32/Presenoker",
          "display_name": "Trojan:Win32/Presenoker",
          "target": "/malware/Trojan:Win32/Presenoker"
        },
        {
          "id": "Trojan:Win32/Swrort",
          "display_name": "Trojan:Win32/Swrort",
          "target": "/malware/Trojan:Win32/Swrort"
        },
        {
          "id": "ALF:PUA:Win32/Funshion",
          "display_name": "ALF:PUA:Win32/Funshion",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6523978d9bc58273e16261a6",
      "export_count": 23,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 14,
        "hostname": 313,
        "FileHash-MD5": 187,
        "FileHash-SHA1": 102,
        "domain": 115,
        "URL": 134,
        "FileHash-SHA256": 169,
        "FilePath": 1,
        "CIDR": 1
      },
      "indicator_count": 1036,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 220,
      "modified_text": "936 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "653f21acc5a187c1be5fcc90",
      "name": "Multiple Antagonist",
      "description": "",
      "modified": "2023-11-08T04:04:40.217000",
      "created": "2023-10-30T03:23:24.863000",
      "tags": [
        "heur",
        "united",
        "malicious site",
        "phishing site",
        "malware",
        "anonymisation",
        "ibm xforce",
        "exchange",
        "unsafe",
        "artemis",
        "formbook",
        "downloader",
        "facebook",
        "bank",
        "download",
        "union",
        "fuery",
        "team",
        "qbot",
        "bankerx",
        "riskware",
        "dropper",
        "nimda",
        "swrort",
        "unruy",
        "adwind",
        "trojanx",
        "crack",
        "win64",
        "agent",
        "generic",
        "alexa top",
        "million",
        "team top",
        "site",
        "cisco umbrella",
        "safe site",
        "malware site",
        "iframe",
        "opencandy",
        "exploit",
        "zbot",
        "nircmd",
        "acint",
        "downldr",
        "tiggre",
        "presenoker",
        "filetour",
        "cleaner",
        "conduit",
        "wacatac",
        "quasar rat",
        "mimikatz",
        "pony",
        "funshion",
        "mywebsearch",
        "rostpay",
        "iobit",
        "mediaget",
        "systweak",
        "behav",
        "genkryptik",
        "phishing",
        "alexa",
        "installpack",
        "xtrat",
        "webtoolbar",
        "trojanspy",
        "detection list",
        "blacklist http",
        "bottom3",
        "sig10vr3b813",
        "lcid1033",
        "smlen",
        "spn224",
        "bv7uet92ww",
        "blacklist",
        "denver",
        "s tamarac",
        "dr ste",
        "therapists",
        "centennial",
        "therahand",
        "review",
        "physical",
        "tomorrow",
        "hours mon",
        "dpt",
        "404",
        "gettr",
        "whois record",
        "referrer",
        "historical ssl",
        "contacted",
        "communicating",
        "resolutions",
        "whois whois",
        "whois ssl",
        "ssl certificate",
        "bottom3 http",
        "FileRepMetagen",
        "evasive,hyteod,ransomware",
        "AI_Score_52%",
        "ATT&CK fonts.gstatic.com",
        "mitre",
        "button",
        "path",
        "input",
        "form",
        "malicious url",
        "paypal",
        "team phishing",
        "filerepmetagen",
        "azorult",
        "service",
        "runescape",
        "business url",
        "delivery optout",
        "superpages url",
        "us url",
        "network partner",
        "google",
        "windows nt",
        "khtml",
        "gecko",
        "aes128gcm",
        "gts ca",
        "europeberlin",
        "frankfurt",
        "main",
        "sign",
        "people search",
        "state directory",
        "join browse",
        "nail salons",
        "popular",
        "the local",
        "nearby",
        "strong",
        "use my",
        "fakealert",
        "zpevdo"
      ],
      "references": [
        "https://www.superpages.com/denver-co/bpp/amp/therahand-472908110",
        "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer",
        "Hybrid Analysis via AlienVault OTX Extraction Details",
        "Extensive research",
        "Data Analysis",
        "Comparative Analysis",
        "Content servers: https://c.ypcdn.com/",
        "https://www.superpages.com/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Maltiverse",
          "display_name": "Maltiverse",
          "target": null
        },
        {
          "id": "WebToolbar",
          "display_name": "WebToolbar",
          "target": null
        },
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "XRat",
          "display_name": "XRat",
          "target": null
        },
        {
          "id": "Backdoor:Win32/Zbot",
          "display_name": "Backdoor:Win32/Zbot",
          "target": "/malware/Backdoor:Win32/Zbot"
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "ALF:JASYP:PUA:Win32/Systweak",
          "display_name": "ALF:JASYP:PUA:Win32/Systweak",
          "target": null
        },
        {
          "id": "FormBook",
          "display_name": "FormBook",
          "target": null
        },
        {
          "id": "Worm:Win32/Nimda",
          "display_name": "Worm:Win32/Nimda",
          "target": "/malware/Worm:Win32/Nimda"
        },
        {
          "id": "HackTool:Win32/Crack",
          "display_name": "HackTool:Win32/Crack",
          "target": "/malware/HackTool:Win32/Crack"
        },
        {
          "id": "ALF:PUA:Win32/OpenCandy",
          "display_name": "ALF:PUA:Win32/OpenCandy",
          "target": null
        },
        {
          "id": "Trojan:Win32/Wacatac",
          "display_name": "Trojan:Win32/Wacatac",
          "target": "/malware/Trojan:Win32/Wacatac"
        },
        {
          "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
          "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
          "target": null
        },
        {
          "id": "HackTool:PowerShell/Mimikatz",
          "display_name": "HackTool:PowerShell/Mimikatz",
          "target": "/malware/HackTool:PowerShell/Mimikatz"
        },
        {
          "id": "ALF:Program:Win32/Mediaget",
          "display_name": "ALF:Program:Win32/Mediaget",
          "target": null
        },
        {
          "id": "Trojan:Win32/Qbot",
          "display_name": "Trojan:Win32/Qbot",
          "target": "/malware/Trojan:Win32/Qbot"
        },
        {
          "id": "Worm:Win32/Acint",
          "display_name": "Worm:Win32/Acint",
          "target": "/malware/Worm:Win32/Acint"
        },
        {
          "id": "Adwind RAT",
          "display_name": "Adwind RAT",
          "target": null
        },
        {
          "id": "Trojan:Win32/Tiggre",
          "display_name": "Trojan:Win32/Tiggre",
          "target": "/malware/Trojan:Win32/Tiggre"
        },
        {
          "id": "Virus:DOS/Better_Tomorrow",
          "display_name": "Virus:DOS/Better_Tomorrow",
          "target": "/malware/Virus:DOS/Better_Tomorrow"
        },
        {
          "id": "Pony",
          "display_name": "Pony",
          "target": null
        },
        {
          "id": "ALF:PUA:Win32/Rostpay",
          "display_name": "ALF:PUA:Win32/Rostpay",
          "target": null
        },
        {
          "id": "NirCmd",
          "display_name": "NirCmd",
          "target": null
        },
        {
          "id": "Quasar RAT",
          "display_name": "Quasar RAT",
          "target": null
        },
        {
          "id": "trojanx",
          "display_name": "trojanx",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
          "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
          "target": null
        },
        {
          "id": "Trojan:Win32/Fuery",
          "display_name": "Trojan:Win32/Fuery",
          "target": "/malware/Trojan:Win32/Fuery"
        },
        {
          "id": "Trojan:Win32/Filetour",
          "display_name": "Trojan:Win32/Filetour",
          "target": "/malware/Trojan:Win32/Filetour"
        },
        {
          "id": "ALF:PUA:Win32/IObit",
          "display_name": "ALF:PUA:Win32/IObit",
          "target": null
        },
        {
          "id": "ALF:Cert:InstallPack",
          "display_name": "ALF:Cert:InstallPack",
          "target": null
        },
        {
          "id": "Ransom:Win32/WannaCrypt",
          "display_name": "Ransom:Win32/WannaCrypt",
          "target": "/malware/Ransom:Win32/WannaCrypt"
        },
        {
          "id": "TROJ_FRS.VSN1EA19",
          "display_name": "TROJ_FRS.VSN1EA19",
          "target": null
        },
        {
          "id": "PE.Heur",
          "display_name": "PE.Heur",
          "target": null
        },
        {
          "id": "Slimware.a",
          "display_name": "Slimware.a",
          "target": null
        },
        {
          "id": "PhishingMS.ABC",
          "display_name": "PhishingMS.ABC",
          "target": null
        },
        {
          "id": "FileRepMetagen [PUP]",
          "display_name": "FileRepMetagen [PUP]",
          "target": null
        },
        {
          "id": "malicious.35bb6b",
          "display_name": "malicious.35bb6b",
          "target": null
        },
        {
          "id": "Agent.3132311",
          "display_name": "Agent.3132311",
          "target": null
        },
        {
          "id": "virus.html.gen03",
          "display_name": "virus.html.gen03",
          "target": null
        },
        {
          "id": "BU",
          "display_name": "BU",
          "target": null
        },
        {
          "id": "Trojan:Win32/Presenoker",
          "display_name": "Trojan:Win32/Presenoker",
          "target": "/malware/Trojan:Win32/Presenoker"
        },
        {
          "id": "Trojan:Win32/Swrort",
          "display_name": "Trojan:Win32/Swrort",
          "target": "/malware/Trojan:Win32/Swrort"
        },
        {
          "id": "ALF:PUA:Win32/Funshion",
          "display_name": "ALF:PUA:Win32/Funshion",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "652396e713c1ed328a30e252",
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 14,
        "hostname": 313,
        "FileHash-MD5": 187,
        "FileHash-SHA1": 102,
        "domain": 115,
        "URL": 134,
        "FileHash-SHA256": 169,
        "FilePath": 1,
        "CIDR": 1
      },
      "indicator_count": 1036,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 221,
      "modified_text": "936 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "653fd3ed0900058de627cebc",
      "name": "Multiple Antagonist",
      "description": "",
      "modified": "2023-11-08T04:04:40.217000",
      "created": "2023-10-30T16:03:57.322000",
      "tags": [
        "heur",
        "united",
        "malicious site",
        "phishing site",
        "malware",
        "anonymisation",
        "ibm xforce",
        "exchange",
        "unsafe",
        "artemis",
        "formbook",
        "downloader",
        "facebook",
        "bank",
        "download",
        "union",
        "fuery",
        "team",
        "qbot",
        "bankerx",
        "riskware",
        "dropper",
        "nimda",
        "swrort",
        "unruy",
        "adwind",
        "trojanx",
        "crack",
        "win64",
        "agent",
        "generic",
        "alexa top",
        "million",
        "team top",
        "site",
        "cisco umbrella",
        "safe site",
        "malware site",
        "iframe",
        "opencandy",
        "exploit",
        "zbot",
        "nircmd",
        "acint",
        "downldr",
        "tiggre",
        "presenoker",
        "filetour",
        "cleaner",
        "conduit",
        "wacatac",
        "quasar rat",
        "mimikatz",
        "pony",
        "funshion",
        "mywebsearch",
        "rostpay",
        "iobit",
        "mediaget",
        "systweak",
        "behav",
        "genkryptik",
        "phishing",
        "alexa",
        "installpack",
        "xtrat",
        "webtoolbar",
        "trojanspy",
        "detection list",
        "blacklist http",
        "bottom3",
        "sig10vr3b813",
        "lcid1033",
        "smlen",
        "spn224",
        "bv7uet92ww",
        "blacklist",
        "denver",
        "s tamarac",
        "dr ste",
        "therapists",
        "centennial",
        "therahand",
        "review",
        "physical",
        "tomorrow",
        "hours mon",
        "dpt",
        "404",
        "gettr",
        "whois record",
        "referrer",
        "historical ssl",
        "contacted",
        "communicating",
        "resolutions",
        "whois whois",
        "whois ssl",
        "ssl certificate",
        "bottom3 http",
        "FileRepMetagen",
        "evasive,hyteod,ransomware",
        "AI_Score_52%",
        "ATT&CK fonts.gstatic.com",
        "mitre",
        "button",
        "path",
        "input",
        "form",
        "malicious url",
        "paypal",
        "team phishing",
        "filerepmetagen",
        "azorult",
        "service",
        "runescape",
        "business url",
        "delivery optout",
        "superpages url",
        "us url",
        "network partner",
        "google",
        "windows nt",
        "khtml",
        "gecko",
        "aes128gcm",
        "gts ca",
        "europeberlin",
        "frankfurt",
        "main",
        "sign",
        "people search",
        "state directory",
        "join browse",
        "nail salons",
        "popular",
        "the local",
        "nearby",
        "strong",
        "use my",
        "fakealert",
        "zpevdo"
      ],
      "references": [
        "https://www.superpages.com/denver-co/bpp/amp/therahand-472908110",
        "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer",
        "Hybrid Analysis via AlienVault OTX Extraction Details",
        "Extensive research",
        "Data Analysis",
        "Comparative Analysis",
        "Content servers: https://c.ypcdn.com/",
        "https://www.superpages.com/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Maltiverse",
          "display_name": "Maltiverse",
          "target": null
        },
        {
          "id": "WebToolbar",
          "display_name": "WebToolbar",
          "target": null
        },
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "XRat",
          "display_name": "XRat",
          "target": null
        },
        {
          "id": "Backdoor:Win32/Zbot",
          "display_name": "Backdoor:Win32/Zbot",
          "target": "/malware/Backdoor:Win32/Zbot"
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "ALF:JASYP:PUA:Win32/Systweak",
          "display_name": "ALF:JASYP:PUA:Win32/Systweak",
          "target": null
        },
        {
          "id": "FormBook",
          "display_name": "FormBook",
          "target": null
        },
        {
          "id": "Worm:Win32/Nimda",
          "display_name": "Worm:Win32/Nimda",
          "target": "/malware/Worm:Win32/Nimda"
        },
        {
          "id": "HackTool:Win32/Crack",
          "display_name": "HackTool:Win32/Crack",
          "target": "/malware/HackTool:Win32/Crack"
        },
        {
          "id": "ALF:PUA:Win32/OpenCandy",
          "display_name": "ALF:PUA:Win32/OpenCandy",
          "target": null
        },
        {
          "id": "Trojan:Win32/Wacatac",
          "display_name": "Trojan:Win32/Wacatac",
          "target": "/malware/Trojan:Win32/Wacatac"
        },
        {
          "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
          "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
          "target": null
        },
        {
          "id": "HackTool:PowerShell/Mimikatz",
          "display_name": "HackTool:PowerShell/Mimikatz",
          "target": "/malware/HackTool:PowerShell/Mimikatz"
        },
        {
          "id": "ALF:Program:Win32/Mediaget",
          "display_name": "ALF:Program:Win32/Mediaget",
          "target": null
        },
        {
          "id": "Trojan:Win32/Qbot",
          "display_name": "Trojan:Win32/Qbot",
          "target": "/malware/Trojan:Win32/Qbot"
        },
        {
          "id": "Worm:Win32/Acint",
          "display_name": "Worm:Win32/Acint",
          "target": "/malware/Worm:Win32/Acint"
        },
        {
          "id": "Adwind RAT",
          "display_name": "Adwind RAT",
          "target": null
        },
        {
          "id": "Trojan:Win32/Tiggre",
          "display_name": "Trojan:Win32/Tiggre",
          "target": "/malware/Trojan:Win32/Tiggre"
        },
        {
          "id": "Virus:DOS/Better_Tomorrow",
          "display_name": "Virus:DOS/Better_Tomorrow",
          "target": "/malware/Virus:DOS/Better_Tomorrow"
        },
        {
          "id": "Pony",
          "display_name": "Pony",
          "target": null
        },
        {
          "id": "ALF:PUA:Win32/Rostpay",
          "display_name": "ALF:PUA:Win32/Rostpay",
          "target": null
        },
        {
          "id": "NirCmd",
          "display_name": "NirCmd",
          "target": null
        },
        {
          "id": "Quasar RAT",
          "display_name": "Quasar RAT",
          "target": null
        },
        {
          "id": "trojanx",
          "display_name": "trojanx",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
          "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy",
          "target": null
        },
        {
          "id": "Trojan:Win32/Fuery",
          "display_name": "Trojan:Win32/Fuery",
          "target": "/malware/Trojan:Win32/Fuery"
        },
        {
          "id": "Trojan:Win32/Filetour",
          "display_name": "Trojan:Win32/Filetour",
          "target": "/malware/Trojan:Win32/Filetour"
        },
        {
          "id": "ALF:PUA:Win32/IObit",
          "display_name": "ALF:PUA:Win32/IObit",
          "target": null
        },
        {
          "id": "ALF:Cert:InstallPack",
          "display_name": "ALF:Cert:InstallPack",
          "target": null
        },
        {
          "id": "Ransom:Win32/WannaCrypt",
          "display_name": "Ransom:Win32/WannaCrypt",
          "target": "/malware/Ransom:Win32/WannaCrypt"
        },
        {
          "id": "TROJ_FRS.VSN1EA19",
          "display_name": "TROJ_FRS.VSN1EA19",
          "target": null
        },
        {
          "id": "PE.Heur",
          "display_name": "PE.Heur",
          "target": null
        },
        {
          "id": "Slimware.a",
          "display_name": "Slimware.a",
          "target": null
        },
        {
          "id": "PhishingMS.ABC",
          "display_name": "PhishingMS.ABC",
          "target": null
        },
        {
          "id": "FileRepMetagen [PUP]",
          "display_name": "FileRepMetagen [PUP]",
          "target": null
        },
        {
          "id": "malicious.35bb6b",
          "display_name": "malicious.35bb6b",
          "target": null
        },
        {
          "id": "Agent.3132311",
          "display_name": "Agent.3132311",
          "target": null
        },
        {
          "id": "virus.html.gen03",
          "display_name": "virus.html.gen03",
          "target": null
        },
        {
          "id": "BU",
          "display_name": "BU",
          "target": null
        },
        {
          "id": "Trojan:Win32/Presenoker",
          "display_name": "Trojan:Win32/Presenoker",
          "target": "/malware/Trojan:Win32/Presenoker"
        },
        {
          "id": "Trojan:Win32/Swrort",
          "display_name": "Trojan:Win32/Swrort",
          "target": "/malware/Trojan:Win32/Swrort"
        },
        {
          "id": "ALF:PUA:Win32/Funshion",
          "display_name": "ALF:PUA:Win32/Funshion",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "653f21acc5a187c1be5fcc90",
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 14,
        "hostname": 313,
        "FileHash-MD5": 187,
        "FileHash-SHA1": 102,
        "domain": 115,
        "URL": 134,
        "FileHash-SHA256": 169,
        "FilePath": 1,
        "CIDR": 1
      },
      "indicator_count": 1036,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 228,
      "modified_text": "936 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "registry.google",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "registry.google",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780351065.0811932
}