{
"type": "Domain",
"indicator": "remail.com",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/remail.com",
"alexa": "http://www.alexa.com/siteinfo/remail.com",
"indicator": "remail.com",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 2828986547,
"indicator": "remail.com",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 48,
"pulses": [
{
"id": "69544c73467a9c3858556698",
"name": "Mira Malware Drive By Compromise Google.com search engine | Microsoft | Apple",
"description": "Microsoft Mira Malware Drive By Compromise Google.com.\n Device infected with MyDoom zombie maker. \nEstablished user location, screen captures, corrupted Apple device via Google search engine browser redirect. Attack began 12.30.2025 past midnight. Threat actor powered on cameras, microphones, and preformed their hacker intentions. #stateofcolorado",
"modified": "2026-01-29T21:02:54.448000",
"created": "2025-12-30T22:04:35.565000",
"tags": [
"content",
"kb body",
"p3p cp",
"date tue",
"gmt server",
"html info",
"12.30.2025",
"urls",
"url add",
"http",
"ip address",
"related nids",
"files location",
"united",
"flag united",
"handle",
"address range",
"cidr",
"network name",
"allocation type",
"assigned pa",
"status",
"whois server",
"ripe ncc",
"ripe network",
"abuse contact",
"orgid",
"address",
"orgabuseref",
"postalcode",
"ripe",
"email",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"ssl certificate",
"execution",
"google llc",
"ascii text",
"mitre att",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"data upload",
"extraction",
"ta0004",
"evasion ta0005",
"injection t1055",
"t1055",
"col ta0011",
"l t1071",
"encrypted ch",
"t1573",
"present nov",
"present oct",
"certificate",
"present dec",
"aaaa",
"search",
"servers",
"record value",
"emails",
"title",
"leveidiuelabs",
"include",
"review",
"exclude data",
"suggested ogs",
"find s",
"command decode",
"development att",
"initial access",
"t1189 driveby",
"html",
"execution att",
"href",
"size",
"pattern match",
"filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"medium risk",
"malware",
"trojan",
"mira malware",
"push",
"dynamicloader",
"windows nt",
"msie",
"wow64",
"slcc2",
"media center",
"yara rule",
"program",
"runtime error",
"medium",
"python",
"win64",
"unknown",
"guard",
"accept",
"write",
"launcher",
"updater",
"smartassembly",
"delphi",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"copy",
"next",
"mydoom checkin",
"win32mydoom dec",
"name servers",
"creation date",
"passive dns",
"domain",
"expiration date",
"hostname",
"date",
"google chrome",
"screen capture",
"locate human",
"target",
"black hat",
"apple",
"microsoft",
"google",
"stateofcolorado",
"christopher ahmann",
"brian sabey"
],
"references": [
"Google.com sorry not sorry index | https://www.google.com/search",
"cb=loaded_h_0&sei=7xhUabPOD4LmwN4P57CMuQc 2025",
"redirector.gvt1.com",
"Names: cb=loaded_h_0&sei=7xhUabPOD4LmwN4P57CMuQc",
"microsoft-falcon.net",
"hattchett.ddns.net",
"Office Open XML Spreadsheet: jnlwore.exe \u2022 Office Open: XML Spreadsheet \u2022 logs.xlsx",
"XML: sharedStrings.xml \u2022Text: blacklist-6649dcf91af1d.csv",
"https://www.virustotal.com/gui/file/de41f4d690511126ce2b8b5df3c0ffdde792df495ea6bb9fe2fec5f8b175e408/summary",
"x-hallmonitor-challenge CgwI-LPQygYQwp6yigISBGuywgs",
"https://www.google.com/sorry/index \u2022 http://g.co/p3p...-> g.co",
"https://7849f20f.open.convertkit-mail2.com/68une4gx9xi8h50394ziohpe59okkh9hdg44x",
"Microsoft Corporation: FileVersion: 1.0.0.155 Microsoft Corporation Legal Trademark: Mira Malware",
"Yara Detections SUSP_Imphash_Mar23_2",
"https://otx.alienvault.com/indicator/hostname/mx-in-ma.apple.com",
"userlocation-prod.ingress.kors.microsoft-falcon.net ->",
"\u4e3b\u9875\uff0c\u6574\u4e2a\u4e16\u754c X + < \u2192 C \u2022 hao.360.com/?src=lm&ls=n6abbbb598c ->",
"To get future Google Chrome updates, you'll need"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/Mira",
"display_name": "Trojan:Win32/Mira",
"target": "/malware/Trojan:Win32/Mira"
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Mydoom Checkin",
"display_name": "Mydoom Checkin",
"target": null
}
],
"attack_ids": [
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1608.004",
"name": "Drive-by Target",
"display_name": "T1608.004 - Drive-by Target"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1048.001",
"name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol",
"display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1939,
"hostname": 1205,
"URL": 3310,
"domain": 432,
"FileHash-MD5": 396,
"CIDR": 3,
"email": 16,
"FileHash-SHA1": 373,
"SSLCertFingerprint": 13,
"CVE": 1
},
"indicator_count": 7688,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "121 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66538f4db3a8cf5fb35edbd7",
"name": "IOCs sampled w. Any[.]runs sandbox from 'logging into my UAlberta account'",
"description": "UAlberta - IOCs sampled from Any[.]Runs VM Sandbox to extract IOCs from the act of 'logging into my U of A Gmail Account' (Rogue), further analysis conducted on pcap file.\n\n-05.26.24: Need to upload pcap file IOCs (Done & Retested on 06.04.24)\n\n-CVE 2016-0101, CVE 2004-0932",
"modified": "2025-10-16T15:04:01.169000",
"created": "2024-05-26T19:36:45.007000",
"tags": [
"please",
"javascript",
"relaystatehttps",
"UAlberta"
],
"references": [
"https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e/iocs",
"https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e/graph",
"https://www.virustotal.com/gui/collection/7282647dbf53915db766e8afd03c485ab3596962670c15c427206ce174ca78f0/iocs",
"hxxps://tria[.]ge/240604-tnwvzsce3s",
"hxxps://viz[.]greynoise[.]io/analysis/02c0537c-d5b6-4881-bdde-9ed84a978cfe",
"Report ID: ca0154b1-39cc-44f5-9f54-a669132dff60",
"hxxps://lab[.]dynamite[.]ai/pcaps/ae3b422f-4d10-4ebc-bf35-5e19d0aaae75",
"hxxps://app[.]any[.]run/tasks/60a27c5e-ddd3-44d8-a4af-a5f90cdd4660",
"https://www.virustotal.com/graph/embed/g1283d60e0d064912af05e1ed528df7b7d1af3298065040ce9863afbea677becd?theme=dark",
"hxxps://viz.greynoise.io/analysis/0ec05e79-be67-4f45-82c4-96ca96aa007c",
"https://urlscan.io/user/submit/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 29,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 128,
"FileHash-MD5": 12,
"FileHash-SHA1": 12,
"FileHash-SHA256": 635,
"URL": 250,
"hostname": 235,
"CIDR": 27
},
"indicator_count": 1299,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 132,
"modified_text": "226 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68bbf3e40e3ce8a74aa89545",
"name": "HCPF \u2022 The intricate relationships between the FIN7 group and members of the Conti gang",
"description": "",
"modified": "2025-10-06T08:03:23.285000",
"created": "2025-09-06T08:42:12.787000",
"tags": [
"present feb",
"united",
"a domains",
"present dec",
"passive dns",
"moved",
"script domains",
"script urls",
"search",
"title",
"date",
"http traffic",
"http get",
"match info",
"downloads",
"info",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"get http",
"dns resolutions",
"number",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"corporation cus",
"algorithm",
"cnamazon rsa",
"m03 oamazon",
"thumbprint",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"ascii text",
"ogoogle trust",
"cngts ca",
"execution",
"next",
"dock",
"write",
"capture",
"persistence",
"malware",
"roboto",
"android",
"known exploited",
"google",
"salesloft drift",
"sap s4hana",
"cve202542957",
"cisa",
"sitecore",
"linux",
"france",
"meta",
"rokrat",
"lizar",
"project nemesis",
"carbanak",
"cobalt strike",
"domino",
"yara detections",
"contacted",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"malicious ids",
"detections tls",
"indicator role",
"title added",
"active related",
"entries",
"role title",
"added active",
"filehashmd5",
"ipv4"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Lizar",
"display_name": "Lizar",
"target": null
},
{
"id": "Project Nemesis",
"display_name": "Project Nemesis",
"target": null
},
{
"id": "Carbanak",
"display_name": "Carbanak",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Domino",
"display_name": "Domino",
"target": null
},
{
"id": "RokRAT",
"display_name": "RokRAT",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
}
],
"industries": [
"Hospitality",
"Financial"
],
"TLP": "green",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 539,
"FileHash-SHA1": 389,
"FileHash-SHA256": 3386,
"domain": 862,
"hostname": 1155,
"URL": 4091,
"CVE": 3,
"SSLCertFingerprint": 5
},
"indicator_count": 10430,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "237 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68aff672de7f1b65a97c00b1",
"name": "WarzoneRAT impacts Social Media of users with compromised systems",
"description": "Injection affects compromised user/s social media accounts including YouTube. Uploads to social media accounts from infected systems divert to adversary\u2019s alt YouTube media center labeled \u2018watch\u2019 instead of YouTube . Remote access observed. Threat actor has full access , cnc , devices, personal information, images, contacts, network, private information including all financial information. \n \nAlt / adversarial Pinterest, Tumblr, YouTube, Facebook, Twitter / X, Instagram , LinkedIn",
"modified": "2025-09-27T05:00:09.125000",
"created": "2025-08-28T06:25:54.794000",
"tags": [
"d10927",
"mp41",
"mp41 connection",
"r connection",
"ip address",
"dynamicloader",
"write c",
"globalc",
"medium",
"high",
"write",
"dll read",
"trojan",
"delphi",
"win32",
"dialer",
"tracking",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"defense evasion",
"spawns",
"t1590 gather",
"mitre att",
"ck matrix",
"null",
"click",
"title",
"span",
"meta",
"general",
"local",
"path",
"strings",
"refresh",
"tools",
"virgin islands",
"united",
"unknown ns",
"a domains",
"montserrat",
"passive dns",
"ipv4",
"urls",
"files",
"hosting",
"trojandropper",
"location virgin",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"item",
"has description",
"unknown",
"explorer",
"error",
"powershell",
"yara rule",
"windows",
"t1055",
"warzonerat",
"avemaria",
"virtool",
"netwire",
"malware",
"hostile",
"autoit",
"defender",
"date",
"bq aug",
"next associated",
"ipv4 add",
"resolved ips",
"get http",
"request",
"win64",
"khtml",
"gecko",
"resolutions",
"number",
"ja3s",
"algorithm",
"cnr12 cus",
"cname",
"accept",
"port",
"gmt ifnonematch",
"screenshots no",
"involved dns",
"name response",
"nxdomain",
"tcp connections",
"involved direct",
"country name",
"moved",
"alone email",
"body doctype",
"gmt server",
"content type",
"service privacy",
"cve"
],
"references": [
"http://remote.edikamin.com/",
"http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C",
"http://deposito.hostance.net/dialer/",
"Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT",
"Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net",
"DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net",
"Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1",
"simswap.in (possible Mirai or relationship to)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Virgin Islands, British"
],
"malware_families": [
{
"id": "Trojan:Win32/Diamin.F",
"display_name": "Trojan:Win32/Diamin.F",
"target": "/malware/Trojan:Win32/Diamin.F"
},
{
"id": "Dialer",
"display_name": "Dialer",
"target": null
},
{
"id": "Win32:CabMod\\ [Drp]",
"display_name": "Win32:CabMod\\ [Drp]",
"target": null
},
{
"id": "TrojanDropper:Win32/Hupigon.gen!A",
"display_name": "TrojanDropper:Win32/Hupigon.gen!A",
"target": "/malware/TrojanDropper:Win32/Hupigon.gen!A"
},
{
"id": "ALF:HeraklezEval:PUA:Win32/Keygen",
"display_name": "ALF:HeraklezEval:PUA:Win32/Keygen",
"target": null
},
{
"id": "Trojan:Win32/Startpage.AEA",
"display_name": "Trojan:Win32/Startpage.AEA",
"target": "/malware/Trojan:Win32/Startpage.AEA"
},
{
"id": "Banload",
"display_name": "Banload",
"target": null
},
{
"id": "TrojanDownloader:Win32/Banload.D",
"display_name": "TrojanDownloader:Win32/Banload.D",
"target": "/malware/TrojanDownloader:Win32/Banload.D"
},
{
"id": "Win32:Evo-gen",
"display_name": "Win32:Evo-gen",
"target": null
},
{
"id": "!#AddsCopy-ToStartup",
"display_name": "!#AddsCopy-ToStartup",
"target": null
},
{
"id": "VirTool:Win32/AutInject.CZ!bit",
"display_name": "VirTool:Win32/AutInject.CZ!bit",
"target": "/malware/VirTool:Win32/AutInject.CZ!bit"
},
{
"id": "Win.Trojan.Agent-316098",
"display_name": "Win.Trojan.Agent-316098",
"target": null
},
{
"id": "virtool:Win32/Injector.gen!BQ",
"display_name": "virtool:Win32/Injector.gen!BQ",
"target": "/malware/virtool:Win32/Injector.gen!BQ"
},
{
"id": "WarzoneRAT - S0670",
"display_name": "WarzoneRAT - S0670",
"target": null
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
}
],
"industries": [
"Technology",
"Telecommunications",
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 34,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4194,
"hostname": 1563,
"FileHash-SHA256": 2494,
"domain": 624,
"FileHash-MD5": 274,
"FileHash-SHA1": 226,
"email": 1,
"CVE": 1
},
"indicator_count": 9377,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "246 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68451577ada8bb0aa0834edb",
"name": "X - Business Social Media Account used to attack victim",
"description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.",
"modified": "2025-07-08T04:03:04.386000",
"created": "2025-06-08T04:45:43.423000",
"tags": [
"trojan",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"upxoepplace",
"pulses none",
"related tags",
"none file",
"markus",
"april",
"win32",
"copy",
"usvwu",
"usvw",
"high",
"medium",
"show",
"uss c",
"binary file",
"yara",
"write",
"delphi",
"enigma",
"present mar",
"aaaa",
"united",
"passive dns",
"date",
"present nov",
"moved",
"urls",
"creation date",
"entries",
"body",
"trojandropper",
"susp",
"msr jul",
"next associated",
"pulse pulses",
"mtb jun",
"backdoor",
"content length",
"html document",
"ascii text",
"search",
"internalname",
"entries pe",
"showing",
"filehash",
"md5 add",
"av detections",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"pattern match",
"size",
"encrypt",
"june",
"hybrid",
"local",
"path",
"click",
"twitter",
"strings",
"url https",
"url http",
"report spam",
"created",
"hours ago",
"bad actor",
"ck ids",
"t1057",
"discovery",
"t1071",
"amer",
"ipv4",
"indicator role",
"title added",
"active related",
"pulses",
"china",
"hong kong",
"russia",
"type indicator",
"role title",
"added active",
"related pulses",
"pulses url",
"filehashsha256",
"url add",
"http",
"ip address",
"related nids",
"files location",
"flag united",
"domain",
"hostname",
"next",
"filehashmd5",
"protocol",
"t1105",
"tool transfer",
"t1480"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 637,
"FileHash-SHA1": 639,
"FileHash-SHA256": 5380,
"domain": 676,
"hostname": 1120,
"URL": 1031,
"SSLCertFingerprint": 4
},
"indicator_count": 9487,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "327 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "679bdc31d9d93849b69ad652",
"name": "Google Pixel Sample 2 - 01.30.25 (unenriched)",
"description": "Google Pixel Device (Telus ISP, Protected by Norton/Lifelock)\nIOCs collected from Bitdefender Gravity Zone\n\nMight need to edit this pulse later - I think some things were imported from not just sample Pixel Device, but Sample iOS Device too (Either way IOCs from Gravity Zone from Both Devices - 'apps' would just be missing from iOS Device) - will edit later",
"modified": "2025-03-01T20:02:53.112000",
"created": "2025-01-30T20:08:17.972000",
"tags": [
"silent alert",
"pending",
"access",
"site blocked",
"host site",
"unknown",
"pdf file",
"initial access",
"persistence",
"collection",
"impact",
"execution",
"music",
"service",
"pass",
"Google",
"Pixel",
"Gravityzone",
"Apple",
"Telus",
"Norton"
],
"references": [
"https://www.virustotal.com/gui/collection/7abd6a8d54244cffa20cac97fbc790ac3fb01a5f369ce53430fa1ace25d48589/iocs",
"https://www.virustotal.com/graph/embed/g0ebb8822924a4f37914ac37300f822217aa6d1d68c5346ac9daa51110b89ed43?theme=dark",
"https://www.virustotal.com/gui/collection/7abd6a8d54244cffa20cac97fbc790ac3fb01a5f369ce53430fa1ace25d48589/summary"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Technology",
"Government",
"Healthcare",
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 207,
"FileHash-SHA1": 31,
"FileHash-SHA256": 563,
"email": 2,
"hostname": 201,
"URL": 4604,
"domain": 92
},
"indicator_count": 5700,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 130,
"modified_text": "455 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65f3e394bcf868816a29c2dc",
"name": "Google Pixel 7a Devices - Telus ISP devices 'protected' by Norton",
"description": "Exactly as above. I mean, out of all of the phones these ones make phonecalls (most of the time can send & receive calls). Can be a little tricky. Incomplete - it be doing it's own thing downloading/uploading stuff and heading down the 'way all the other phones went' route.",
"modified": "2024-11-02T15:05:54.240000",
"created": "2024-03-15T05:58:44.839000",
"tags": [
"ISP",
"Google",
"Telus",
"Norton",
"Pixel"
],
"references": [
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs",
"https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark",
"https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark",
"https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark",
"https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark",
"https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph",
"",
"https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details",
"https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network",
"http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada",
"United States of America"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Telecommunications",
"Technology",
"Government"
],
"TLP": "green",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 3,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1231,
"FileHash-SHA1": 1215,
"FileHash-SHA256": 99653,
"URL": 158638,
"domain": 49468,
"hostname": 77233,
"email": 6,
"CIDR": 5450,
"CVE": 55
},
"indicator_count": 392949,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 132,
"modified_text": "574 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "660b176a98b0c92ba5a962bc",
"name": "\"No Problems\" - UAlberta TLD (Confirmed TLD - 08.04.24) & Subdomain compromise",
"description": "Basically the above\n\n\"No Problems\", \"We are Unhackable\", etc. etc. causing problems.",
"modified": "2024-09-04T05:01:56.993000",
"created": "2024-04-01T20:22:02.851000",
"tags": [
"BEC"
],
"references": [
"https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary",
"https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs",
"https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark",
"https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark",
"https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95",
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore",
"https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom",
"https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada",
"United States of America",
"Netherlands"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Technology",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 233,
"FileHash-SHA1": 230,
"FileHash-SHA256": 6703,
"URL": 4450,
"CIDR": 3,
"domain": 6223,
"hostname": 2863,
"email": 7,
"CVE": 53
},
"indicator_count": 20765,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 130,
"modified_text": "634 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66c5dc9fa0c2264bdbb7d146",
"name": "www.ahindian.com/s/jeffrey-reimer-puts-his-love-on-top-tsara-brashears/ ",
"description": "",
"modified": "2024-08-21T12:25:03.593000",
"created": "2024-08-21T12:25:03.593000",
"tags": [
"cisco umbrella",
"site",
"malware",
"alexa top",
"team top",
"million",
"heur",
"safe site",
"malicious site",
"phishing site",
"artemis",
"alexa",
"agent",
"xtrat",
"iframe",
"downldr",
"presenoker",
"riskware",
"unsafe",
"zbot",
"crypt",
"team",
"emailworm",
"blacknet rat",
"stealer",
"blacklist https",
"name verdict",
"no data",
"tag count",
"tld count",
"count blacklist",
"tag tag",
"tld tld",
"pattern match",
"jpeg image",
"jfif standard",
"file",
"windows nt",
"ascii text",
"et tor",
"known tor",
"relayrouter",
"exit",
"date",
"unknown",
"general",
"hybrid",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"detection list",
"https",
"http",
"urls",
"maltiverse",
"html",
"bank",
"phishing",
"download",
"union",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"webshell",
"exploit",
"crack",
"generic",
"bazaloader",
"media",
"facebook",
"service",
"runescape",
"webtoolbar",
"node tcp",
"traffic",
"tor known",
"tor relayrouter",
"united",
"spammer",
"execution",
"whois record",
"apple ios",
"pe resource",
"ssl certificate",
"apple private",
"data collection",
"apeaksoft ios",
"privilege",
"contacted",
"hacktool",
"startpage",
"banker",
"keylogger"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "655af3b210e8f57cabaa0656",
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 158,
"FileHash-SHA1": 125,
"FileHash-SHA256": 3615,
"domain": 2058,
"hostname": 3773,
"CVE": 15,
"URL": 10672,
"email": 1
},
"indicator_count": 20417,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "648 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65b93e70b75e7dce7168f4dd",
"name": "Google - Lumma Stealer| QakBot | Emotet",
"description": "Lumma is classified as a stealer - a type of malware that extracts sensitive information from infected devices.\n\nYou can't see it. You will see https://www.google.com and your search. It's hidden spyware. extremely malicious. Targeted individual.",
"modified": "2024-02-29T17:01:09.717000",
"created": "2024-01-30T18:22:40.905000",
"tags": [
"ssl certificate",
"whois record",
"threat roundup",
"contacted",
"historical ssl",
"referrer",
"urls url",
"whois whois",
"october",
"resolutions",
"august",
"execution",
"installer",
"iframe",
"malware",
"core",
"emotet",
"lumma stealer",
"ransomexx",
"azorult",
"ursnif",
"hacktool",
"june",
"qakbot",
"qbot",
"april",
"targeting",
"tsara brashears",
"active threat"
],
"references": [
"google.com.uy [Google search browser, masked, links to malicious porn malware spreader, malvertizing, collection host]",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password cracker]",
"toolbarqueries.google.com.uy"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Lumma Stealer",
"display_name": "Lumma Stealer",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Azorult",
"display_name": "Azorult",
"target": null
},
{
"id": "RansomEXX",
"display_name": "RansomEXX",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
}
],
"attack_ids": [
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.003",
"name": "Mail Protocols",
"display_name": "T1071.003 - Mail Protocols"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "T1030",
"name": "Data Transfer Size Limits",
"display_name": "T1030 - Data Transfer Size Limits"
},
{
"id": "TA0010",
"name": "Exfiltration",
"display_name": "TA0010 - Exfiltration"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [
"Civil Society"
],
"TLP": "white",
"cloned_from": null,
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 50,
"FileHash-SHA1": 46,
"FileHash-SHA256": 3377,
"hostname": 2502,
"URL": 8531,
"domain": 1250,
"CVE": 2
},
"indicator_count": 15758,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "821 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65a836104ede1963b0502042",
"name": "Not even Google",
"description": "https://shadow.googlecnapps.cn\njoshuajenkinslaw.com",
"modified": "2024-02-16T17:02:44.115000",
"created": "2024-01-17T20:18:24.316000",
"tags": [
"ssl certificate",
"threat roundup",
"whois record",
"march",
"october",
"contacted",
"july",
"april",
"june",
"roundup",
"august",
"copy",
"execution",
"plugx",
"goldfinder",
"sibot",
"hacktool",
"february",
"ransomexx",
"ermac",
"emotet",
"agent tesla",
"nokoyawa"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1315,
"URL": 1384,
"domain": 327,
"hostname": 516,
"FileHash-MD5": 19,
"FileHash-SHA1": 19
},
"indicator_count": 3580,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "834 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "659b4cea3e6da3a00306ae11",
"name": "Ragnar Locker | Cowrie Hash",
"description": "Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and shell interaction performed by an attacker. Cowrie also functions as an SSH and telnet proxy to observe attacker behavior to another system. Cowrie was developed from Kippo.\n\nRagnar Locker: \nAffected platforms: Microsoft Windows\nImpacted parties: Microsoft Windows & Linux Users\nImpact: Encrypts files on the compromised machine and demands ransom for file decryption\nSeverity level: High\n\nI'm not sure. It seems this 'Law' group aquires and sell your digital profiles, PHI. PII, Banking , Insurance credentials on the dark web.",
"modified": "2024-02-06T23:04:54.022000",
"created": "2024-01-08T01:16:26.884000",
"tags": [
"contacted",
"pe resource",
"execution",
"problems",
"alienvault part",
"dropped",
"kgs0",
"kls0",
"collections",
"schema abuse",
"iframe",
"united",
"as29791",
"search",
"entries",
"passive dns",
"urls",
"service",
"date",
"unknown",
"japan unknown",
"body",
"czechia unknown",
"sinkhole",
"emotet",
"date hash",
"avast avg",
"mtb dec",
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"samples",
"tulach",
"tulach.cc",
"sabey data center",
"malware server",
"gorf",
"set cookie",
"united kingdom",
"script urls",
"trojan",
"status",
"showing",
"cookie",
"template",
"johnnsabey",
"briansabey",
"data center",
"choco",
"name",
"win32 exe",
"domains",
"registrar",
"markmonitor inc",
"ip detections",
"country",
"us execution",
"parents",
"whois record",
"whois whois",
"ssl certificate",
"apple ios",
"red team",
"tsara brashears",
"historical ssl",
"hacktool",
"copy",
"malicious",
"life",
"unsafe",
"server",
"registrar abuse",
"contact phone",
"domain status",
"registrar whois",
"email",
"registry domain",
"registry expiry",
"algorithm",
"v3 serial",
"number",
"issuer",
"key algorithm",
"ec oid",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"info",
"first",
"http method",
"http requests",
"connect http",
"get dns",
"resolutions",
"ip traffic",
"intel",
"ms windows",
"write c",
"pe32",
"pe32 executable",
"copy c",
"show",
"free",
"recon",
"benjamin",
"write",
"worm",
"win32",
"june",
"delphi",
"code",
"malware",
"next",
"using",
"urls http",
"benjamin",
"nids",
"cowrie hashes",
"dns replication",
"files",
"sample",
"sender",
"us postal",
"cowrie",
"iranian actor",
"shipping",
"healthcare",
"ragnar locker",
"qakbot",
"qbot",
"pii",
"phi",
"privacy",
"honeypot",
"referrer",
"spyware",
"android",
"nanocore",
"banker",
"keylogger"
],
"references": [
"choco.exe",
"media-router-fp74.prod.media.vip.bf1.yahoo.com",
"https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector?hs_amp=true",
"httphttp://security.didici.cc/cves://www.sentinelone.com/anthology/ragnar-locker/",
"http://security.didici.cc/cve",
"https://whois.domaintools.com/gov1.info",
"https://nsa.gov1.info/utah-data-center/",
"https://github.com/cowrie/cowrie",
"Cowrie (honeypot) - Wikipedia",
"https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware"
],
"public": 1,
"adversary": "Ragnar Locker | M. Brian Sabey | HallRender| Tulach | Benjamin",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "ALF:Win32/GbdInf_123DF591.J!ibt",
"display_name": "ALF:Win32/GbdInf_123DF591.J!ibt",
"target": "/malware/ALF:Win32/GbdInf_123DF591.J!ibt"
},
{
"id": "SABEY",
"display_name": "SABEY",
"target": null
},
{
"id": "ALF:Trojan:Win32/Cassini_f28c33a2!ibt",
"display_name": "ALF:Trojan:Win32/Cassini_f28c33a2!ibt",
"target": null
},
{
"id": "ALF:Trojan:Win32/Cassini_ade36583!ibt",
"display_name": "ALF:Trojan:Win32/Cassini_ade36583!ibt",
"target": null
},
{
"id": "ALF:Ransom:Win32/Babax.SG!MTB",
"display_name": "ALF:Ransom:Win32/Babax.SG!MTB",
"target": null
},
{
"id": "ALF:SpikeAexR.SECTHDR",
"display_name": "ALF:SpikeAexR.SECTHDR",
"target": null
},
{
"id": "ALF:Trojan:MSIL/AgentTesla.KM",
"display_name": "ALF:Trojan:MSIL/AgentTesla.KM",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker , , ALF:Trojan:Win32/AutoRun.PI!MTB , ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker , , ALF:Trojan:Win32/AutoRun.PI!MTB , ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt",
"target": null
},
{
"id": "ALF:HeraklezEval:Ransom:MSIL/Gorf",
"display_name": "ALF:HeraklezEval:Ransom:MSIL/Gorf",
"target": null
},
{
"id": "Worm:Win32/Benjamin",
"display_name": "Worm:Win32/Benjamin",
"target": "/malware/Worm:Win32/Benjamin"
},
{
"id": "Qakbot",
"display_name": "Qakbot",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "Ragnar Locker",
"display_name": "Ragnar Locker",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "Trojan",
"display_name": "Trojan",
"target": null
},
{
"id": "Worm",
"display_name": "Worm",
"target": null
},
{
"id": "NanCore RAY",
"display_name": "NanCore RAY",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [
"Healthcare",
"Insurance"
],
"TLP": "white",
"cloned_from": null,
"export_count": 35,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 347,
"FileHash-SHA1": 222,
"FileHash-SHA256": 6645,
"hostname": 2744,
"URL": 9123,
"domain": 3065,
"email": 4
},
"indicator_count": 22150,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "844 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "655a6dda5d743c8f48635ce1",
"name": "Critical cyber threat. Same threats found in regular looking blogs",
"description": "malvertizing, privilege, mocking, phishing, fraud, trojans, info stealers, trojan.dacic/blocker, cagrt.exe, aspeaksoft, iOS, apple unlocker, keylogger \nMatches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz\nMatches rule ET MALWARE Win32/Pykspa.C Public IP Check\nMatches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst\nhttps://www.ahindian.com/s/jeffrey-reimer-puts-his-love-on-top-tsara-brashears/",
"modified": "2023-12-19T20:03:47.953000",
"created": "2023-11-19T20:19:38.448000",
"tags": [
"cisco umbrella",
"site",
"malware",
"alexa top",
"team top",
"million",
"heur",
"safe site",
"malicious site",
"phishing site",
"artemis",
"alexa",
"agent",
"xtrat",
"iframe",
"downldr",
"presenoker",
"riskware",
"unsafe",
"zbot",
"crypt",
"team",
"emailworm",
"blacknet rat",
"stealer",
"blacklist https",
"name verdict",
"no data",
"tag count",
"tld count",
"count blacklist",
"tag tag",
"tld tld",
"pattern match",
"jpeg image",
"jfif standard",
"file",
"windows nt",
"ascii text",
"et tor",
"known tor",
"relayrouter",
"exit",
"date",
"unknown",
"general",
"hybrid",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"detection list",
"https",
"http",
"urls",
"maltiverse",
"html",
"bank",
"phishing",
"download",
"union",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"webshell",
"exploit",
"crack",
"generic",
"bazaloader",
"media",
"facebook",
"service",
"runescape",
"webtoolbar",
"node tcp",
"traffic",
"tor known",
"tor relayrouter",
"united",
"spammer",
"execution",
"whois record",
"apple ios",
"pe resource",
"ssl certificate",
"apple private",
"data collection",
"apeaksoft ios",
"privilege",
"contacted",
"hacktool",
"startpage",
"banker",
"keylogger"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 158,
"FileHash-SHA1": 125,
"FileHash-SHA256": 3615,
"domain": 2058,
"hostname": 3773,
"CVE": 15,
"URL": 10672,
"email": 1
},
"indicator_count": 20417,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "893 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "655af3b210e8f57cabaa0656",
"name": "www.ahindian.com/s/jeffrey-reimer-puts-his-love-on-top-tsara-brashesrswww.ahindian.com/s/jeffrey-reimer-puts-his-love-on-top-tsara-brashears",
"description": "",
"modified": "2023-12-19T20:03:47.953000",
"created": "2023-11-20T05:50:42.003000",
"tags": [
"cisco umbrella",
"site",
"malware",
"alexa top",
"team top",
"million",
"heur",
"safe site",
"malicious site",
"phishing site",
"artemis",
"alexa",
"agent",
"xtrat",
"iframe",
"downldr",
"presenoker",
"riskware",
"unsafe",
"zbot",
"crypt",
"team",
"emailworm",
"blacknet rat",
"stealer",
"blacklist https",
"name verdict",
"no data",
"tag count",
"tld count",
"count blacklist",
"tag tag",
"tld tld",
"pattern match",
"jpeg image",
"jfif standard",
"file",
"windows nt",
"ascii text",
"et tor",
"known tor",
"relayrouter",
"exit",
"date",
"unknown",
"general",
"hybrid",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"detection list",
"https",
"http",
"urls",
"maltiverse",
"html",
"bank",
"phishing",
"download",
"union",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"webshell",
"exploit",
"crack",
"generic",
"bazaloader",
"media",
"facebook",
"service",
"runescape",
"webtoolbar",
"node tcp",
"traffic",
"tor known",
"tor relayrouter",
"united",
"spammer",
"execution",
"whois record",
"apple ios",
"pe resource",
"ssl certificate",
"apple private",
"data collection",
"apeaksoft ios",
"privilege",
"contacted",
"hacktool",
"startpage",
"banker",
"keylogger"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "655a6c5a03c0b3b2d0964986",
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 158,
"FileHash-SHA1": 125,
"FileHash-SHA256": 3615,
"domain": 2058,
"hostname": 3773,
"CVE": 15,
"URL": 10672,
"email": 1
},
"indicator_count": 20417,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "893 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "655a6c5a03c0b3b2d0964986",
"name": "www.ahindian.com/s/jeffrey-reimer-puts-his-love-on-top-tsara-brashears/",
"description": "malvertizing, mocking, phishing, fraud, trojans, info stealers, trojan.dacic/blocker, cagrt.exe\nMatches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz\nMatches rule ET MALWARE Win32/Pykspa.C Public IP Check\nMatches rule ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst\nhttps://www.ahindian.com/s/jeffrey-reimer-puts-his-love-on-top-tsara-brashears/",
"modified": "2023-12-19T20:03:47.953000",
"created": "2023-11-19T20:13:14.160000",
"tags": [
"cisco umbrella",
"site",
"malware",
"alexa top",
"team top",
"million",
"heur",
"safe site",
"malicious site",
"phishing site",
"artemis",
"alexa",
"agent",
"xtrat",
"iframe",
"downldr",
"presenoker",
"riskware",
"unsafe",
"zbot",
"crypt",
"team",
"emailworm",
"blacknet rat",
"stealer",
"blacklist https",
"name verdict",
"no data",
"tag count",
"tld count",
"count blacklist",
"tag tag",
"tld tld",
"pattern match",
"jpeg image",
"jfif standard",
"file",
"windows nt",
"ascii text",
"et tor",
"known tor",
"relayrouter",
"exit",
"date",
"unknown",
"general",
"hybrid",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"detection list",
"https",
"http",
"urls",
"maltiverse",
"html",
"bank",
"phishing",
"download",
"union",
"outbreak",
"downer",
"shell",
"mediamagnet",
"sality",
"swrort",
"adaptivebee",
"unruy",
"iobit",
"dropper",
"trojanx",
"installcore",
"webshell",
"exploit",
"crack",
"generic",
"bazaloader",
"media",
"facebook",
"service",
"runescape",
"webtoolbar",
"node tcp",
"traffic",
"tor known",
"tor relayrouter",
"united",
"spammer",
"execution",
"whois record",
"apple ios",
"pe resource",
"ssl certificate",
"apple private",
"data collection",
"apeaksoft ios",
"privilege",
"contacted",
"hacktool",
"startpage",
"banker",
"keylogger"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 158,
"FileHash-SHA1": 125,
"FileHash-SHA256": 3615,
"domain": 2058,
"hostname": 3773,
"CVE": 15,
"URL": 10672,
"email": 1
},
"indicator_count": 20417,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "893 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6570a81314a587dca8a7e075",
"name": "Blackshades | Remote attacks | Malicious Google Search | DNS Requests",
"description": "",
"modified": "2023-12-06T16:57:55.292000",
"created": "2023-12-06T16:57:55.292000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1407,
"hostname": 557,
"domain": 226,
"FileHash-MD5": 860,
"FileHash-SHA1": 488,
"URL": 589
},
"indicator_count": 4127,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "906 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6570a80d15fdb40571638038",
"name": "Blackshades | Remote attacks | Malicious Google Search | DNS Requests",
"description": "",
"modified": "2023-12-06T16:57:49.914000",
"created": "2023-12-06T16:57:49.914000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1407,
"hostname": 557,
"domain": 226,
"FileHash-MD5": 860,
"FileHash-SHA1": 488,
"URL": 589
},
"indicator_count": 4127,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "906 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6570980330da96e344f9efc0",
"name": "Undefined Name",
"description": "",
"modified": "2023-12-06T15:49:23.382000",
"created": "2023-12-06T15:49:23.382000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"FileHash-SHA256": 531,
"domain": 760,
"URL": 1994,
"hostname": 554,
"FileHash-MD5": 273,
"FileHash-SHA1": 253
},
"indicator_count": 4367,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "906 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "657097fd7b69b80bc3d231c3",
"name": "website btn",
"description": "",
"modified": "2023-12-06T15:49:17.617000",
"created": "2023-12-06T15:49:17.617000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"FileHash-SHA256": 531,
"domain": 760,
"URL": 1994,
"hostname": 554,
"FileHash-MD5": 273,
"FileHash-SHA1": 253
},
"indicator_count": 4367,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "906 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "657095cae448a5d8d4bb49d2",
"name": "192.168.0.86 - j2br7yp43f.dattolocal.net - malicious abuse on home router",
"description": "",
"modified": "2023-12-06T15:39:54.390000",
"created": "2023-12-06T15:39:54.390000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 557,
"hostname": 249,
"URL": 605,
"domain": 32,
"FileHash-MD5": 40,
"FileHash-SHA1": 40
},
"indicator_count": 1523,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "906 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6570959fb2297900eabc7fc9",
"name": "dns.google - 8.8.8.8 - oh how google is not in control of their DNS",
"description": "",
"modified": "2023-12-06T15:39:11.260000",
"created": "2023-12-06T15:39:11.260000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 756,
"FileHash-MD5": 14,
"FileHash-SHA1": 14,
"domain": 224,
"URL": 598,
"hostname": 222
},
"indicator_count": 1828,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "906 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "657091664c8bf557c17688e3",
"name": "website bluetooth beacon nubotnet signed by M$",
"description": "",
"modified": "2023-12-06T15:21:10.084000",
"created": "2023-12-06T15:21:10.084000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"FileHash-SHA256": 531,
"domain": 760,
"URL": 1994,
"hostname": 554,
"FileHash-MD5": 273,
"FileHash-SHA1": 253
},
"indicator_count": 4367,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "906 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "657080c91dad41198eb749f7",
"name": "Hartintercivic.com",
"description": "",
"modified": "2023-12-06T14:10:17.112000",
"created": "2023-12-06T14:10:17.112000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1257,
"domain": 421,
"hostname": 1050,
"URL": 2321,
"FileHash-MD5": 1,
"FileHash-SHA1": 14
},
"indicator_count": 5064,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "907 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65401fddb74fe1ea8506132d",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "Law Enforcement? DOJ? ACLU? Help? This is CRAZY.\nSilencing.\nI like her song clicked on link but it was malicious. I was redirected to an Indian link that looked like YouTube.\nI am a professional, awarded researcher in many areas, parent, security researcher, graphic designer, supplier, music lover , disabled. overly curious and hacked. HELP. SCARED",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:27:57.026000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 92,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 8601,
"URL": 7499,
"domain": 4603,
"hostname": 4187,
"CIDR": 2,
"CVE": 23
},
"indicator_count": 25940,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "914 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65401d5ee5a7359a5e815a6a",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:17:18.712000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 82,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 10945,
"URL": 19764,
"domain": 5110,
"hostname": 8668,
"CIDR": 2,
"CVE": 24
},
"indicator_count": 45538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "914 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65401d73e96dd70037ed22a7",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:17:39.802000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 82,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 10945,
"URL": 19764,
"domain": 5110,
"hostname": 8668,
"CIDR": 2,
"CVE": 24
},
"indicator_count": 45538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "914 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65401d76b057b79aaf7ba4a7",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:17:40.239000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 84,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 10945,
"URL": 19764,
"domain": 5110,
"hostname": 8668,
"CIDR": 2,
"CVE": 24
},
"indicator_count": 45538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "914 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65401d8480e4a9ed725f6458",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:17:56.820000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 83,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 10945,
"URL": 19764,
"domain": 5110,
"hostname": 8668,
"CIDR": 2,
"CVE": 24
},
"indicator_count": 45538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "914 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65401da888067e7f6379d23e",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "I'm actually uncomfortable finding this.",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:18:32.141000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 84,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 8601,
"URL": 7499,
"domain": 4603,
"hostname": 4187,
"CIDR": 2,
"CVE": 23
},
"indicator_count": 25940,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "914 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65401dbe47ce126e7468a2dc",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "I'm actually uncomfortable finding this.",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:18:54.411000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 85,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 8601,
"URL": 7499,
"domain": 4603,
"hostname": 4187,
"CIDR": 2,
"CVE": 23
},
"indicator_count": 25940,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "914 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6544cbbca7610e92e4262c47",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Targeting",
"description": "",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-11-03T10:30:20.965000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": "654140bae73f795aa914e8de",
"export_count": 108,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 10945,
"URL": 19764,
"domain": 5110,
"hostname": 8668,
"CIDR": 2,
"CVE": 24
},
"indicator_count": 45538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "914 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "654140bae73f795aa914e8de",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-31T18:00:26.439000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": "65401d73e96dd70037ed22a7",
"export_count": 98,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 10945,
"URL": 19764,
"domain": 5110,
"hostname": 8668,
"CIDR": 2,
"CVE": 24
},
"indicator_count": 45538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "914 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65403022038832e42175601f",
"name": "CRITICAL!!! | Health Insurance Cyber threat Matrix - Darkside 2020 Ecosystem .BEware ",
"description": "",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T22:37:22.425000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": "65402a8dec948bec8b0a0372",
"export_count": 95,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 8601,
"URL": 7499,
"domain": 4604,
"hostname": 4187,
"CIDR": 2,
"CVE": 23,
"URI": 1
},
"indicator_count": 25942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "914 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65402a8dec948bec8b0a0372",
"name": "24 CVE's | Health Liability bDarkside 2020 Ecosystem .BEware",
"description": "Matrix of cyber crime attacks appears to involved legal entities and a division of Workers Compensation Colorado, possibly used nationally. Targeting, monitoring, tracking, malvertizing, cyber attacks, CNC. Critical.\nCould probably be disputed $$$$ though undisputable. \nEd Said. \nhttp://1.116.132.182/weblogic_CVE_2020_2551.jar\t\t\t\nCVE-2020-0601\t\t\t\t\t\nCVE-2018-8174\t\t\t\nCVE-2018-4893\t\t\t\nCVE-2018-0802\t\t\t\nCVE-2017-8759\t\t\t\t\t\t\nCVE-2017-8464\t\t\t\nCVE-2017-1188\t\t\t\t\nCVE-2017-0143\t\t\t\nCVE-2016-7262\t\t\t\nCVE-2014-6352\t\t\t\nCVE-2013-2465\t\t\t\nCVE-2011-2110\t\t\t\nCVE-2011-0609\t\t\t\nCVE-2010-2568\t\t\t\nCVE-2018-8453\t\t\t\nCVE-2013-1331\nCVE-2012-1856\t\t\t\t\nCVE-2012-0158\t\t\t\t\t\t\nCVE-2017-8570\t\t\t\nCVE-2017-11882\t\t\t\nCVE-2017-0199\t\t\t\t\t\t\nCVE-2017-0147\t\t\t\t\t\t\nCVE-2014-3153",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T22:13:33.427000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 92,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 8601,
"URL": 7499,
"domain": 4603,
"hostname": 4187,
"CIDR": 2,
"CVE": 23
},
"indicator_count": 25940,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "914 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65401fcb063a0a34fa323603",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "Law Enforcement? DOJ? ACLU? Help? This is CRAZY.\nSilencing.\nI like her song clicked on link but it was malicious. I was redirected to an Indian link that looked like YouTube.\nI am a professional, awarded researcher in many areas, parent, security researcher, graphic designer, supplier, music lover , disabled. overly curious and hacked. HELP. SCARED",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:27:39.980000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 87,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 8601,
"URL": 7499,
"domain": 4603,
"hostname": 4187,
"CIDR": 2,
"CVE": 23
},
"indicator_count": 25940,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "914 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "653f1dd94c3c9a46abe24f02",
"name": "Blackshades | Remote attacks | Malicious Google Search | DNS Requests",
"description": "",
"modified": "2023-11-06T03:00:36.709000",
"created": "2023-10-30T03:07:05.227000",
"tags": [
"noname057",
"song culture",
"brashears music",
"culture",
"tsara lynn",
"falcon sandbox",
"brashears song",
"nights",
"kedence",
"service",
"sandbox",
"cool",
"music",
"secure",
"httponly",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"misc attack",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"united",
"flag",
"contacted",
"emotet",
"NSIS",
"trellian",
"apple",
"apk",
"os",
"ios",
"android",
"google",
"Google search",
"dns",
"query",
"poisoning",
"hacking",
"injection",
"login",
"logon",
"phishing",
"scanning_host",
"VM",
"file query",
"detect",
"windir",
"api call",
"api",
"\"%WINDIR%\\System32\\vm3dum_loader.dll\" source API Call",
"\"iexplore.exe\" trying to touch file",
"attack",
"target",
"jeffrey",
"reimer",
"details \"iexplore.exe\" trying to touch file \"%WINDIR%\\System32\\v",
"suricata",
"alert",
"cyber threat",
"dpt",
"porn",
"pixelrz",
"dead",
"hifi",
"track",
"jeffrey reimer dpt",
"redirect",
"pattern match",
"tbmisch",
"contentlength",
"mcfunction",
"ck id",
"t1071",
"mitre att",
"ck matrix",
"drops",
"content reputation",
"malware",
"malvertizing",
"misc attack",
"mitre",
"file access",
"files marked clean",
"evasive",
"cisco umbrella",
"safe site",
"site",
"windows nt",
"file",
"network related",
"https webserver",
"getpost",
"get search",
"geckohost",
"jpeg image",
"jfif",
"png image",
"gif image",
"binary file",
"t1105",
"show technique",
"click",
"blacklist",
"generic malware",
"DNS Requests",
"persistence",
"gmt0600",
"programfiles",
"filename",
"indexed",
"network",
"hosts process",
"openurl c",
"prefetch2 name",
"ssl certificate",
"whois record",
"threat roundup",
"execution",
"march",
"july",
"communicating",
"october",
"september",
"referrer",
"june",
"april",
"august",
"copy",
"goldfinder",
"sibot",
"hacktool",
"february",
"skynet",
"malicious",
"download",
"malware",
"relic",
"monitoring",
"installer",
"project",
"core",
"lumma stealer",
"metro",
"Anonymizer",
"virut",
"scanning ip's",
"Cobalt Strike",
"keybase",
"spam",
"anonymisation services",
"malicious host",
"Botnet Command and Control",
"Phishing - Mr.Looquer",
"covid19 scam",
"social engineering",
"Jumpseller phishing",
"phishing: Amazon.com",
"unauthorized scanning of hosts",
"phishing huntington bank",
"malicious url",
"malicious server",
"Threats200220200050",
"ntp open resolver",
"blackshades",
"infostealer",
"rat",
"infinity",
"msil",
"adware",
"adload",
"gamarue",
"pua",
"keyloggers",
"browser malware",
"resolutions",
"whois whois",
"historical ssl",
"subdomains",
"whois siblings",
"bradesco",
"paypal phishing",
"bad traffic",
"Yandex",
"hidden users"
],
"references": [
"https://www.hybrid-analysis.com/sample/",
"https://www.google.com/search?q=tsara+brashears&tbm=isch&chips=q:tsara+brashears",
"Research and Data analysis",
"http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://pixelrz.com/lists/keywords/tsara-brashears",
"http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn",
"DNS Server - Public-dns.info",
"Autonomous System",
"AS13414 Twitter Inc",
"AS32934 Facebook Inc",
"AS15133 MCI Communications Services Inc d b a Verizon Business",
"AS13335 - Cloudflare, Inc. - United States",
"http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn",
"wTools",
"https://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video- No Expiration\t0\t URL https://hifiporn.pw/xxx/1/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video- No Expiration\t0\t URL https://archive.ph/o/jEaWf/https:/mypornvid.pw/videos/13/8thhcwahoYI/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp No Expiration\t0\t URL http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/' No Expirati",
"https://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-",
"https://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video- No Expiration\t0\t URL https://hifiporn.pw/xxx/1/white-dpt-jeffrey-r https://archive.ph/o/jEaWf/https:/mypornvid.pw/videos/13/8thhcwahoYI/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp No Expiration\t0\t URL http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/' No Expiration\t0\t URL http://pixelrz.com/lists/%20keywords/tshttp://pixelrz.com/lists/ke"
],
"public": 1,
"adversary": "[Miscellaneous, Unnamed]",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Generic.Malware",
"display_name": "Generic.Malware",
"target": null
},
{
"id": "Gen:Variant.Zusy",
"display_name": "Gen:Variant.Zusy",
"target": null
},
{
"id": "Gen:Trojan.Heur",
"display_name": "Gen:Trojan.Heur",
"target": null
},
{
"id": "Virut",
"display_name": "Virut",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Emotet - S0367",
"display_name": "Emotet - S0367",
"target": null
},
{
"id": "Lumma Stealer",
"display_name": "Lumma Stealer",
"target": null
},
{
"id": "GoldFinder - S0597",
"display_name": "GoldFinder - S0597",
"target": null
},
{
"id": "BlackShades Crypter",
"display_name": "BlackShades Crypter",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [
"Media",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": "6520e93e8cf8f83a2ccfd46b",
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 860,
"FileHash-SHA1": 488,
"FileHash-SHA256": 1407,
"domain": 226,
"hostname": 557,
"URL": 589
},
"indicator_count": 4127,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "937 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6520e6e8396ce5b825a4edb9",
"name": "Blackshades | Remote attacks | Malicious Google Search | DNS Requests",
"description": "Botnet Command and Control \nCobalt Strike\nMisc Attack\nHidden users\nTargets: network, communication, devices, url, music publishing company, artists, owner, associates, advertising, visibility, reputations, digital profile.\nCountry origination: United States",
"modified": "2023-11-06T03:00:36.709000",
"created": "2023-10-07T05:04:40.671000",
"tags": [
"noname057",
"song culture",
"brashears music",
"culture",
"tsara lynn",
"falcon sandbox",
"brashears song",
"nights",
"kedence",
"service",
"sandbox",
"cool",
"music",
"secure",
"httponly",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"misc attack",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"united",
"flag",
"contacted",
"emotet",
"NSIS",
"trellian",
"apple",
"apk",
"os",
"ios",
"android",
"google",
"Google search",
"dns",
"query",
"poisoning",
"hacking",
"injection",
"login",
"logon",
"phishing",
"scanning_host",
"VM",
"file query",
"detect",
"windir",
"api call",
"api",
"\"%WINDIR%\\System32\\vm3dum_loader.dll\" source API Call",
"\"iexplore.exe\" trying to touch file",
"attack",
"target",
"jeffrey",
"reimer",
"details \"iexplore.exe\" trying to touch file \"%WINDIR%\\System32\\v",
"suricata",
"alert",
"cyber threat",
"dpt",
"porn",
"pixelrz",
"dead",
"hifi",
"track",
"jeffrey reimer dpt",
"redirect",
"pattern match",
"tbmisch",
"contentlength",
"mcfunction",
"ck id",
"t1071",
"mitre att",
"ck matrix",
"drops",
"content reputation",
"malware",
"malvertizing",
"misc attack",
"mitre",
"file access",
"files marked clean",
"evasive",
"cisco umbrella",
"safe site",
"site",
"windows nt",
"file",
"network related",
"https webserver",
"getpost",
"get search",
"geckohost",
"jpeg image",
"jfif",
"png image",
"gif image",
"binary file",
"t1105",
"show technique",
"click",
"blacklist",
"generic malware",
"DNS Requests",
"persistence",
"gmt0600",
"programfiles",
"filename",
"indexed",
"network",
"hosts process",
"openurl c",
"prefetch2 name",
"ssl certificate",
"whois record",
"threat roundup",
"execution",
"march",
"july",
"communicating",
"october",
"september",
"referrer",
"june",
"april",
"august",
"copy",
"goldfinder",
"sibot",
"hacktool",
"february",
"skynet",
"malicious",
"download",
"malware",
"relic",
"monitoring",
"installer",
"project",
"core",
"lumma stealer",
"metro",
"Anonymizer",
"virut",
"scanning ip's",
"Cobalt Strike",
"keybase",
"spam",
"anonymisation services",
"malicious host",
"Botnet Command and Control",
"Phishing - Mr.Looquer",
"covid19 scam",
"social engineering",
"Jumpseller phishing",
"phishing: Amazon.com",
"unauthorized scanning of hosts",
"phishing huntington bank",
"malicious url",
"malicious server",
"Threats200220200050",
"ntp open resolver",
"blackshades",
"infostealer",
"rat",
"infinity",
"msil",
"adware",
"adload",
"gamarue",
"pua",
"keyloggers",
"browser malware",
"resolutions",
"whois whois",
"historical ssl",
"subdomains",
"whois siblings",
"bradesco",
"paypal phishing",
"bad traffic",
"Yandex",
"hidden users"
],
"references": [
"https://www.hybrid-analysis.com/sample/",
"https://www.google.com/search?q=tsara+brashears&tbm=isch&chips=q:tsara+brashears",
"Research and Data analysis",
"http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer No Expiration http://pixelrz.com/lists/keywords/tsara-brashears-dead",
"http://pixelrz.com/lists/keywords/tsara-brashears",
"http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn",
"DNS Server - Public-dns.info",
"Autonomous System",
"AS13414 Twitter Inc",
"AS32934 Facebook Inc",
"AS15133 MCI Communications Services Inc d b a Verizon Business",
"AS13335 - Cloudflare, Inc. - United States",
"http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn",
"https://amp.hifiporn.cc/xxx/1/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-",
"https://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-",
"https://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video- No Expiration\t0\t URL https://hifiporn.pw/xxx/1/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video- No Expiration\t0\t URL https://archive.ph/o/jEaWf/https:/mypornvid.pw/videos/13/8thhcwahoYI/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp No Expiration\t0\t URL http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/' No Expirati",
"http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/",
"https://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video- No Expiration\t0\t URL https://hifiporn.pw/xxx/1/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video- No Expiration\t0\t URL https://archive.ph/o/jEaWf/https:/mypornvid.pw/videos/13/8thhcwahoYI/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp No Expiration\t0\t URL http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/' No Expirati"
],
"public": 1,
"adversary": "[Miscellaneous, Unnamed]",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Generic.Malware",
"display_name": "Generic.Malware",
"target": null
},
{
"id": "Gen:Variant.Zusy",
"display_name": "Gen:Variant.Zusy",
"target": null
},
{
"id": "Gen:Trojan.Heur",
"display_name": "Gen:Trojan.Heur",
"target": null
},
{
"id": "Virut",
"display_name": "Virut",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Emotet - S0367",
"display_name": "Emotet - S0367",
"target": null
},
{
"id": "Lumma Stealer",
"display_name": "Lumma Stealer",
"target": null
},
{
"id": "GoldFinder - S0597",
"display_name": "GoldFinder - S0597",
"target": null
},
{
"id": "BlackShades Crypter",
"display_name": "BlackShades Crypter",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [
"Media",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 29,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 860,
"FileHash-SHA1": 488,
"FileHash-SHA256": 1407,
"domain": 226,
"hostname": 557,
"URL": 589
},
"indicator_count": 4127,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "937 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6520e93e8cf8f83a2ccfd46b",
"name": "Blackshades | Remote attacks | Malicious Google Search | DNS Requests",
"description": "Botnet Command and Control \nCobalt Strike\nMisc Attack\nHidden users\nTargets: network, url, music publishing company, artists, owner, associates, advertising, visibility, reputations, digital profile.\nCountry origination: United States",
"modified": "2023-11-06T03:00:36.709000",
"created": "2023-10-07T05:14:38.342000",
"tags": [
"noname057",
"song culture",
"brashears music",
"culture",
"tsara lynn",
"falcon sandbox",
"brashears song",
"nights",
"kedence",
"service",
"sandbox",
"cool",
"music",
"secure",
"httponly",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"misc attack",
"et tor",
"known tor",
"relayrouter",
"exit",
"node traffic",
"united",
"flag",
"contacted",
"emotet",
"NSIS",
"trellian",
"apple",
"apk",
"os",
"ios",
"android",
"google",
"Google search",
"dns",
"query",
"poisoning",
"hacking",
"injection",
"login",
"logon",
"phishing",
"scanning_host",
"VM",
"file query",
"detect",
"windir",
"api call",
"api",
"\"%WINDIR%\\System32\\vm3dum_loader.dll\" source API Call",
"\"iexplore.exe\" trying to touch file",
"attack",
"target",
"jeffrey",
"reimer",
"details \"iexplore.exe\" trying to touch file \"%WINDIR%\\System32\\v",
"suricata",
"alert",
"cyber threat",
"dpt",
"porn",
"pixelrz",
"dead",
"hifi",
"track",
"jeffrey reimer dpt",
"redirect",
"pattern match",
"tbmisch",
"contentlength",
"mcfunction",
"ck id",
"t1071",
"mitre att",
"ck matrix",
"drops",
"content reputation",
"malware",
"malvertizing",
"misc attack",
"mitre",
"file access",
"files marked clean",
"evasive",
"cisco umbrella",
"safe site",
"site",
"windows nt",
"file",
"network related",
"https webserver",
"getpost",
"get search",
"geckohost",
"jpeg image",
"jfif",
"png image",
"gif image",
"binary file",
"t1105",
"show technique",
"click",
"blacklist",
"generic malware",
"DNS Requests",
"persistence",
"gmt0600",
"programfiles",
"filename",
"indexed",
"network",
"hosts process",
"openurl c",
"prefetch2 name",
"ssl certificate",
"whois record",
"threat roundup",
"execution",
"march",
"july",
"communicating",
"october",
"september",
"referrer",
"june",
"april",
"august",
"copy",
"goldfinder",
"sibot",
"hacktool",
"february",
"skynet",
"malicious",
"download",
"malware",
"relic",
"monitoring",
"installer",
"project",
"core",
"lumma stealer",
"metro",
"Anonymizer",
"virut",
"scanning ip's",
"Cobalt Strike",
"keybase",
"spam",
"anonymisation services",
"malicious host",
"Botnet Command and Control",
"Phishing - Mr.Looquer",
"covid19 scam",
"social engineering",
"Jumpseller phishing",
"phishing: Amazon.com",
"unauthorized scanning of hosts",
"phishing huntington bank",
"malicious url",
"malicious server",
"Threats200220200050",
"ntp open resolver",
"blackshades",
"infostealer",
"rat",
"infinity",
"msil",
"adware",
"adload",
"gamarue",
"pua",
"keyloggers",
"browser malware",
"resolutions",
"whois whois",
"historical ssl",
"subdomains",
"whois siblings",
"bradesco",
"paypal phishing",
"bad traffic",
"Yandex",
"hidden users"
],
"references": [
"https://www.hybrid-analysis.com/sample/",
"https://www.google.com/search?q=tsara+brashears&tbm=isch&chips=q:tsara+brashears",
"Research and Data analysis",
"http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://pixelrz.com/lists/keywords/tsara-brashears",
"http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn",
"DNS Server - Public-dns.info",
"Autonomous System",
"AS13414 Twitter Inc",
"AS32934 Facebook Inc",
"AS15133 MCI Communications Services Inc d b a Verizon Business",
"AS13335 - Cloudflare, Inc. - United States",
"http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn",
"wTools",
"https://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video- No Expiration\t0\t URL https://hifiporn.pw/xxx/1/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video- No Expiration\t0\t URL https://archive.ph/o/jEaWf/https:/mypornvid.pw/videos/13/8thhcwahoYI/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp No Expiration\t0\t URL http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/' No Expirati",
"https://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-",
"https://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video- No Expiration\t0\t URL https://hifiporn.pw/xxx/1/white-dpt-jeffrey-r https://archive.ph/o/jEaWf/https:/mypornvid.pw/videos/13/8thhcwahoYI/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp No Expiration\t0\t URL http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/' No Expiration\t0\t URL http://pixelrz.com/lists/%20keywords/tshttp://pixelrz.com/lists/ke"
],
"public": 1,
"adversary": "[Miscellaneous, Unnamed]",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Generic.Malware",
"display_name": "Generic.Malware",
"target": null
},
{
"id": "Gen:Variant.Zusy",
"display_name": "Gen:Variant.Zusy",
"target": null
},
{
"id": "Gen:Trojan.Heur",
"display_name": "Gen:Trojan.Heur",
"target": null
},
{
"id": "Virut",
"display_name": "Virut",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Emotet - S0367",
"display_name": "Emotet - S0367",
"target": null
},
{
"id": "Lumma Stealer",
"display_name": "Lumma Stealer",
"target": null
},
{
"id": "GoldFinder - S0597",
"display_name": "GoldFinder - S0597",
"target": null
},
{
"id": "BlackShades Crypter",
"display_name": "BlackShades Crypter",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [
"Media",
"Technology",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 29,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 860,
"FileHash-SHA1": 488,
"FileHash-SHA256": 1407,
"domain": 226,
"hostname": 557,
"URL": 589
},
"indicator_count": 4127,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "937 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "63ee2f3a175c194201f2a350",
"name": "its all about IPTV control of you and your tv havana eat your heart out",
"description": "\u00c2\u00a31.5m worth of content on the site.\nFound potential IP address in binary/memory\ndetails\nPotential IP \"10.34.0.42\" found in string \"%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Subresource Filter\\Indexed Rules\\35\\10.34.0.42\"\nPotential IP \"10.34.0.42\" found in string \"%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Subresource Filter\\Unindexed Rules\\10.34.0.42\\LICENSE\"",
"modified": "2023-03-18T12:02:10.895000",
"created": "2023-02-16T13:27:22.635000",
"tags": [
"live sport tv listing guide",
"gregor jutrisa",
"sports",
"entertainment",
"ios apps",
"app",
"appstore",
"app store",
"iphone",
"ipad",
"ipod touch",
"itouch",
"itunes",
"sport tv",
"ziggo sport",
"fox sports",
"sky sport",
"golf channel",
"eurosport",
"sport",
"football",
"baseball",
"golf",
"calendar",
"vxstream",
"localappdata",
"unicode",
"hash seen",
"runtime process",
"entropy",
"type data",
"peter selinger",
"tbody",
"span",
"tfoot",
"thead",
"button",
"multiple",
"type",
"href",
"fontawesome",
"gradienttype0",
"false",
"alpha",
"https://img2.sport-tv-guide.live/images/favicon/apple-touch-icon",
"3.0.0.0",
"10.34.0.42"
],
"references": [
"https://sport-tv-guide.live/cache/styles.min.css",
"https://img2.sport-tv-guide.live/images/favicon/site.webmanifest",
"https://img2.sport-tv-guide.live/images/favicon/safari-pinned-tab.svg",
"https://img2.sport-tv-guide.live/images/favicon/apple-touch-icon.png",
"https://hybrid-analysis.com/sample/d7b60960a563566fc4cd0bbcaf24572243c650f00b2c33cd64c4ae332256d39b/63ee1e3f52707c4ed037bf26",
"https://play.google.com/store/apps/details?id=sport.mobile2ads.com",
"sport.mobile2ads.com",
"https://hybrid-analysis.com/sample/3acc839f401ca63b99c8364e297b4f65d26e2b48f5c623dd153c8d92e1ad5ed1/63ee2381ea009a65456be633",
"https://itunes.apple.com/us/app/live-sport-tv-listing-guide/id1182257083?ls=1&mt=8"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TEL:Win32/Qjwmonkey.A",
"display_name": "TEL:Win32/Qjwmonkey.A",
"target": "/malware/TEL:Win32/Qjwmonkey.A"
},
{
"id": "PWS:Win32/VB.CU",
"display_name": "PWS:Win32/VB.CU",
"target": "/malware/PWS:Win32/VB.CU"
},
{
"id": "Win32:VB-AJKP\\ [Trj]",
"display_name": "Win32:VB-AJKP\\ [Trj]",
"target": null
},
{
"id": "Win.Malware.Swisyn-7610494-0",
"display_name": "Win.Malware.Swisyn-7610494-0",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 141,
"hostname": 29,
"URL": 151,
"domain": 45,
"FileHash-MD5": 91,
"FileHash-SHA1": 90
},
"indicator_count": 547,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 90,
"modified_text": "1170 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64012c0424bfa1d35e1fe372",
"name": "website btn",
"description": "",
"modified": "2023-03-10T02:09:44.795000",
"created": "2023-03-02T23:06:44.906000",
"tags": [
"GKG.net",
"m.ftc.gov"
],
"references": [
"g83bf586919bf417b80338f9dd8bd45058fb96dd8bd6945e284251eff792b607b.json",
"GKG.net to m.ftc.gov"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "62f6fc91d3e6f4aed69c645f",
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": true,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "1111.1111",
"id": "227366",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1994,
"FileHash-SHA256": 531,
"hostname": 554,
"domain": 760,
"CVE": 2,
"FileHash-MD5": 273,
"FileHash-SHA1": 253
},
"indicator_count": 4367,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 39,
"modified_text": "1178 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64012c2d348ad0aa57200260",
"name": "q",
"description": "",
"modified": "2023-03-02T23:12:29.113000",
"created": "2023-03-02T23:07:25.286000",
"tags": [
"GKG.net",
"m.ftc.gov"
],
"references": [
"g83bf586919bf417b80338f9dd8bd45058fb96dd8bd6945e284251eff792b607b.json",
"GKG.net to m.ftc.gov"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "64012c0424bfa1d35e1fe372",
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "1111.1111",
"id": "227366",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1994,
"FileHash-SHA256": 531,
"hostname": 554,
"domain": 760,
"CVE": 2,
"FileHash-MD5": 273,
"FileHash-SHA1": 253
},
"indicator_count": 4367,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 38,
"modified_text": "1185 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "63af05abbb822d1ef22cb26d",
"name": "192.168.0.86 - j2br7yp43f.dattolocal.net - malicious abuse on home router",
"description": "192.168.0.23 and 139 - www.yndesen.net - to device-local-(...)remotewd.com bad actor abusing home devices under this cloud/storage provider",
"modified": "2023-01-29T14:03:36.994000",
"created": "2022-12-30T15:37:15.190000",
"tags": [
"j2br7yp43f.dattolocal.net",
"www.yndesen.net",
"192.168.0.23",
"192.168.0139",
"192.168.0.24",
"192.168.0.86"
],
"references": [
"https://www.virustotal.com/graph/g7227176581de4678b6f3bfdeb541cbcfda2a37cf7e894b5e99575774a1969b07",
"j2br7yp43f.dattolocal.net",
"ccs01lte.vo.ca-cncx.net",
"www.concentric.com",
"5.5.6.1",
"llnwd.net",
"twitter i8n locale page error revealing pivot"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 249,
"URL": 605,
"FileHash-SHA256": 557,
"domain": 32,
"FileHash-MD5": 40,
"FileHash-SHA1": 40
},
"indicator_count": 1523,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 91,
"modified_text": "1218 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "63a857bf585af25350972d0c",
"name": "dns.google - 8.8.8.8 - oh how google is not in control of their DNS",
"description": "",
"modified": "2023-01-24T12:00:24.101000",
"created": "2022-12-25T14:01:35.401000",
"tags": [
"vb.cu",
"dns.google",
"no.ip",
"gvt1.com",
"whitelisted ip's = big problems when DNS is controlled by threat"
],
"references": [
"Chrstmas morning when you cant even look at your kids"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "nUFS_svfohigh",
"display_name": "nUFS_svfohigh",
"target": null
},
{
"id": "nUFS_7z",
"display_name": "nUFS_7z",
"target": null
},
{
"id": "KnownMaliciousObfuscation",
"display_name": "KnownMaliciousObfuscation",
"target": null
},
{
"id": "ConventionEngine_Term_Users",
"display_name": "ConventionEngine_Term_Users",
"target": null
},
{
"id": "Virus:Win32/Neverdie",
"display_name": "Virus:Win32/Neverdie",
"target": "/malware/Virus:Win32/Neverdie"
},
{
"id": "Virus:Win32/Nabucur",
"display_name": "Virus:Win32/Nabucur",
"target": "/malware/Virus:Win32/Nabucur"
},
{
"id": "APT Ransomware v.2",
"display_name": "APT Ransomware v.2",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 31,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 224,
"URL": 598,
"hostname": 222,
"FileHash-SHA256": 756,
"FileHash-MD5": 14,
"FileHash-SHA1": 14
},
"indicator_count": 1828,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 93,
"modified_text": "1223 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "63a14d861e0739ae433f59f2",
"name": "theeserver13.myftp.org - ton of game sw with free malw - c-cex.com UK game Retail Chain",
"description": "The full text of this page is published on the website of Generation-nt.com, a website based in the Czech Republic, until the end of the year of 2018, with the following:",
"modified": "2023-01-19T05:01:12.311000",
"created": "2022-12-20T05:52:06.423000",
"tags": [
"status code",
"body length",
"kb body",
"sha256",
"headers expires",
"maxage0",
"httponly",
"server",
"gmt connection",
"pragma"
],
"references": [
"51.178.73.217 Status Code 200 Body Length 157.34 KB Body SHA-256 a6724805472991179713b61ce2a77ab5bddcf4d33e04818e63d4c31ef7ba200f Headers Expires Tue, 20 Dec 2022 02:59:38 GMT Content-Encoding gzip Transfer-Encoding chunked Set-Cookie PHPSESSID=bcvp5n9l6ico8fst5ha0ca9e96; path=/, user=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=generation-nt.com; secure; HttpOnly; SameSite=strict Strict-Transport-Security max-age=63072000 Vary Accept-Encoding Server nginx Last-Modified Tue, 20 ",
"https://www.virustotal.com/gui/collection/090b491fd4a8b8f7aaba4fce1c6d213dc4ff6c887cc3775acb503419ab9de439"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 309,
"URL": 571,
"domain": 233,
"FileHash-SHA256": 239,
"FileHash-MD5": 99,
"FileHash-SHA1": 98
},
"indicator_count": 1549,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 90,
"modified_text": "1228 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "62f6fc91d3e6f4aed69c645f",
"name": "website bluetooth beacon nubotnet signed by M$",
"description": "",
"modified": "2022-09-12T00:04:46.916000",
"created": "2022-08-13T01:21:21.739000",
"tags": [
"GKG.net",
"m.ftc.gov"
],
"references": [
"g83bf586919bf417b80338f9dd8bd45058fb96dd8bd6945e284251eff792b607b.json",
"GKG.net to m.ftc.gov"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1994,
"FileHash-SHA256": 531,
"hostname": 554,
"domain": 760,
"CVE": 2,
"FileHash-MD5": 273,
"FileHash-SHA1": 253
},
"indicator_count": 4367,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 393,
"modified_text": "1357 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "62271c27d501f2e4c04ec869",
"name": "Hartintercivic.com",
"description": "",
"modified": "2022-04-06T00:02:16.312000",
"created": "2022-03-08T09:04:39.837000",
"tags": [],
"references": [
"HARTINTERCIVIC.pdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Kailula4",
"id": "131997",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1050,
"URL": 2321,
"FileHash-SHA256": 1257,
"domain": 421,
"FileHash-MD5": 1,
"FileHash-SHA1": 14
},
"indicator_count": 5064,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 408,
"modified_text": "1516 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"",
"https://7849f20f.open.convertkit-mail2.com/68une4gx9xi8h50394ziohpe59okkh9hdg44x",
"sport.mobile2ads.com",
"Can the DoD no questions asked target a SA victim",
"hxxps://viz.greynoise.io/analysis/0ec05e79-be67-4f45-82c4-96ca96aa007c",
"www.concentric.com",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"hattchett.ddns.net",
"Yara Detections SUSP_Imphash_Mar23_2",
"https://www.virustotal.com/gui/collection/7282647dbf53915db766e8afd03c485ab3596962670c15c427206ce174ca78f0/iocs",
"https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware",
"https://amp.hifiporn.cc/xxx/1/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-",
"http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer No Expiration http://pixelrz.com/lists/keywords/tsara-brashears-dead",
"https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark",
"userlocation-prod.ingress.kors.microsoft-falcon.net ->",
"choco.exe",
"AS15133 MCI Communications Services Inc d b a Verizon Business",
"x-hallmonitor-challenge CgwI-LPQygYQwp6yigISBGuywgs",
"hxxps://tria[.]ge/240604-tnwvzsce3s",
"simswap.in (possible Mirai or relationship to)",
"google.com.uy [Google search browser, masked, links to malicious porn malware spreader, malvertizing, collection host]",
"https://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video- No Expiration\t0\t URL https://hifiporn.pw/xxx/1/white-dpt-jeffrey-r https://archive.ph/o/jEaWf/https:/mypornvid.pw/videos/13/8thhcwahoYI/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp No Expiration\t0\t URL http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/' No Expiration\t0\t URL http://pixelrz.com/lists/%20keywords/tshttp://pixelrz.com/lists/ke",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"DNS Server - Public-dns.info",
"https://hybrid-analysis.com/sample/d7b60960a563566fc4cd0bbcaf24572243c650f00b2c33cd64c4ae332256d39b/63ee1e3f52707c4ed037bf26",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"https://www.hybrid-analysis.com/sample/",
"https://img2.sport-tv-guide.live/images/favicon/apple-touch-icon.png",
"hxxps://lab[.]dynamite[.]ai/pcaps/ae3b422f-4d10-4ebc-bf35-5e19d0aaae75",
"5.5.6.1",
"Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate",
"https://www.virustotal.com/graph/embed/g1283d60e0d064912af05e1ed528df7b7d1af3298065040ce9863afbea677becd?theme=dark",
"https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark",
"https://es.pornhat.com/models/the-sex-creator/",
"https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark",
"http://remote.edikamin.com/",
"Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT",
"https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
"https://www.virustotal.com/graph/g7227176581de4678b6f3bfdeb541cbcfda2a37cf7e894b5e99575774a1969b07",
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom",
"Google.com sorry not sorry index | https://www.google.com/search",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"media-router-fp74.prod.media.vip.bf1.yahoo.com",
"wTools",
"https://hybrid-analysis.com/sample/3acc839f401ca63b99c8364e297b4f65d26e2b48f5c623dd153c8d92e1ad5ed1/63ee2381ea009a65456be633",
"http://pixelrz.com/lists/keywords/tsara-brashears",
"https://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-",
"https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e/graph",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn",
"Autonomous System",
"https://img2.sport-tv-guide.live/images/favicon/site.webmanifest",
"https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"http://pixelrz.com/lists/keywords/jeffrey-reimer-shot-dead-walgreens/",
"https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark",
"AS13335 - Cloudflare, Inc. - United States",
"If someone is believed to be a threat they have right to due process.",
"GKG.net to m.ftc.gov",
"https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector?hs_amp=true",
"http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer",
"https://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video- No Expiration\t0\t URL https://hifiporn.pw/xxx/1/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video- No Expiration\t0\t URL https://archive.ph/o/jEaWf/https:/mypornvid.pw/videos/13/8thhcwahoYI/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp No Expiration\t0\t URL http://pixelrz.com/lists/%20keywords/tsara-brashears-jeffrey-reimer-porn/' No Expirati",
"https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e/iocs",
"Microsoft Corporation: FileVersion: 1.0.0.155 Microsoft Corporation Legal Trademark: Mira Malware",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"Cowrie (honeypot) - Wikipedia",
"http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark",
"Office Open XML Spreadsheet: jnlwore.exe \u2022 Office Open: XML Spreadsheet \u2022 logs.xlsx",
"toolbarqueries.google.com.uy",
"hxxps://viz[.]greynoise[.]io/analysis/02c0537c-d5b6-4881-bdde-9ed84a978cfe",
"DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password cracker]",
"https://github.com/cowrie/cowrie",
"https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark",
"Report ID: ca0154b1-39cc-44f5-9f54-a669132dff60",
"51.178.73.217 Status Code 200 Body Length 157.34 KB Body SHA-256 a6724805472991179713b61ce2a77ab5bddcf4d33e04818e63d4c31ef7ba200f Headers Expires Tue, 20 Dec 2022 02:59:38 GMT Content-Encoding gzip Transfer-Encoding chunked Set-Cookie PHPSESSID=bcvp5n9l6ico8fst5ha0ca9e96; path=/, user=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=generation-nt.com; secure; HttpOnly; SameSite=strict Strict-Transport-Security max-age=63072000 Vary Accept-Encoding Server nginx Last-Modified Tue, 20 ",
"Target agreed and complied with all lie detector measures.",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"llnwd.net",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph",
"I am very upset. Whoever is doing this is sick.",
"https://otx.alienvault.com/indicator/hostname/mx-in-ma.apple.com",
"AS13414 Twitter Inc",
"https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"http://deposito.hostance.net/dialer/",
"Research and Data analysis",
"https://www.virustotal.com/gui/collection/090b491fd4a8b8f7aaba4fce1c6d213dc4ff6c887cc3775acb503419ab9de439",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"j2br7yp43f.dattolocal.net",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"g83bf586919bf417b80338f9dd8bd45058fb96dd8bd6945e284251eff792b607b.json",
"Chrstmas morning when you cant even look at your kids",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1",
"Names: cb=loaded_h_0&sei=7xhUabPOD4LmwN4P57CMuQc",
"https://www.virustotal.com/gui/file/de41f4d690511126ce2b8b5df3c0ffdde792df495ea6bb9fe2fec5f8b175e408/summary",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"cb=loaded_h_0&sei=7xhUabPOD4LmwN4P57CMuQc 2025",
"To get future Google Chrome updates, you'll need",
"https://whois.domaintools.com/gov1.info",
"https://urlscan.io/user/submit/",
"XML: sharedStrings.xml \u2022Text: blacklist-6649dcf91af1d.csv",
"https://www.google.com/search?q=tsara+brashears&tbm=isch&chips=q:tsara+brashears",
"https://www.virustotal.com/gui/collection/7abd6a8d54244cffa20cac97fbc790ac3fb01a5f369ce53430fa1ace25d48589/summary",
"https://www.virustotal.com/gui/collection/7abd6a8d54244cffa20cac97fbc790ac3fb01a5f369ce53430fa1ace25d48589/iocs",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"redirector.gvt1.com",
"httphttp://security.didici.cc/cves://www.sentinelone.com/anthology/ragnar-locker/",
"AS32934 Facebook Inc",
"\u4e3b\u9875\uff0c\u6574\u4e2a\u4e16\u754c X + < \u2192 C \u2022 hao.360.com/?src=lm&ls=n6abbbb598c ->",
"twitter i8n locale page error revealing pivot",
"https://www.google.com/sorry/index \u2022 http://g.co/p3p...-> g.co",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary",
"https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs",
"http://security.didici.cc/cve",
"https://meumundogay-com.sexogratis.page/locker",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There is fear in silence or speaking out",
"HARTINTERCIVIC.pdf",
"https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"iamrobert.com Y.A.S.",
"http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61",
"https://sport-tv-guide.live/cache/styles.min.css",
"https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95",
"https://itunes.apple.com/us/app/live-sport-tv-listing-guide/id1182257083?ls=1&mt=8",
"microsoft-falcon.net",
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore",
"https://play.google.com/store/apps/details?id=sport.mobile2ads.com",
"ccs01lte.vo.ca-cncx.net",
"https://www.virustotal.com/graph/embed/g0ebb8822924a4f37914ac37300f822217aa6d1d68c5346ac9daa51110b89ed43?theme=dark",
"https://img2.sport-tv-guide.live/images/favicon/safari-pinned-tab.svg",
"hxxps://app[.]any[.]run/tasks/60a27c5e-ddd3-44d8-a4af-a5f90cdd4660",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://nsa.gov1.info/utah-data-center/",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [
"[Miscellaneous, Unnamed]",
"Ragnar Locker | M. Brian Sabey | HallRender| Tulach | Benjamin"
],
"malware_families": [
"Win32:cabmod\\ [drp]",
"Mydoom checkin",
"Warzonerat - s0670",
"Alf:trojan:win32/cassini_f28c33a2!ibt",
"Carbanak",
"Alf:heraklezeval:trojan:win32/clipbanker , , alf:trojan:win32/autorun.pi!mtb , alf:trojan:win32/cassini_6d4ebdc9!ibt",
"Ragnar locker",
"Tel:win32/qjwmonkey.a",
"Win.trojan.agent-316098",
"Alf:trojan:win32/cassini_ade36583!ibt",
"!#addscopy-tostartup",
"Lumma stealer",
"Alf:heraklezeval:ransom:msil/gorf",
"Project nemesis",
"Virut",
"Pws:win32/vb.cu",
"Webtoolbar",
"Qbot",
"Trojandownloader:win32/banload.d",
"Cve-2023-22518",
"Apnic",
"Conventionengine_term_users",
"Generic.malware",
"Upatre",
"Alf:heraklezeval:pua:win32/keygen",
"Emotet",
"Qakbot",
"Tulach",
"Alf:win32/gbdinf_123df591.j!ibt",
"Kryptik",
"Hallrender",
"Virtool:win32/autinject.cz!bit",
"Gen:trojan.heur",
"Maltiverse",
"Gen:variant.zusy",
"Virtool:win32/injector.gen!bq",
"Banload",
"Alf:spikeaexr.secthdr",
"Blackshades crypter",
"Ransomexx",
"Worm:win32/benjamin",
"Alf:ransom:win32/babax.sg!mtb",
"Win32:vb-ajkp\\ [trj]",
"Virus:win32/nabucur",
"Nancore ray",
"Trojan:win32/startpage.aea",
"Lizar",
"Trojan:win32/diamin.f",
"Trojan:win32/mira",
"Domino",
"Nufs_7z",
"Win.malware.swisyn-7610494-0",
"Knownmaliciousobfuscation",
"Win32:evo-gen",
"Cobalt strike",
"Trojan",
"Virus:win32/neverdie",
"Azorult",
"Sabey",
"Nufs_svfohigh",
"Malware",
"Dialer",
"Hacktool",
"Rokrat",
"Trojandropper:win32/hupigon.gen!a",
"Goldfinder - s0597",
"Apt ransomware v.2",
"Emotet - s0367",
"Alf:trojan:msil/agenttesla.km",
"Worm"
],
"industries": [
"Hospitality",
"Education",
"Health",
"Insurance",
"Healthcare",
"Telecommunications",
"Media",
"Government",
"Financial",
"Technology",
"Civil society"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 48,
"pulses": [
{
"id": "69544c73467a9c3858556698",
"name": "Mira Malware Drive By Compromise Google.com search engine | Microsoft | Apple",
"description": "Microsoft Mira Malware Drive By Compromise Google.com.\n Device infected with MyDoom zombie maker. \nEstablished user location, screen captures, corrupted Apple device via Google search engine browser redirect. Attack began 12.30.2025 past midnight. Threat actor powered on cameras, microphones, and preformed their hacker intentions. #stateofcolorado",
"modified": "2026-01-29T21:02:54.448000",
"created": "2025-12-30T22:04:35.565000",
"tags": [
"content",
"kb body",
"p3p cp",
"date tue",
"gmt server",
"html info",
"12.30.2025",
"urls",
"url add",
"http",
"ip address",
"related nids",
"files location",
"united",
"flag united",
"handle",
"address range",
"cidr",
"network name",
"allocation type",
"assigned pa",
"status",
"whois server",
"ripe ncc",
"ripe network",
"abuse contact",
"orgid",
"address",
"orgabuseref",
"postalcode",
"ripe",
"email",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"ssl certificate",
"execution",
"google llc",
"ascii text",
"mitre att",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"data upload",
"extraction",
"ta0004",
"evasion ta0005",
"injection t1055",
"t1055",
"col ta0011",
"l t1071",
"encrypted ch",
"t1573",
"present nov",
"present oct",
"certificate",
"present dec",
"aaaa",
"search",
"servers",
"record value",
"emails",
"title",
"leveidiuelabs",
"include",
"review",
"exclude data",
"suggested ogs",
"find s",
"command decode",
"development att",
"initial access",
"t1189 driveby",
"html",
"execution att",
"href",
"size",
"pattern match",
"filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"medium risk",
"malware",
"trojan",
"mira malware",
"push",
"dynamicloader",
"windows nt",
"msie",
"wow64",
"slcc2",
"media center",
"yara rule",
"program",
"runtime error",
"medium",
"python",
"win64",
"unknown",
"guard",
"accept",
"write",
"launcher",
"updater",
"smartassembly",
"delphi",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"copy",
"next",
"mydoom checkin",
"win32mydoom dec",
"name servers",
"creation date",
"passive dns",
"domain",
"expiration date",
"hostname",
"date",
"google chrome",
"screen capture",
"locate human",
"target",
"black hat",
"apple",
"microsoft",
"google",
"stateofcolorado",
"christopher ahmann",
"brian sabey"
],
"references": [
"Google.com sorry not sorry index | https://www.google.com/search",
"cb=loaded_h_0&sei=7xhUabPOD4LmwN4P57CMuQc 2025",
"redirector.gvt1.com",
"Names: cb=loaded_h_0&sei=7xhUabPOD4LmwN4P57CMuQc",
"microsoft-falcon.net",
"hattchett.ddns.net",
"Office Open XML Spreadsheet: jnlwore.exe \u2022 Office Open: XML Spreadsheet \u2022 logs.xlsx",
"XML: sharedStrings.xml \u2022Text: blacklist-6649dcf91af1d.csv",
"https://www.virustotal.com/gui/file/de41f4d690511126ce2b8b5df3c0ffdde792df495ea6bb9fe2fec5f8b175e408/summary",
"x-hallmonitor-challenge CgwI-LPQygYQwp6yigISBGuywgs",
"https://www.google.com/sorry/index \u2022 http://g.co/p3p...-> g.co",
"https://7849f20f.open.convertkit-mail2.com/68une4gx9xi8h50394ziohpe59okkh9hdg44x",
"Microsoft Corporation: FileVersion: 1.0.0.155 Microsoft Corporation Legal Trademark: Mira Malware",
"Yara Detections SUSP_Imphash_Mar23_2",
"https://otx.alienvault.com/indicator/hostname/mx-in-ma.apple.com",
"userlocation-prod.ingress.kors.microsoft-falcon.net ->",
"\u4e3b\u9875\uff0c\u6574\u4e2a\u4e16\u754c X + < \u2192 C \u2022 hao.360.com/?src=lm&ls=n6abbbb598c ->",
"To get future Google Chrome updates, you'll need"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Trojan:Win32/Mira",
"display_name": "Trojan:Win32/Mira",
"target": "/malware/Trojan:Win32/Mira"
},
{
"id": "Upatre",
"display_name": "Upatre",
"target": null
},
{
"id": "Mydoom Checkin",
"display_name": "Mydoom Checkin",
"target": null
}
],
"attack_ids": [
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1608.004",
"name": "Drive-by Target",
"display_name": "T1608.004 - Drive-by Target"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1048.001",
"name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol",
"display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1939,
"hostname": 1205,
"URL": 3310,
"domain": 432,
"FileHash-MD5": 396,
"CIDR": 3,
"email": 16,
"FileHash-SHA1": 373,
"SSLCertFingerprint": 13,
"CVE": 1
},
"indicator_count": 7688,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "121 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66538f4db3a8cf5fb35edbd7",
"name": "IOCs sampled w. Any[.]runs sandbox from 'logging into my UAlberta account'",
"description": "UAlberta - IOCs sampled from Any[.]Runs VM Sandbox to extract IOCs from the act of 'logging into my U of A Gmail Account' (Rogue), further analysis conducted on pcap file.\n\n-05.26.24: Need to upload pcap file IOCs (Done & Retested on 06.04.24)\n\n-CVE 2016-0101, CVE 2004-0932",
"modified": "2025-10-16T15:04:01.169000",
"created": "2024-05-26T19:36:45.007000",
"tags": [
"please",
"javascript",
"relaystatehttps",
"UAlberta"
],
"references": [
"https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e/iocs",
"https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e/graph",
"https://www.virustotal.com/gui/collection/7282647dbf53915db766e8afd03c485ab3596962670c15c427206ce174ca78f0/iocs",
"hxxps://tria[.]ge/240604-tnwvzsce3s",
"hxxps://viz[.]greynoise[.]io/analysis/02c0537c-d5b6-4881-bdde-9ed84a978cfe",
"Report ID: ca0154b1-39cc-44f5-9f54-a669132dff60",
"hxxps://lab[.]dynamite[.]ai/pcaps/ae3b422f-4d10-4ebc-bf35-5e19d0aaae75",
"hxxps://app[.]any[.]run/tasks/60a27c5e-ddd3-44d8-a4af-a5f90cdd4660",
"https://www.virustotal.com/graph/embed/g1283d60e0d064912af05e1ed528df7b7d1af3298065040ce9863afbea677becd?theme=dark",
"hxxps://viz.greynoise.io/analysis/0ec05e79-be67-4f45-82c4-96ca96aa007c",
"https://urlscan.io/user/submit/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 29,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 128,
"FileHash-MD5": 12,
"FileHash-SHA1": 12,
"FileHash-SHA256": 635,
"URL": 250,
"hostname": 235,
"CIDR": 27
},
"indicator_count": 1299,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 132,
"modified_text": "226 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68bbf3e40e3ce8a74aa89545",
"name": "HCPF \u2022 The intricate relationships between the FIN7 group and members of the Conti gang",
"description": "",
"modified": "2025-10-06T08:03:23.285000",
"created": "2025-09-06T08:42:12.787000",
"tags": [
"present feb",
"united",
"a domains",
"present dec",
"passive dns",
"moved",
"script domains",
"script urls",
"search",
"title",
"date",
"http traffic",
"http get",
"match info",
"downloads",
"info",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"protocol t1095",
"get http",
"dns resolutions",
"number",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"corporation cus",
"algorithm",
"cnamazon rsa",
"m03 oamazon",
"thumbprint",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"ascii text",
"ogoogle trust",
"cngts ca",
"execution",
"next",
"dock",
"write",
"capture",
"persistence",
"malware",
"roboto",
"android",
"known exploited",
"google",
"salesloft drift",
"sap s4hana",
"cve202542957",
"cisa",
"sitecore",
"linux",
"france",
"meta",
"rokrat",
"lizar",
"project nemesis",
"carbanak",
"cobalt strike",
"domino",
"yara detections",
"contacted",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"malicious ids",
"detections tls",
"indicator role",
"title added",
"active related",
"entries",
"role title",
"added active",
"filehashmd5",
"ipv4"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Lizar",
"display_name": "Lizar",
"target": null
},
{
"id": "Project Nemesis",
"display_name": "Project Nemesis",
"target": null
},
{
"id": "Carbanak",
"display_name": "Carbanak",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Domino",
"display_name": "Domino",
"target": null
},
{
"id": "RokRAT",
"display_name": "RokRAT",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
}
],
"industries": [
"Hospitality",
"Financial"
],
"TLP": "green",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 539,
"FileHash-SHA1": 389,
"FileHash-SHA256": 3386,
"domain": 862,
"hostname": 1155,
"URL": 4091,
"CVE": 3,
"SSLCertFingerprint": 5
},
"indicator_count": 10430,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "237 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68aff672de7f1b65a97c00b1",
"name": "WarzoneRAT impacts Social Media of users with compromised systems",
"description": "Injection affects compromised user/s social media accounts including YouTube. Uploads to social media accounts from infected systems divert to adversary\u2019s alt YouTube media center labeled \u2018watch\u2019 instead of YouTube . Remote access observed. Threat actor has full access , cnc , devices, personal information, images, contacts, network, private information including all financial information. \n \nAlt / adversarial Pinterest, Tumblr, YouTube, Facebook, Twitter / X, Instagram , LinkedIn",
"modified": "2025-09-27T05:00:09.125000",
"created": "2025-08-28T06:25:54.794000",
"tags": [
"d10927",
"mp41",
"mp41 connection",
"r connection",
"ip address",
"dynamicloader",
"write c",
"globalc",
"medium",
"high",
"write",
"dll read",
"trojan",
"delphi",
"win32",
"dialer",
"tracking",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"defense evasion",
"spawns",
"t1590 gather",
"mitre att",
"ck matrix",
"null",
"click",
"title",
"span",
"meta",
"general",
"local",
"path",
"strings",
"refresh",
"tools",
"virgin islands",
"united",
"unknown ns",
"a domains",
"montserrat",
"passive dns",
"ipv4",
"urls",
"files",
"hosting",
"trojandropper",
"location virgin",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"item",
"has description",
"unknown",
"explorer",
"error",
"powershell",
"yara rule",
"windows",
"t1055",
"warzonerat",
"avemaria",
"virtool",
"netwire",
"malware",
"hostile",
"autoit",
"defender",
"date",
"bq aug",
"next associated",
"ipv4 add",
"resolved ips",
"get http",
"request",
"win64",
"khtml",
"gecko",
"resolutions",
"number",
"ja3s",
"algorithm",
"cnr12 cus",
"cname",
"accept",
"port",
"gmt ifnonematch",
"screenshots no",
"involved dns",
"name response",
"nxdomain",
"tcp connections",
"involved direct",
"country name",
"moved",
"alone email",
"body doctype",
"gmt server",
"content type",
"service privacy",
"cve"
],
"references": [
"http://remote.edikamin.com/",
"http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C",
"http://deposito.hostance.net/dialer/",
"Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT",
"Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net",
"DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net",
"Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1",
"simswap.in (possible Mirai or relationship to)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Virgin Islands, British"
],
"malware_families": [
{
"id": "Trojan:Win32/Diamin.F",
"display_name": "Trojan:Win32/Diamin.F",
"target": "/malware/Trojan:Win32/Diamin.F"
},
{
"id": "Dialer",
"display_name": "Dialer",
"target": null
},
{
"id": "Win32:CabMod\\ [Drp]",
"display_name": "Win32:CabMod\\ [Drp]",
"target": null
},
{
"id": "TrojanDropper:Win32/Hupigon.gen!A",
"display_name": "TrojanDropper:Win32/Hupigon.gen!A",
"target": "/malware/TrojanDropper:Win32/Hupigon.gen!A"
},
{
"id": "ALF:HeraklezEval:PUA:Win32/Keygen",
"display_name": "ALF:HeraklezEval:PUA:Win32/Keygen",
"target": null
},
{
"id": "Trojan:Win32/Startpage.AEA",
"display_name": "Trojan:Win32/Startpage.AEA",
"target": "/malware/Trojan:Win32/Startpage.AEA"
},
{
"id": "Banload",
"display_name": "Banload",
"target": null
},
{
"id": "TrojanDownloader:Win32/Banload.D",
"display_name": "TrojanDownloader:Win32/Banload.D",
"target": "/malware/TrojanDownloader:Win32/Banload.D"
},
{
"id": "Win32:Evo-gen",
"display_name": "Win32:Evo-gen",
"target": null
},
{
"id": "!#AddsCopy-ToStartup",
"display_name": "!#AddsCopy-ToStartup",
"target": null
},
{
"id": "VirTool:Win32/AutInject.CZ!bit",
"display_name": "VirTool:Win32/AutInject.CZ!bit",
"target": "/malware/VirTool:Win32/AutInject.CZ!bit"
},
{
"id": "Win.Trojan.Agent-316098",
"display_name": "Win.Trojan.Agent-316098",
"target": null
},
{
"id": "virtool:Win32/Injector.gen!BQ",
"display_name": "virtool:Win32/Injector.gen!BQ",
"target": "/malware/virtool:Win32/Injector.gen!BQ"
},
{
"id": "WarzoneRAT - S0670",
"display_name": "WarzoneRAT - S0670",
"target": null
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
}
],
"industries": [
"Technology",
"Telecommunications",
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 34,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4194,
"hostname": 1563,
"FileHash-SHA256": 2494,
"domain": 624,
"FileHash-MD5": 274,
"FileHash-SHA1": 226,
"email": 1,
"CVE": 1
},
"indicator_count": 9377,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "246 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68451577ada8bb0aa0834edb",
"name": "X - Business Social Media Account used to attack victim",
"description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.",
"modified": "2025-07-08T04:03:04.386000",
"created": "2025-06-08T04:45:43.423000",
"tags": [
"trojan",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"upxoepplace",
"pulses none",
"related tags",
"none file",
"markus",
"april",
"win32",
"copy",
"usvwu",
"usvw",
"high",
"medium",
"show",
"uss c",
"binary file",
"yara",
"write",
"delphi",
"enigma",
"present mar",
"aaaa",
"united",
"passive dns",
"date",
"present nov",
"moved",
"urls",
"creation date",
"entries",
"body",
"trojandropper",
"susp",
"msr jul",
"next associated",
"pulse pulses",
"mtb jun",
"backdoor",
"content length",
"html document",
"ascii text",
"search",
"internalname",
"entries pe",
"showing",
"filehash",
"md5 add",
"av detections",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"pattern match",
"size",
"encrypt",
"june",
"hybrid",
"local",
"path",
"click",
"twitter",
"strings",
"url https",
"url http",
"report spam",
"created",
"hours ago",
"bad actor",
"ck ids",
"t1057",
"discovery",
"t1071",
"amer",
"ipv4",
"indicator role",
"title added",
"active related",
"pulses",
"china",
"hong kong",
"russia",
"type indicator",
"role title",
"added active",
"related pulses",
"pulses url",
"filehashsha256",
"url add",
"http",
"ip address",
"related nids",
"files location",
"flag united",
"domain",
"hostname",
"next",
"filehashmd5",
"protocol",
"t1105",
"tool transfer",
"t1480"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 637,
"FileHash-SHA1": 639,
"FileHash-SHA256": 5380,
"domain": 676,
"hostname": 1120,
"URL": 1031,
"SSLCertFingerprint": 4
},
"indicator_count": 9487,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "327 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "679bdc31d9d93849b69ad652",
"name": "Google Pixel Sample 2 - 01.30.25 (unenriched)",
"description": "Google Pixel Device (Telus ISP, Protected by Norton/Lifelock)\nIOCs collected from Bitdefender Gravity Zone\n\nMight need to edit this pulse later - I think some things were imported from not just sample Pixel Device, but Sample iOS Device too (Either way IOCs from Gravity Zone from Both Devices - 'apps' would just be missing from iOS Device) - will edit later",
"modified": "2025-03-01T20:02:53.112000",
"created": "2025-01-30T20:08:17.972000",
"tags": [
"silent alert",
"pending",
"access",
"site blocked",
"host site",
"unknown",
"pdf file",
"initial access",
"persistence",
"collection",
"impact",
"execution",
"music",
"service",
"pass",
"Google",
"Pixel",
"Gravityzone",
"Apple",
"Telus",
"Norton"
],
"references": [
"https://www.virustotal.com/gui/collection/7abd6a8d54244cffa20cac97fbc790ac3fb01a5f369ce53430fa1ace25d48589/iocs",
"https://www.virustotal.com/graph/embed/g0ebb8822924a4f37914ac37300f822217aa6d1d68c5346ac9daa51110b89ed43?theme=dark",
"https://www.virustotal.com/gui/collection/7abd6a8d54244cffa20cac97fbc790ac3fb01a5f369ce53430fa1ace25d48589/summary"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Technology",
"Government",
"Healthcare",
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 207,
"FileHash-SHA1": 31,
"FileHash-SHA256": 563,
"email": 2,
"hostname": 201,
"URL": 4604,
"domain": 92
},
"indicator_count": 5700,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 130,
"modified_text": "455 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65f3e394bcf868816a29c2dc",
"name": "Google Pixel 7a Devices - Telus ISP devices 'protected' by Norton",
"description": "Exactly as above. I mean, out of all of the phones these ones make phonecalls (most of the time can send & receive calls). Can be a little tricky. Incomplete - it be doing it's own thing downloading/uploading stuff and heading down the 'way all the other phones went' route.",
"modified": "2024-11-02T15:05:54.240000",
"created": "2024-03-15T05:58:44.839000",
"tags": [
"ISP",
"Google",
"Telus",
"Norton",
"Pixel"
],
"references": [
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs",
"https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark",
"https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark",
"https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark",
"https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark",
"https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark",
"https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph",
"",
"https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details",
"https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network",
"http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada",
"United States of America"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Telecommunications",
"Technology",
"Government"
],
"TLP": "green",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 3,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1231,
"FileHash-SHA1": 1215,
"FileHash-SHA256": 99653,
"URL": 158638,
"domain": 49468,
"hostname": 77233,
"email": 6,
"CIDR": 5450,
"CVE": 55
},
"indicator_count": 392949,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 132,
"modified_text": "574 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "660b176a98b0c92ba5a962bc",
"name": "\"No Problems\" - UAlberta TLD (Confirmed TLD - 08.04.24) & Subdomain compromise",
"description": "Basically the above\n\n\"No Problems\", \"We are Unhackable\", etc. etc. causing problems.",
"modified": "2024-09-04T05:01:56.993000",
"created": "2024-04-01T20:22:02.851000",
"tags": [
"BEC"
],
"references": [
"https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary",
"https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs",
"https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark",
"https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark",
"https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95",
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore",
"https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom",
"https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada",
"United States of America",
"Netherlands"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Technology",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 233,
"FileHash-SHA1": 230,
"FileHash-SHA256": 6703,
"URL": 4450,
"CIDR": 3,
"domain": 6223,
"hostname": 2863,
"email": 7,
"CVE": 53
},
"indicator_count": 20765,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 130,
"modified_text": "634 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "remail.com",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "remail.com",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1780237497.4118037
}