{ "type": "Domain", "indicator": "thirdgenerationtitle.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/thirdgenerationtitle.com", "alexa": "http://www.alexa.com/siteinfo/thirdgenerationtitle.com", "indicator": "thirdgenerationtitle.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3735793131, "indicator": "thirdgenerationtitle.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "6846331d1a2e3e23e0586bca", "name": "AS401120 cheapy_host LLC", "description": "", "modified": "2026-02-05T02:13:45.169000", "created": "2025-06-09T01:04:29.847000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3866, "domain": 7798, "hostname": 1420, "FileHash-SHA256": 272, "CVE": 2 }, "indicator_count": 13358, "is_author": false, "is_subscribing": null, "subscriber_count": 177, "modified_text": "73 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "663d2869e0f3a42bbddc42ff", "name": "UPX executable packer.", "description": "A new rule has been introduced a \"suspicious\" ELF binary that is packed with the UPX executable packer.\nSuggested ATT&CK IDs: rule SUSP_ELF_LNX_UPX_Compressed_File { meta: description = \"Detects a suspicious ELF binary with UPX compression\" author = \"Florian Roth (Nextron Systems)\" reference = \"Internal Research\" date = \"2018-12-12\" score = 40 hash1 = \"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4\" id = \"078937de-59b3-538e-a5c3-57f4e6050212\" strings: $s1 = \"PROT_EXEC|PROT_WRITE failed.\" fullword ascii $s2 = \"$Id: UPX\" fullword ascii $s3 = \"$Info: This file is packed with the UPX executable packer\" ascii $fp1 = \"check your UCL installation !\"", "modified": "2024-10-14T00:01:17.069000", "created": "2024-05-09T19:47:53.786000", "tags": [ "cioch adrian", "centrum usug", "sieciowych", "elf binary", "upx compression", "roth", "nextron", "info", "javascript", "html", "office open", "xml document", "network capture", "win32 exe", "xml pakietu", "pdf zestawy", "przechwytywanie", "office", "filehashsha1", "url https", "cve cve20201070", "cve cve20203153", "cve cve20201048", "cve cve20211732", "cve20201048 apr", "filehashmd5", "cve cve20010901", "cve cve20021841", "cve20153202 apr", "cve cve20160728", "cve cve20161807", "cve cve20175123", "cve20185407 apr", "cve cve20054605", "cve cve20060745", "cve cve20070452", "cve cve20070453", "cve cve20070454", "cve cve20071355", "cve cve20071358", "cve cve20071871", "cve20149614 apr", "cve cve20151503", "cve cve20152080", "cve cve20157377", "cve cve20170131", "cve20200796 may", "cve cve20113403" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6861, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5771, "domain": 3139, "URL": 14525, "FileHash-SHA1": 2610, "IPv4": 108, "CIDR": 40, "FileHash-SHA256": 10705, "FileHash-MD5": 3373, "YARA": 2, "CVE": 148, "Mutex": 7, "FilePath": 3, "SSLCertFingerprint": 3, "email": 23, "JA3": 1, "IPv6": 2 }, "indicator_count": 40460, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "552 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d053a935bf99f5263deb57", "name": "History Killer Pro Injection deleting virustotal & otx.alienvault Pulses", "description": "History killer pro, is being used to delete and modify virustotal nodes and 41 otx.alienvault pulses. Junk data is being used to fill in missing pulses.\nTargeted: 1 callmeDoris several scoreblue (sometimes I clone pulses) Octoseek. \npulses.\nHallrender, Metro by T-Mobile, https://myaccount.uscis.gov/, Esurance, 40 pule reports are regarding Tsara Brashears cyber bully campaign which attacked the corporates mentioned except 2 AIG and Hallrender attackers. 100's of other modifications, deletions by another tool affecting several users.", "modified": "2024-03-18T04:01:27.756000", "created": "2024-02-17T06:35:21.666000", "tags": [ "contacted", "execution", "january", "september", "whois record", "resolutions", "communicating", "roundup", "highly targeted", "phishing", "quasar", "malware", "open", "threat roundup", "referrer", "remote", "kimsuky", "passive dns", "urls", "dive domains", "creation date", "search", "record value", "date", "united", "scan endpoints", "all scoreblue", "unknown", "body", "brian sabey", "hall render", "reinsurance", "state", "danger", "threat", "critical", "crypthashdata", "read c", "tcmiheijkmutcix", "entries", "show", "t1055", "intel", "ms windows", "delphi", "win32", "copy", "write", "injection", "zusy", "neojit", "cyber stalking", "worker", "inject", "illegal", "tampering", "hijacker", "delete", "ret hat", "stalker", "shadow", "quasi" ], "references": [ "www.historykillerpro.com", "https://otx.alienvault.com/indicator/hostname/ww25.historykillerpro.com", "http://sniper.debugger.ru", "Remote sharing: https://otx.alienvault.com/otxapi/indicators/file/screenshot/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "Inject & attack: https://otx.alienvault.com/indicator/file/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "M. Brian Sabey Hall Render , Denver, Co | Frankfurt, Germany" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Variant.Zusy.572 Checkin", "display_name": "Variant.Zusy.572 Checkin", "target": null }, { "id": "TrojanDownloader:Win32/Neojit.A", "display_name": "TrojanDownloader:Win32/Neojit.A", "target": "/malware/TrojanDownloader:Win32/Neojit.A" }, { "id": "Win32:Delf-SES\\ [Trj]", "display_name": "Win32:Delf-SES\\ [Trj]", "target": null }, { "id": "Win.Trojan.Agent-1372316", "display_name": "Win.Trojan.Agent-1372316", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1915, "FileHash-MD5": 437, "FileHash-SHA1": 435, "FileHash-SHA256": 3054, "domain": 987, "URL": 5902, "email": 1, "CVE": 1 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "762 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d0a9c7f1b04296d9b0d803", "name": "History Killer Pro Injection deleting VirusTotal & OTX.AlienVault Pulses", "description": "", "modified": "2024-03-18T04:01:27.756000", "created": "2024-02-17T12:42:47.334000", "tags": [ "contacted", "execution", "january", "september", "whois record", "resolutions", "communicating", "roundup", "highly targeted", "phishing", "quasar", "malware", "open", "threat roundup", "referrer", "remote", "kimsuky", "passive dns", "urls", "dive domains", "creation date", "search", "record value", "date", "united", "scan endpoints", "all scoreblue", "unknown", "body", "brian sabey", "hall render", "reinsurance", "state", "danger", "threat", "critical", "crypthashdata", "read c", "tcmiheijkmutcix", "entries", "show", "t1055", "intel", "ms windows", "delphi", "win32", "copy", "write", "injection", "zusy", "neojit", "cyber stalking", "worker", "inject", "illegal", "tampering", "hijacker", "delete", "ret hat", "stalker", "shadow", "quasi" ], "references": [ "www.historykillerpro.com", "https://otx.alienvault.com/indicator/hostname/ww25.historykillerpro.com", "http://sniper.debugger.ru", "Remote sharing: https://otx.alienvault.com/otxapi/indicators/file/screenshot/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "Inject & attack: https://otx.alienvault.com/indicator/file/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "M. Brian Sabey Hall Render , Denver, Co | Frankfurt, Germany" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Variant.Zusy.572 Checkin", "display_name": "Variant.Zusy.572 Checkin", "target": null }, { "id": "TrojanDownloader:Win32/Neojit.A", "display_name": "TrojanDownloader:Win32/Neojit.A", "target": "/malware/TrojanDownloader:Win32/Neojit.A" }, { "id": "Win32:Delf-SES\\ [Trj]", "display_name": "Win32:Delf-SES\\ [Trj]", "target": null }, { "id": "Win.Trojan.Agent-1372316", "display_name": "Win.Trojan.Agent-1372316", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65d053a935bf99f5263deb57", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1915, "FileHash-MD5": 437, "FileHash-SHA1": 435, "FileHash-SHA256": 3054, "domain": 987, "URL": 5902, "email": 1, "CVE": 1 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "762 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658dd276d03bca9b7a93b724", "name": "Makop | Lazarus | Spyware", "description": "Privilege abuse. Spyware and miscellaneous cyber attacks leveraged against various individuals using escalated privileges. Pegasus was found, not thoroughly explored.", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-28T19:54:30.287000", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658ef84e3324dfdb9d16bd73", "name": "Makop | Lazarus | Spyware (if it looks like a Pegasus...)", "description": "", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-29T16:48:15", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": "658dd276d03bca9b7a93b724", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654c7fff0b1e51ee3fb64974", "name": "URLSCAN.IO", "description": "", "modified": "2023-12-25T21:21:00.638000", "created": "2023-11-09T06:45:19.930000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1287, "URL": 1978, "FileHash-SHA256": 1354, "FileHash-MD5": 246, "FileHash-SHA1": 246, "domain": 970, "CVE": 1, "email": 37 }, "indicator_count": 6119, "is_author": false, "is_subscribing": null, "subscriber_count": 86, "modified_text": "846 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654db0c2599239b37590c980", "name": "URLSCAN.IO", "description": "", "modified": "2023-12-09T10:05:51.484000", "created": "2023-11-10T04:25:38.195000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "654c7fff0b1e51ee3fb64974", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1287, "URL": 1977, "FileHash-SHA256": 1354, "FileHash-MD5": 246, "FileHash-SHA1": 246, "domain": 970, "CVE": 1, "email": 37 }, "indicator_count": 6118, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64d398ca8c61f2e9e04b8fe2", "name": "ztomy.com", "description": "malware\ninfo\npups\nphishing sites\nam cst\nshadowwhisperer\ncurl\nwget", "modified": "2023-08-09T13:46:50.090000", "created": "2023-08-09T13:46:50.090000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 85, "hostname": 97, "URL": 261, "FileHash-SHA256": 20 }, "indicator_count": 463, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "984 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342", "gameskinny.com", "http://sniper.debugger.ru", "M. Brian Sabey Hall Render , Denver, Co | Frankfurt, Germany", "https://otx.alienvault.com/indicator/hostname/ww25.historykillerpro.com", "Inject & attack: https://otx.alienvault.com/indicator/file/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "Remote sharing: https://otx.alienvault.com/otxapi/indicators/file/screenshot/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "uat.identityssl.newscdn.com.au", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "www.historykillerpro.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Lazarus", "Little", "Hallrender", "Lolkek", "Brashears", "Sabey", "Makop ransomware", "Variant.zusy.572 checkin", "Win.trojan.agent-1372316", "Trojandownloader:win32/neojit.a", "Hacktool", "Ransomware", "Win32:delf-ses\\ [trj]" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "6846331d1a2e3e23e0586bca", "name": "AS401120 cheapy_host LLC", "description": "", "modified": "2026-02-05T02:13:45.169000", "created": "2025-06-09T01:04:29.847000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3866, "domain": 7798, "hostname": 1420, "FileHash-SHA256": 272, "CVE": 2 }, "indicator_count": 13358, "is_author": false, "is_subscribing": null, "subscriber_count": 177, "modified_text": "73 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "663d2869e0f3a42bbddc42ff", "name": "UPX executable packer.", "description": "A new rule has been introduced a \"suspicious\" ELF binary that is packed with the UPX executable packer.\nSuggested ATT&CK IDs: rule SUSP_ELF_LNX_UPX_Compressed_File { meta: description = \"Detects a suspicious ELF binary with UPX compression\" author = \"Florian Roth (Nextron Systems)\" reference = \"Internal Research\" date = \"2018-12-12\" score = 40 hash1 = \"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4\" id = \"078937de-59b3-538e-a5c3-57f4e6050212\" strings: $s1 = \"PROT_EXEC|PROT_WRITE failed.\" fullword ascii $s2 = \"$Id: UPX\" fullword ascii $s3 = \"$Info: This file is packed with the UPX executable packer\" ascii $fp1 = \"check your UCL installation !\"", "modified": "2024-10-14T00:01:17.069000", "created": "2024-05-09T19:47:53.786000", "tags": [ "cioch adrian", "centrum usug", "sieciowych", "elf binary", "upx compression", "roth", "nextron", "info", "javascript", "html", "office open", "xml document", "network capture", "win32 exe", "xml pakietu", "pdf zestawy", "przechwytywanie", "office", "filehashsha1", "url https", "cve cve20201070", "cve cve20203153", "cve cve20201048", "cve cve20211732", "cve20201048 apr", "filehashmd5", "cve cve20010901", "cve cve20021841", "cve20153202 apr", "cve cve20160728", "cve cve20161807", "cve cve20175123", "cve20185407 apr", "cve cve20054605", "cve cve20060745", "cve cve20070452", "cve cve20070453", "cve cve20070454", "cve cve20071355", "cve cve20071358", "cve cve20071871", "cve20149614 apr", "cve cve20151503", "cve cve20152080", "cve cve20157377", "cve cve20170131", "cve20200796 may", "cve cve20113403" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6861, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5771, "domain": 3139, "URL": 14525, "FileHash-SHA1": 2610, "IPv4": 108, "CIDR": 40, "FileHash-SHA256": 10705, "FileHash-MD5": 3373, "YARA": 2, "CVE": 148, "Mutex": 7, "FilePath": 3, "SSLCertFingerprint": 3, "email": 23, "JA3": 1, "IPv6": 2 }, "indicator_count": 40460, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "552 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d053a935bf99f5263deb57", "name": "History Killer Pro Injection deleting virustotal & otx.alienvault Pulses", "description": "History killer pro, is being used to delete and modify virustotal nodes and 41 otx.alienvault pulses. Junk data is being used to fill in missing pulses.\nTargeted: 1 callmeDoris several scoreblue (sometimes I clone pulses) Octoseek. \npulses.\nHallrender, Metro by T-Mobile, https://myaccount.uscis.gov/, Esurance, 40 pule reports are regarding Tsara Brashears cyber bully campaign which attacked the corporates mentioned except 2 AIG and Hallrender attackers. 100's of other modifications, deletions by another tool affecting several users.", "modified": "2024-03-18T04:01:27.756000", "created": "2024-02-17T06:35:21.666000", "tags": [ "contacted", "execution", "january", "september", "whois record", "resolutions", "communicating", "roundup", "highly targeted", "phishing", "quasar", "malware", "open", "threat roundup", "referrer", "remote", "kimsuky", "passive dns", "urls", "dive domains", "creation date", "search", "record value", "date", "united", "scan endpoints", "all scoreblue", "unknown", "body", "brian sabey", "hall render", "reinsurance", "state", "danger", "threat", "critical", "crypthashdata", "read c", "tcmiheijkmutcix", "entries", "show", "t1055", "intel", "ms windows", "delphi", "win32", "copy", "write", "injection", "zusy", "neojit", "cyber stalking", "worker", "inject", "illegal", "tampering", "hijacker", "delete", "ret hat", "stalker", "shadow", "quasi" ], "references": [ "www.historykillerpro.com", "https://otx.alienvault.com/indicator/hostname/ww25.historykillerpro.com", "http://sniper.debugger.ru", "Remote sharing: https://otx.alienvault.com/otxapi/indicators/file/screenshot/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "Inject & attack: https://otx.alienvault.com/indicator/file/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "M. Brian Sabey Hall Render , Denver, Co | Frankfurt, Germany" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Variant.Zusy.572 Checkin", "display_name": "Variant.Zusy.572 Checkin", "target": null }, { "id": "TrojanDownloader:Win32/Neojit.A", "display_name": "TrojanDownloader:Win32/Neojit.A", "target": "/malware/TrojanDownloader:Win32/Neojit.A" }, { "id": "Win32:Delf-SES\\ [Trj]", "display_name": "Win32:Delf-SES\\ [Trj]", "target": null }, { "id": "Win.Trojan.Agent-1372316", "display_name": "Win.Trojan.Agent-1372316", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1915, "FileHash-MD5": 437, "FileHash-SHA1": 435, "FileHash-SHA256": 3054, "domain": 987, "URL": 5902, "email": 1, "CVE": 1 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "762 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d0a9c7f1b04296d9b0d803", "name": "History Killer Pro Injection deleting VirusTotal & OTX.AlienVault Pulses", "description": "", "modified": "2024-03-18T04:01:27.756000", "created": "2024-02-17T12:42:47.334000", "tags": [ "contacted", "execution", "january", "september", "whois record", "resolutions", "communicating", "roundup", "highly targeted", "phishing", "quasar", "malware", "open", "threat roundup", "referrer", "remote", "kimsuky", "passive dns", "urls", "dive domains", "creation date", "search", "record value", "date", "united", "scan endpoints", "all scoreblue", "unknown", "body", "brian sabey", "hall render", "reinsurance", "state", "danger", "threat", "critical", "crypthashdata", "read c", "tcmiheijkmutcix", "entries", "show", "t1055", "intel", "ms windows", "delphi", "win32", "copy", "write", "injection", "zusy", "neojit", "cyber stalking", "worker", "inject", "illegal", "tampering", "hijacker", "delete", "ret hat", "stalker", "shadow", "quasi" ], "references": [ "www.historykillerpro.com", "https://otx.alienvault.com/indicator/hostname/ww25.historykillerpro.com", "http://sniper.debugger.ru", "Remote sharing: https://otx.alienvault.com/otxapi/indicators/file/screenshot/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "Inject & attack: https://otx.alienvault.com/indicator/file/dd846d74613d6285125886d35abb1bd261a5fc1b6bc0ba6e28e881f73dba23b7", "M. Brian Sabey Hall Render , Denver, Co | Frankfurt, Germany" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Variant.Zusy.572 Checkin", "display_name": "Variant.Zusy.572 Checkin", "target": null }, { "id": "TrojanDownloader:Win32/Neojit.A", "display_name": "TrojanDownloader:Win32/Neojit.A", "target": "/malware/TrojanDownloader:Win32/Neojit.A" }, { "id": "Win32:Delf-SES\\ [Trj]", "display_name": "Win32:Delf-SES\\ [Trj]", "target": null }, { "id": "Win.Trojan.Agent-1372316", "display_name": "Win.Trojan.Agent-1372316", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65d053a935bf99f5263deb57", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1915, "FileHash-MD5": 437, "FileHash-SHA1": 435, "FileHash-SHA256": 3054, "domain": 987, "URL": 5902, "email": 1, "CVE": 1 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "762 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658dd276d03bca9b7a93b724", "name": "Makop | Lazarus | Spyware", "description": "Privilege abuse. Spyware and miscellaneous cyber attacks leveraged against various individuals using escalated privileges. Pegasus was found, not thoroughly explored.", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-28T19:54:30.287000", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658ef84e3324dfdb9d16bd73", "name": "Makop | Lazarus | Spyware (if it looks like a Pegasus...)", "description": "", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-29T16:48:15", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": "658dd276d03bca9b7a93b724", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654c7fff0b1e51ee3fb64974", "name": "URLSCAN.IO", "description": "", "modified": "2023-12-25T21:21:00.638000", "created": "2023-11-09T06:45:19.930000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1287, "URL": 1978, "FileHash-SHA256": 1354, "FileHash-MD5": 246, "FileHash-SHA1": 246, "domain": 970, "CVE": 1, "email": 37 }, "indicator_count": 6119, "is_author": false, "is_subscribing": null, "subscriber_count": 86, "modified_text": "846 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654db0c2599239b37590c980", "name": "URLSCAN.IO", "description": "", "modified": "2023-12-09T10:05:51.484000", "created": "2023-11-10T04:25:38.195000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "654c7fff0b1e51ee3fb64974", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1287, "URL": 1977, "FileHash-SHA256": 1354, "FileHash-MD5": 246, "FileHash-SHA1": 246, "domain": 970, "CVE": 1, "email": 37 }, "indicator_count": 6118, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64d398ca8c61f2e9e04b8fe2", "name": "ztomy.com", "description": "malware\ninfo\npups\nphishing sites\nam cst\nshadowwhisperer\ncurl\nwget", "modified": "2023-08-09T13:46:50.090000", "created": "2023-08-09T13:46:50.090000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 85, "hostname": 97, "URL": 261, "FileHash-SHA256": 20 }, "indicator_count": 463, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "984 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "thirdgenerationtitle.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "thirdgenerationtitle.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776641628.0850065 }