{ "type": "Domain", "indicator": "thingspeak.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/thingspeak.com", "alexa": "http://www.alexa.com/siteinfo/thingspeak.com", "indicator": "thingspeak.com", "type": "domain", "type_title": "Domain", "validation": [ { "source": "majestic", "message": "Whitelisted domain thingspeak.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3857453562, "indicator": "thingspeak.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "690a2c38de1708af54217faa", "name": "Access Token used to steal security credentials & hack and ride DND of targeted individuals", "description": "- https://shift.gearboxsoftware.com/link\n- Found embedded in targets phone.\n\nAccess Token used to steal security credentials & hack and ride DND of targeted individuals device. \nTAM Legal \u2022 Tulach \u2022 Hall Render \u2022 Quasi Government | Some type of Foundry user account found. \n\nStop illegally \n stalking, harassment, attempts, hacking, death threats. . Because the Colorado government allowing entities like this to operate without any type of rules, oversight or boundaries \nMILLION$ were wasted in your own fraud, waste in abuse scheme. AT&T , CrowdStrike , United Healthcare , UC Healthcare, Intermountain Health, T-Mobile, Amazon East, the Colorado Government itself, Medicare and Medicaid. For what? You have zero talent so you take it from those who do. You have nothing coming to you so you steal it from those who do. Is this somehow legal? \n#contacted #all_hosts backdoor #ransomware #cve #usa #american_terrorists #workers_compenstation_abuse #silencing #targeting #hitmen #illegal #malvertizing #aws_dns", "modified": "2025-12-04T15:01:02.531000", "created": "2025-11-04T16:39:20.035000", "tags": [ "present aug", "moved", "encrypt", "present jul", "passive dns", "ipv4 add", "reverse dns", "united states", "present may", "ip address", "gmt content", "ipv4", "all ipv4", "america", "united", "present oct", "name servers", "redacted for", "emails", "for privacy", "unknown ns", "unknown aaaa", "dynamicloader", "focus region", "unicode text", "utf16", "ms windows", "bokeh onlycanon", "zeiss jena", "mcsonnar", "high", "win64", "stream", "write", "smartassembly", "trailer", "next", "search", "medium", "as15169", "write c", "reads", "team", "malware", "local", "yara detections", "delphi", "strings", "dcom", "form", "trojandropper", "mtb nov", "backdoor", "otx telemetry", "trojan", "type", "data upload", "extraction", "ol rop", "hash avast", "avg clamav", "msdefender nov", "win32upatre nov", "win32berbew nov", "dynamic", "pe section", "error", "close", "status", "urls", "expiration date", "hostname", "url analysis", "yara rule", "show", "binary file", "wine emulator", "mtb oct", "files", "denmark asn", "as32934", "candyopen", "possible", "smoke loader", "trojanspy", "filehash", "pulses otx", "related tags", "file type", "no analysis", "available", "api key", "screenshots", "present nov", "aaaa", "mtb may", "mexico", "hostname add", "registrar", "domain add", "location united", "email add", "none related", "domains", "email domain", "service", "domain", "america flag", "body", "title", "aws dns", "next associated", "risepro", "guard", "v full", "reports v", "t1059 shared", "modules", "t1129 system", "t1569", "help v", "t1179 boot", "logon autost", "encoding", "packing f0001", "hidden files", "e1203 windows", "file attributes", "registry value", "catalog tree", "analysis ob0001", "evasion b0003", "virtual machine", "ip traffic", "memory pattern", "pattern urls", "tls sni", "get https", "post https", "named pipe", "delete c", "radar", "defender", "format", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "country", "contacted hosts", "process details", "flag", "globalc", "intel", "win32", "worm", "path", "explorer", "script", "href", "external", "html content", "tulach", "hallrender", "tam legal", "brian sabey", "christopher ahmann", "apple", "msie", "chrome", "ascio", "creation date", "date", "germany unknown", "germany asn", "files ip", "address", "asn as24940", "less", "script urls", "a domains", "prox", "dennis schrder", "meta", "apache", "99u25f.exe", "entries", "as24940 hetzner", "dns resolutions", "status code", "body length", "kb body", "software/ hardware", "external-resources", "password-input", "overview", "colorado" ], "references": [ "https://shift.gearboxsoftware.com/link", "https://tulach.cc/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com", "x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe", "https://www.turbo.net/run/videolan/vlc", "http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/", "Overview \"Keeping money\" by the Colorado workers' compensation system can refer to", "legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal", "counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before ." ], "public": 1, "adversary": "Colorado Quasi Government | Workerk Compensation", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9878032-0", "display_name": "Win.Trojan.Generic-9878032-0", "target": null }, { "id": "Win.Trojan.Starter-171", "display_name": "Win.Trojan.Starter-171", "target": null }, { "id": "GravityRAT", "display_name": "GravityRAT", "target": null }, { "id": "Backdoor:Win32/Berbew.AA!MTB", "display_name": "Backdoor:Win32/Berbew.AA!MTB", "target": "/malware/Backdoor:Win32/Berbew.AA!MTB" }, { "id": "Trojan:MSIL/AgentTesla.DW!MTB", "display_name": "Trojan:MSIL/AgentTesla.DW!MTB", "target": "/malware/Trojan:MSIL/AgentTesla.DW!MTB" }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Trojandropper:Win32/VB.IL", "display_name": "Trojandropper:Win32/VB.IL", "target": "/malware/Trojandropper:Win32/VB.IL" }, { "id": "Nemucod", "display_name": "Nemucod", "target": null }, { "id": "Berbew", "display_name": "Berbew", "target": null }, { "id": "PWS:Win32/Zbot.MS!MTB", "display_name": "PWS:Win32/Zbot.MS!MTB", "target": "/malware/PWS:Win32/Zbot.MS!MTB" }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Exploit.Rozena-10038302-0", "display_name": "Win.Exploit.Rozena-10038302-0", "target": null }, { "id": "Zombie", "display_name": "Zombie", "target": null }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "Muldrop", "display_name": "Muldrop", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Dorv", "display_name": "Dorv", "target": null }, { "id": "Win.Malware.Pits-10035540-0", "display_name": "Win.Malware.Pits-10035540-0", "target": null }, { "id": "Win.Ransomware.Msilzilla-10014498-0", "display_name": "Win.Ransomware.Msilzilla-10014498-0", "target": null }, { "id": "CVE-2023-4966", "display_name": "CVE-2023-4966", "target": null }, { "id": "Exploit:Linux/CVE-2017-17215", "display_name": "Exploit:Linux/CVE-2017-17215", "target": "/malware/Exploit:Linux/CVE-2017-17215" }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6051, "hostname": 2627, "FileHash-MD5": 401, "FileHash-SHA1": 257, "email": 11, "domain": 1838, "FileHash-SHA256": 1742, "CVE": 4, "SSLCertFingerprint": 3 }, "indicator_count": 12934, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "137 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f55ed2015e05ffbc2b72a8", "name": "Control Server | Browser Install| Kernel Modules and Extensions", "description": "", "modified": "2024-04-15T08:03:32.381000", "created": "2024-03-16T08:56:50.387000", "tags": [ "hostname", "sort", "domain", "type", "hostname c", "all octoseek", "groups", "search filter", "time", "x show", "indicator type", "cidr", "for privacy", "unknown", "united", "link", "search", "servers", "strapi app", "passive dns", "urls", "date", "body", "meta", "span", "next", "octoseek", "url https", "url http", "role title", "added active", "execution", "ssl certificate", "whois record", "contacted", "pe resource", "bundled", "historical ssl", "referrer", "communicating", "collections", "status", "emails", "creation date", "record value", "expiration date", "showing", "threat analyzer", "threat", "iocs", "hostnames", "urls https", "samples", "firehol", "proxy", "detection list", "ip address", "blacklist", "malicious url", "anonymizer", "botnet command", "malware", "generic malware", "count blacklist", "no data", "tag count", "detection", "count", "generic", "blacklist http", "cisco umbrella", "site", "heur", "safe site", "malware site", "alexa top", "million", "filerepmetagen", "filerepmalware", "artemis", "presenoker", "unsafe", "riskware", "crack", "opencandy", "downloader", "coinminer", "installpack", "agent", "fusioncore", "conduit", "wacatac", "zbot", "cl0p", "maltiverse", "trojanspy", "engb", "emotet", "cyberwar", "ursnif", "attack", "hacktool", "ransomexx", "startpage", "bitrat", "ryuk", "agent tesla", "stealer", "critical", "copy", "evilnum", "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json sample", "malicious site", "phishing site", "iframe", "domaiq", "alexa", "downldr", "phishing", "cyber threat", "control server", "team", "installcore", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "bank", "name verdict", "falcon sandbox", "reports", "falcon", "traffic et", "policy windows", "update p2p", "activity", "windir", "mitre att", "ck id", "show technique", "ck matrix", "hybrid", "general", "path", "click", "strings", "contact", "paste", "win32", "gmt content", "scan endpoints", "ipv4", "pulse pulses", "files", "accept", "date hash", "avast avg", "entries", "as15169 google", "aaaa", "ireland unknown", "germany unknown", "as43350 nforce" ], "references": [ "https://api.wavebrowserbase.com", "Ransom: message.htm.com", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Ryuk: http://kramtechnology.com/", "Ryuk: kramtechnology.com", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Botnet Server IP: 141.226.230.48", "newrelic.se" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9838, "domain": 2085, "hostname": 3006, "FileHash-SHA256": 3685, "FileHash-MD5": 965, "FileHash-SHA1": 532, "email": 6, "CVE": 7 }, "indicator_count": 20124, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "735 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f980471600645142bcd924", "name": "Control Server | Browser Install| Kernel Modules and Extensions ", "description": "", "modified": "2024-04-15T08:03:32.381000", "created": "2024-03-19T12:08:39.100000", "tags": [ "hostname", "sort", "domain", "type", "hostname c", "all octoseek", "groups", "search filter", "time", "x show", "indicator type", "cidr", "for privacy", "unknown", "united", "link", "search", "servers", "strapi app", "passive dns", "urls", "date", "body", "meta", "span", "next", "octoseek", "url https", "url http", "role title", "added active", "execution", "ssl certificate", "whois record", "contacted", "pe resource", "bundled", "historical ssl", "referrer", "communicating", "collections", "status", "emails", "creation date", "record value", "expiration date", "showing", "threat analyzer", "threat", "iocs", "hostnames", "urls https", "samples", "firehol", "proxy", "detection list", "ip address", "blacklist", "malicious url", "anonymizer", "botnet command", "malware", "generic malware", "count blacklist", "no data", "tag count", "detection", "count", "generic", "blacklist http", "cisco umbrella", "site", "heur", "safe site", "malware site", "alexa top", "million", "filerepmetagen", "filerepmalware", "artemis", "presenoker", "unsafe", "riskware", "crack", "opencandy", "downloader", "coinminer", "installpack", "agent", "fusioncore", "conduit", "wacatac", "zbot", "cl0p", "maltiverse", "trojanspy", "engb", "emotet", "cyberwar", "ursnif", "attack", "hacktool", "ransomexx", "startpage", "bitrat", "ryuk", "agent tesla", "stealer", "critical", "copy", "evilnum", "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json sample", "malicious site", "phishing site", "iframe", "domaiq", "alexa", "downldr", "phishing", "cyber threat", "control server", "team", "installcore", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "bank", "name verdict", "falcon sandbox", "reports", "falcon", "traffic et", "policy windows", "update p2p", "activity", "windir", "mitre att", "ck id", "show technique", "ck matrix", "hybrid", "general", "path", "click", "strings", "contact", "paste", "win32", "gmt content", "scan endpoints", "ipv4", "pulse pulses", "files", "accept", "date hash", "avast avg", "entries", "as15169 google", "aaaa", "ireland unknown", "germany unknown", "as43350 nforce" ], "references": [ "https://api.wavebrowserbase.com", "Ransom: message.htm.com", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Ryuk: http://kramtechnology.com/", "Ryuk: kramtechnology.com", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Botnet Server IP: 141.226.230.48", "newrelic.se" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" } ], "industries": [], "TLP": "green", "cloned_from": "65f55ed2015e05ffbc2b72a8", "export_count": 187223, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9838, "domain": 2085, "hostname": 3006, "FileHash-SHA256": 3685, "FileHash-MD5": 965, "FileHash-SHA1": 532, "email": 6, "CVE": 7 }, "indicator_count": 20124, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "735 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Ryuk: kramtechnology.com", "legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal", "Ransom: message.htm.com", "https://shift.gearboxsoftware.com/link", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://www.turbo.net/run/videolan/vlc", "Botnet Server IP: 141.226.230.48", "https://tulach.cc/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com", "https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "https://api.wavebrowserbase.com", "counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before .", "Overview \"Keeping money\" by the Colorado workers' compensation system can refer to", "newrelic.se", "Ryuk: http://kramtechnology.com/", "x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Colorado Quasi Government | Workerk Compensation" ], "malware_families": [ "Dorv", "Cve-2022-26134", "Maltiverse", "Muldrop", "Win.trojan.starter-171", "Pws:win32/zbot.ms!mtb", "Worm:win32/mofksys.rnd!mtb", "Cve-2023-4966", "Cl0p", "Gravityrat", "Alf:heraklezeval:trojan:msil/gravityrat!rfn", "Win.ransomware.msilzilla-10014498-0", "Trojan:win32/zombie", "Upatre", "Nemucod", "Trojandropper:win32/vb.il", "Win.malware.pits-10035540-0", "Berbew", "Win.trojan.barys-10005825-0", "Backdoor:win32/berbew.aa!mtb", "Exploit:linux/cve-2017-17215", "Generic", "Ransom:win32/cve-2017-0147", "Zombie", "Win.trojan.generic-9878032-0", "Trojan:msil/agenttesla.dw!mtb", "Trojanspy", "Win.exploit.rozena-10038302-0" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "690a2c38de1708af54217faa", "name": "Access Token used to steal security credentials & hack and ride DND of targeted individuals", "description": "- https://shift.gearboxsoftware.com/link\n- Found embedded in targets phone.\n\nAccess Token used to steal security credentials & hack and ride DND of targeted individuals device. \nTAM Legal \u2022 Tulach \u2022 Hall Render \u2022 Quasi Government | Some type of Foundry user account found. \n\nStop illegally \n stalking, harassment, attempts, hacking, death threats. . Because the Colorado government allowing entities like this to operate without any type of rules, oversight or boundaries \nMILLION$ were wasted in your own fraud, waste in abuse scheme. AT&T , CrowdStrike , United Healthcare , UC Healthcare, Intermountain Health, T-Mobile, Amazon East, the Colorado Government itself, Medicare and Medicaid. For what? You have zero talent so you take it from those who do. You have nothing coming to you so you steal it from those who do. Is this somehow legal? \n#contacted #all_hosts backdoor #ransomware #cve #usa #american_terrorists #workers_compenstation_abuse #silencing #targeting #hitmen #illegal #malvertizing #aws_dns", "modified": "2025-12-04T15:01:02.531000", "created": "2025-11-04T16:39:20.035000", "tags": [ "present aug", "moved", "encrypt", "present jul", "passive dns", "ipv4 add", "reverse dns", "united states", "present may", "ip address", "gmt content", "ipv4", "all ipv4", "america", "united", "present oct", "name servers", "redacted for", "emails", "for privacy", "unknown ns", "unknown aaaa", "dynamicloader", "focus region", "unicode text", "utf16", "ms windows", "bokeh onlycanon", "zeiss jena", "mcsonnar", "high", "win64", "stream", "write", "smartassembly", "trailer", "next", "search", "medium", "as15169", "write c", "reads", "team", "malware", "local", "yara detections", "delphi", "strings", "dcom", "form", "trojandropper", "mtb nov", "backdoor", "otx telemetry", "trojan", "type", "data upload", "extraction", "ol rop", "hash avast", "avg clamav", "msdefender nov", "win32upatre nov", "win32berbew nov", "dynamic", "pe section", "error", "close", "status", "urls", "expiration date", "hostname", "url analysis", "yara rule", "show", "binary file", "wine emulator", "mtb oct", "files", "denmark asn", "as32934", "candyopen", "possible", "smoke loader", "trojanspy", "filehash", "pulses otx", "related tags", "file type", "no analysis", "available", "api key", "screenshots", "present nov", "aaaa", "mtb may", "mexico", "hostname add", "registrar", "domain add", "location united", "email add", "none related", "domains", "email domain", "service", "domain", "america flag", "body", "title", "aws dns", "next associated", "risepro", "guard", "v full", "reports v", "t1059 shared", "modules", "t1129 system", "t1569", "help v", "t1179 boot", "logon autost", "encoding", "packing f0001", "hidden files", "e1203 windows", "file attributes", "registry value", "catalog tree", "analysis ob0001", "evasion b0003", "virtual machine", "ip traffic", "memory pattern", "pattern urls", "tls sni", "get https", "post https", "named pipe", "delete c", "radar", "defender", "format", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "country", "contacted hosts", "process details", "flag", "globalc", "intel", "win32", "worm", "path", "explorer", "script", "href", "external", "html content", "tulach", "hallrender", "tam legal", "brian sabey", "christopher ahmann", "apple", "msie", "chrome", "ascio", "creation date", "date", "germany unknown", "germany asn", "files ip", "address", "asn as24940", "less", "script urls", "a domains", "prox", "dennis schrder", "meta", "apache", "99u25f.exe", "entries", "as24940 hetzner", "dns resolutions", "status code", "body length", "kb body", "software/ hardware", "external-resources", "password-input", "overview", "colorado" ], "references": [ "https://shift.gearboxsoftware.com/link", "https://tulach.cc/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 alohatube.xyz \u2022 1001pornvideos.com", "x402.porn \u2022 http://alohatube.xyz/search/tsara-brashears \u2022 \thttps://ufovpn.io/blog/is-eporner-safe", "https://www.turbo.net/run/videolan/vlc", "http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://www.xlabs.com.br/blog/cve-2013-3304-dell-equallogic-directory-traversal/ \u2022 http://cve.phidias.com/", "Overview \"Keeping money\" by the Colorado workers' compensation system can refer to", "legal deductions, legitimate reasons for payment delays or denial, or potential issues that require legal", "counsel. The system does not \"keep\" money without a valid reason.Lies. they\u2019ve Ben in trouble before ." ], "public": 1, "adversary": "Colorado Quasi Government | Workerk Compensation", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Generic-9878032-0", "display_name": "Win.Trojan.Generic-9878032-0", "target": null }, { "id": "Win.Trojan.Starter-171", "display_name": "Win.Trojan.Starter-171", "target": null }, { "id": "GravityRAT", "display_name": "GravityRAT", "target": null }, { "id": "Backdoor:Win32/Berbew.AA!MTB", "display_name": "Backdoor:Win32/Berbew.AA!MTB", "target": "/malware/Backdoor:Win32/Berbew.AA!MTB" }, { "id": "Trojan:MSIL/AgentTesla.DW!MTB", "display_name": "Trojan:MSIL/AgentTesla.DW!MTB", "target": "/malware/Trojan:MSIL/AgentTesla.DW!MTB" }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn", "target": null }, { "id": "Trojandropper:Win32/VB.IL", "display_name": "Trojandropper:Win32/VB.IL", "target": "/malware/Trojandropper:Win32/VB.IL" }, { "id": "Nemucod", "display_name": "Nemucod", "target": null }, { "id": "Berbew", "display_name": "Berbew", "target": null }, { "id": "PWS:Win32/Zbot.MS!MTB", "display_name": "PWS:Win32/Zbot.MS!MTB", "target": "/malware/PWS:Win32/Zbot.MS!MTB" }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Upatre", "display_name": "Upatre", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Exploit.Rozena-10038302-0", "display_name": "Win.Exploit.Rozena-10038302-0", "target": null }, { "id": "Zombie", "display_name": "Zombie", "target": null }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "Muldrop", "display_name": "Muldrop", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Dorv", "display_name": "Dorv", "target": null }, { "id": "Win.Malware.Pits-10035540-0", "display_name": "Win.Malware.Pits-10035540-0", "target": null }, { "id": "Win.Ransomware.Msilzilla-10014498-0", "display_name": "Win.Ransomware.Msilzilla-10014498-0", "target": null }, { "id": "CVE-2023-4966", "display_name": "CVE-2023-4966", "target": null }, { "id": "Exploit:Linux/CVE-2017-17215", "display_name": "Exploit:Linux/CVE-2017-17215", "target": "/malware/Exploit:Linux/CVE-2017-17215" }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6051, "hostname": 2627, "FileHash-MD5": 401, "FileHash-SHA1": 257, "email": 11, "domain": 1838, "FileHash-SHA256": 1742, "CVE": 4, "SSLCertFingerprint": 3 }, "indicator_count": 12934, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "137 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f55ed2015e05ffbc2b72a8", "name": "Control Server | Browser Install| Kernel Modules and Extensions", "description": "", "modified": "2024-04-15T08:03:32.381000", "created": "2024-03-16T08:56:50.387000", "tags": [ "hostname", "sort", "domain", "type", "hostname c", "all octoseek", "groups", "search filter", "time", "x show", "indicator type", "cidr", "for privacy", "unknown", "united", "link", "search", "servers", "strapi app", "passive dns", "urls", "date", "body", "meta", "span", "next", "octoseek", "url https", "url http", "role title", "added active", "execution", "ssl certificate", "whois record", "contacted", "pe resource", "bundled", "historical ssl", "referrer", "communicating", "collections", "status", "emails", "creation date", "record value", "expiration date", "showing", "threat analyzer", "threat", "iocs", "hostnames", "urls https", "samples", "firehol", "proxy", "detection list", "ip address", "blacklist", "malicious url", "anonymizer", "botnet command", "malware", "generic malware", "count blacklist", "no data", "tag count", "detection", "count", "generic", "blacklist http", "cisco umbrella", "site", "heur", "safe site", "malware site", "alexa top", "million", "filerepmetagen", "filerepmalware", "artemis", "presenoker", "unsafe", "riskware", "crack", "opencandy", "downloader", "coinminer", "installpack", "agent", "fusioncore", "conduit", "wacatac", "zbot", "cl0p", "maltiverse", "trojanspy", "engb", "emotet", "cyberwar", "ursnif", "attack", "hacktool", "ransomexx", "startpage", "bitrat", "ryuk", "agent tesla", "stealer", "critical", "copy", "evilnum", "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json sample", "malicious site", "phishing site", "iframe", "domaiq", "alexa", "downldr", "phishing", "cyber threat", "control server", "team", "installcore", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "bank", "name verdict", "falcon sandbox", "reports", "falcon", "traffic et", "policy windows", "update p2p", "activity", "windir", "mitre att", "ck id", "show technique", "ck matrix", "hybrid", "general", "path", "click", "strings", "contact", "paste", "win32", "gmt content", "scan endpoints", "ipv4", "pulse pulses", "files", "accept", "date hash", "avast avg", "entries", "as15169 google", "aaaa", "ireland unknown", "germany unknown", "as43350 nforce" ], "references": [ "https://api.wavebrowserbase.com", "Ransom: message.htm.com", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Ryuk: http://kramtechnology.com/", "Ryuk: kramtechnology.com", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Botnet Server IP: 141.226.230.48", "newrelic.se" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9838, "domain": 2085, "hostname": 3006, "FileHash-SHA256": 3685, "FileHash-MD5": 965, "FileHash-SHA1": 532, "email": 6, "CVE": 7 }, "indicator_count": 20124, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "735 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f980471600645142bcd924", "name": "Control Server | Browser Install| Kernel Modules and Extensions ", "description": "", "modified": "2024-04-15T08:03:32.381000", "created": "2024-03-19T12:08:39.100000", "tags": [ "hostname", "sort", "domain", "type", "hostname c", "all octoseek", "groups", "search filter", "time", "x show", "indicator type", "cidr", "for privacy", "unknown", "united", "link", "search", "servers", "strapi app", "passive dns", "urls", "date", "body", "meta", "span", "next", "octoseek", "url https", "url http", "role title", "added active", "execution", "ssl certificate", "whois record", "contacted", "pe resource", "bundled", "historical ssl", "referrer", "communicating", "collections", "status", "emails", "creation date", "record value", "expiration date", "showing", "threat analyzer", "threat", "iocs", "hostnames", "urls https", "samples", "firehol", "proxy", "detection list", "ip address", "blacklist", "malicious url", "anonymizer", "botnet command", "malware", "generic malware", "count blacklist", "no data", "tag count", "detection", "count", "generic", "blacklist http", "cisco umbrella", "site", "heur", "safe site", "malware site", "alexa top", "million", "filerepmetagen", "filerepmalware", "artemis", "presenoker", "unsafe", "riskware", "crack", "opencandy", "downloader", "coinminer", "installpack", "agent", "fusioncore", "conduit", "wacatac", "zbot", "cl0p", "maltiverse", "trojanspy", "engb", "emotet", "cyberwar", "ursnif", "attack", "hacktool", "ransomexx", "startpage", "bitrat", "ryuk", "agent tesla", "stealer", "critical", "copy", "evilnum", "threat report", "back", "ip summary", "url summary", "summary", "download csv", "download", "json sample", "malicious site", "phishing site", "iframe", "domaiq", "alexa", "downldr", "phishing", "cyber threat", "control server", "team", "installcore", "mirai", "pony", "nanocore", "bradesco", "cobalt strike", "bank", "name verdict", "falcon sandbox", "reports", "falcon", "traffic et", "policy windows", "update p2p", "activity", "windir", "mitre att", "ck id", "show technique", "ck matrix", "hybrid", "general", "path", "click", "strings", "contact", "paste", "win32", "gmt content", "scan endpoints", "ipv4", "pulse pulses", "files", "accept", "date hash", "avast avg", "entries", "as15169 google", "aaaa", "ireland unknown", "germany unknown", "as43350 nforce" ], "references": [ "https://api.wavebrowserbase.com", "Ransom: message.htm.com", "ZBot: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzl0WlhSaGJtOXBZV1pwYm1GdVkybGhiQzVqYjIxY0x6OTFkRzFmYzI5MWNtTmxQV1Z0WVdsc1gzTnBaMjVoZEhWeVpTWmhiWEE3ZFhSdFgyMWxaR2wxYlQxbGJXRnBiQ1poYlhBN2RYUnRYMk5oYlhCaGFXZHVQWEJ5YjIxdmRHbHZiaUlzSW1oaGMyZ2lPaUkwTjFGWlUzZFlTMkYxVDA1dVIxb2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2lhbWx0YlhrdWQyRnNhMlZ5UUdGc2JITjBZWFJsTG1OdmJTSjk9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOXRaWFJoYm05cFlX", "Ryuk: https://brain.snappykraken.com/api/v1/events-recorder/clicked?clicked=eyJxdWVyeV9zdHJpbmciOiJkako3SW5WeWJDSTZJbWgwZEhCek9sd3ZYQzkzZDNjdWEybHdiR2x1WjJWeUxtTnZiVnd2WldOdmJtOXRhV010Wm05eVpXTmhjM1J6WEM5cGJuUmxjbVZ6ZEMxeVlYUmxjeUlzSW1oaGMyZ2lPaUpzYmtJMWFUSjJkbmRvU21GQ1RuZ2lMQ0pqYjI1MFlXTjBYMlZ0WVdsc0lqb2liV052ZUVCdGIzSnlhWE56WlhsbGJtZHBibVZsY21sdVp5NWpiMjBpZlE9IiwicmVxdWVzdF9kYXRhIjp7ImRqSjdJblZ5YkNJNkltaDBkSEJ6T2x3dlhDOTNkM2N1YTJsd2JHbHVaMlZ5TG1OdmJWd3ZaV052Ym05dGFXTXRabTl5WldOaGMzUnpYQzlwYm5SbGNtVnpkQzF5", "Ryuk: http://kramtechnology.com/", "Ryuk: kramtechnology.com", "Pony: https://allspice.ordavida.com/api/mailings/opened/PMRGSZBCHIYTMNZQGYWCE33SM4RDUIRZGQZDONDBGIZC2MBXMM2S2NBYMM2S2YTEHE3C2MJZGI4DSOBYHAYTGNRZEIWCE5TFOJZWS33OEI5CENBCFQRHG2LHEI5CEYSPONYXS4RRGFBUIY3DKRIHSSRRK44WSY3FNM4ESVTJKZMHOWRTJBLXIYLIHFRWS3DUKU6SE7I=.gif", "Botnet Server IP: 141.226.230.48", "newrelic.se" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1547.006", "name": "Kernel Modules and Extensions", "display_name": "T1547.006 - Kernel Modules and Extensions" } ], "industries": [], "TLP": "green", "cloned_from": "65f55ed2015e05ffbc2b72a8", "export_count": 187223, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9838, "domain": 2085, "hostname": 3006, "FileHash-SHA256": 3685, "FileHash-MD5": 965, "FileHash-SHA1": 532, "email": 6, "CVE": 7 }, "indicator_count": 20124, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "735 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "thingspeak.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "thingspeak.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776718229.8980622 }