{ "type": "Domain", "indicator": "wiseestimating.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/wiseestimating.com", "alexa": "http://www.alexa.com/siteinfo/wiseestimating.com", "indicator": "wiseestimating.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3681319076, "indicator": "wiseestimating.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "65eb9b88c811f35e060a2aa5", "name": "Emotet | YouTube \u2022 Darklivity Podcast \"Crimes of Tracey Richter\"", "description": "", "modified": "2024-08-14T06:01:01.267000", "created": "2024-03-08T23:13:12.950000", "tags": [ "communicating", "replacement", "unauthorized", "cyber attack", "emotet", "suspicious", "ransom", "Jays Youtube Bot.exe", "united", "unknown", "passive dns", "gmt server", "gmt etag", "accept encoding", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "accept", "pragma", "injection", "downloader", "as44273 host", "search", "record value", "status", "nxdomain", "content type", "next", "body", "entries", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "win32", "as15169 google", "aaaa", "domain", "pulse pulses", "urls", "contacted", "contacted urls", "whois whois", "pcname", "machinename", "execution", "bundled", "whois sneaky", "smokeloader", "amadey", "android", "youtube", "darklivity podcast", "tracey richter", "michael roberts", "server redirect", "hacking", "botnet", "application/binary", "jomax", "early, iowa", "hacker", "ruthless", "colorado", "pitman and or dentist hired roberts obvi", "song culture", "tsara brashears" ], "references": [ "www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2]", "message.htm.com [Ransom | Malware Spreader]", "Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae", "Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752", "Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea", "Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI]", "Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 \u2022 303 status redirect to Bot server.", "host.secureserver.net \u2022 htm.com \u2022 rue.services \u2022 199.22.109.208.host.secureserver.net \u2022 n1s.18b.mywebsitetransfer.com \u2022 mywebsitetransfer.com", "godaddy.com \u2022 prod.phx3.secureserver.net", "Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab", "Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5", "Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d", "Amadey: FileHash-SHA1\te44a9e7ec6fe06ae6ba1b9518db78e95ad451942", "Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357", "Amadey: IP 104.26.5.15", "CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed.", "Attempted to send viewer to own server.", "How about stop harming people" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.Win32.Snovir.kfmibf", "display_name": "Trojan.Win32.Snovir.kfmibf", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65ea64dbc3938c6472fd5e7b", "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 121, "FileHash-SHA1": 120, "FileHash-SHA256": 1086, "URL": 391, "domain": 285, "hostname": 369, "email": 1 }, "indicator_count": 2373, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "655 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e843669f4ba77affa4b297", "name": "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"", "description": "303 Error redirect target to desired service. | Likely using infected, updated apple Product. | Jays Youtube Bot.exe found. | Target saw episode subject, was suspicious due to 'diabolical women' connection promoted by Rexxfield[.] com (Tracey Richters ex-husband). I believe she was framed as is target I have come across. YouTube accounts are only told from the perspective of 2 ex-husbands, 1 doctor, 1 hacker and dentist[assaulter] who abused power. This trap makes targets look crazy, non credible leaving them traumatized. Attorneys or law enforcement likely overwhelmed, wild stories. I often consider truth is can be much stranger than fiction. Fiction often loosely based on truth.", "modified": "2024-04-05T09:00:01.502000", "created": "2024-03-06T10:20:22.440000", "tags": [ "communicating", "replacement", "unauthorized", "cyber attack", "emotet", "suspicious", "ransom", "Jays Youtube Bot.exe", "united", "unknown", "passive dns", "gmt server", "gmt etag", "accept encoding", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "accept", "pragma", "injection", "downloader", "as44273 host", "search", "record value", "status", "nxdomain", "content type", "next", "body", "entries", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "win32", "as15169 google", "aaaa", "domain", "pulse pulses", "urls", "contacted", "contacted urls", "whois whois", "pcname", "machinename", "execution", "bundled", "whois sneaky", "smokeloader", "amadey", "android", "youtube", "darklivity podcast", "tracey richter", "michael roberts", "server redirect", "hacking", "botnet", "application/binary", "jomax", "early, iowa", "hacker", "ruthless", "colorado", "pitman and or dentist hired roberts obvi", "song culture", "tsara brashears" ], "references": [ "www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2]", "message.htm.com [Ransom | Malware Spreader]", "Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae", "Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752", "Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea", "Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI]", "Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 \u2022 303 status redirect to Bot server.", "host.secureserver.net \u2022 htm.com \u2022 rue.services \u2022 199.22.109.208.host.secureserver.net \u2022 n1s.18b.mywebsitetransfer.com \u2022 mywebsitetransfer.com", "godaddy.com \u2022 prod.phx3.secureserver.net", "Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab", "Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5", "Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d", "Amadey: FileHash-SHA1\te44a9e7ec6fe06ae6ba1b9518db78e95ad451942", "Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357", "Amadey: IP 104.26.5.15", "CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed.", "Attempted to send viewer to own server.", "How about stop harming people" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.Win32.Snovir.kfmibf", "display_name": "Trojan.Win32.Snovir.kfmibf", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 52, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 114, "FileHash-SHA256": 952, "URL": 285, "domain": 257, "hostname": 285, "email": 1 }, "indicator_count": 2009, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65ea64dbc3938c6472fd5e7b", "name": "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\" Crimes of Tracey Richter", "description": "", "modified": "2024-04-05T09:00:01.502000", "created": "2024-03-08T01:07:39.514000", "tags": [ "communicating", "replacement", "unauthorized", "cyber attack", "emotet", "suspicious", "ransom", "Jays Youtube Bot.exe", "united", "unknown", "passive dns", "gmt server", "gmt etag", "accept encoding", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "accept", "pragma", "injection", "downloader", "as44273 host", "search", "record value", "status", "nxdomain", "content type", "next", "body", "entries", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "win32", "as15169 google", "aaaa", "domain", "pulse pulses", "urls", "contacted", "contacted urls", "whois whois", "pcname", "machinename", "execution", "bundled", "whois sneaky", "smokeloader", "amadey", "android", "youtube", "darklivity podcast", "tracey richter", "michael roberts", "server redirect", "hacking", "botnet", "application/binary", "jomax", "early, iowa", "hacker", "ruthless", "colorado", "pitman and or dentist hired roberts obvi", "song culture", "tsara brashears" ], "references": [ "www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2]", "message.htm.com [Ransom | Malware Spreader]", "Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae", "Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752", "Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea", "Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI]", "Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 \u2022 303 status redirect to Bot server.", "host.secureserver.net \u2022 htm.com \u2022 rue.services \u2022 199.22.109.208.host.secureserver.net \u2022 n1s.18b.mywebsitetransfer.com \u2022 mywebsitetransfer.com", "godaddy.com \u2022 prod.phx3.secureserver.net", "Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab", "Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5", "Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d", "Amadey: FileHash-SHA1\te44a9e7ec6fe06ae6ba1b9518db78e95ad451942", "Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357", "Amadey: IP 104.26.5.15", "CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed.", "Attempted to send viewer to own server.", "How about stop harming people" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.Win32.Snovir.kfmibf", "display_name": "Trojan.Win32.Snovir.kfmibf", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65e843669f4ba77affa4b297", "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 114, "FileHash-SHA256": 952, "URL": 285, "domain": 257, "hostname": 285, "email": 1 }, "indicator_count": 2009, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "646562323df8ec74e628e6a0", "name": "URLHaus data - 17-05-2023", "description": "", "modified": "2023-06-23T22:19:18.469000", "created": "2023-05-17T23:24:34.238000", "tags": [ "32-bit", "elf", "mips", "Mozi", "zip", "arm", "mirai", "shellscript", "1234", "7z", "Password-protected", "ascii", "NetSupport", "powershell", "ps", "rat", "dropped-by-PrivateLoader", "encrypted", "exe", "Formbook", "PowerShellDiscordKeyLogger", "BB28", "geofenced", "js", "Qakbot", "Quakbot", "USA", "qbot", "dropped-by-SmokeLoader", "Loki", "opendir", "RedLine", "RemcosRAT", "Arechclient2", "AgentTesla", "doc", "RedLineStealer", "LummaStealer", "ArkeiStealer", "dll", "Stealc", "dropped-by-amadey", "hajime", "ua-ps", "32", "gafgyt", "Lumma", "Amadey", "AsyncRAT", "lnk", "Vidar", "quasar", "64-bit", "x86-64" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 880, "hostname": 8, "domain": 355 }, "indicator_count": 1243, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1072 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64640f71292ec3dad3e443e0", "name": "URLHaus data - 16-05-2023", "description": "", "modified": "2023-05-16T23:19:13.634000", "created": "2023-05-16T23:19:13.634000", "tags": [ "32-bit", "elf", "mips", "Mozi", "arm", "mirai", "hajime", "BB28", "geofenced", "js", "Qakbot", "qbot", "Quakbot", "USA", "PowerShellSMTPKeyLogger", "32", "Amadey", "exe", "64", "pw-2023", "rar", "pw-2022", "dropped-by-PrivateLoader", "encrypted", "1234", "7z", "Password-protected", "pw-1515", "dll", "ua-ps" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "IPv4": 133, "domain": 614, "hostname": 1 }, "indicator_count": 1748, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1110 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "How about stop harming people", "Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d", "Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea", "host.secureserver.net \u2022 htm.com \u2022 rue.services \u2022 199.22.109.208.host.secureserver.net \u2022 n1s.18b.mywebsitetransfer.com \u2022 mywebsitetransfer.com", "Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357", "Amadey: FileHash-SHA1\te44a9e7ec6fe06ae6ba1b9518db78e95ad451942", "message.htm.com [Ransom | Malware Spreader]", "https://urlhaus.abuse.ch/browse/", "Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 \u2022 303 status redirect to Bot server.", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2]", "CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed.", "Attempted to send viewer to own server.", "Amadey: IP 104.26.5.15", "Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI]", "godaddy.com \u2022 prod.phx3.secureserver.net", "Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5", "www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast", "Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab", "Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae", "Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "#lowfienabledtcontinueafterunpacking", "Trojan.win32.snovir.kfmibf", "Emotet", "Amadey" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "65eb9b88c811f35e060a2aa5", "name": "Emotet | YouTube \u2022 Darklivity Podcast \"Crimes of Tracey Richter\"", "description": "", "modified": "2024-08-14T06:01:01.267000", "created": "2024-03-08T23:13:12.950000", "tags": [ "communicating", "replacement", "unauthorized", "cyber attack", "emotet", "suspicious", "ransom", "Jays Youtube Bot.exe", "united", "unknown", "passive dns", "gmt server", "gmt etag", "accept encoding", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "accept", "pragma", "injection", "downloader", "as44273 host", "search", "record value", "status", "nxdomain", "content type", "next", "body", "entries", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "win32", "as15169 google", "aaaa", "domain", "pulse pulses", "urls", "contacted", "contacted urls", "whois whois", "pcname", "machinename", "execution", "bundled", "whois sneaky", "smokeloader", "amadey", "android", "youtube", "darklivity podcast", "tracey richter", "michael roberts", "server redirect", "hacking", "botnet", "application/binary", "jomax", "early, iowa", "hacker", "ruthless", "colorado", "pitman and or dentist hired roberts obvi", "song culture", "tsara brashears" ], "references": [ "www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2]", "message.htm.com [Ransom | Malware Spreader]", "Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae", "Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752", "Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea", "Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI]", "Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 \u2022 303 status redirect to Bot server.", "host.secureserver.net \u2022 htm.com \u2022 rue.services \u2022 199.22.109.208.host.secureserver.net \u2022 n1s.18b.mywebsitetransfer.com \u2022 mywebsitetransfer.com", "godaddy.com \u2022 prod.phx3.secureserver.net", "Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab", "Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5", "Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d", "Amadey: FileHash-SHA1\te44a9e7ec6fe06ae6ba1b9518db78e95ad451942", "Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357", "Amadey: IP 104.26.5.15", "CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed.", "Attempted to send viewer to own server.", "How about stop harming people" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.Win32.Snovir.kfmibf", "display_name": "Trojan.Win32.Snovir.kfmibf", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65ea64dbc3938c6472fd5e7b", "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 121, "FileHash-SHA1": 120, "FileHash-SHA256": 1086, "URL": 391, "domain": 285, "hostname": 369, "email": 1 }, "indicator_count": 2373, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "655 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e843669f4ba77affa4b297", "name": "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"", "description": "303 Error redirect target to desired service. | Likely using infected, updated apple Product. | Jays Youtube Bot.exe found. | Target saw episode subject, was suspicious due to 'diabolical women' connection promoted by Rexxfield[.] com (Tracey Richters ex-husband). I believe she was framed as is target I have come across. YouTube accounts are only told from the perspective of 2 ex-husbands, 1 doctor, 1 hacker and dentist[assaulter] who abused power. This trap makes targets look crazy, non credible leaving them traumatized. Attorneys or law enforcement likely overwhelmed, wild stories. I often consider truth is can be much stranger than fiction. Fiction often loosely based on truth.", "modified": "2024-04-05T09:00:01.502000", "created": "2024-03-06T10:20:22.440000", "tags": [ "communicating", "replacement", "unauthorized", "cyber attack", "emotet", "suspicious", "ransom", "Jays Youtube Bot.exe", "united", "unknown", "passive dns", "gmt server", "gmt etag", "accept encoding", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "accept", "pragma", "injection", "downloader", "as44273 host", "search", "record value", "status", "nxdomain", "content type", "next", "body", "entries", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "win32", "as15169 google", "aaaa", "domain", "pulse pulses", "urls", "contacted", "contacted urls", "whois whois", "pcname", "machinename", "execution", "bundled", "whois sneaky", "smokeloader", "amadey", "android", "youtube", "darklivity podcast", "tracey richter", "michael roberts", "server redirect", "hacking", "botnet", "application/binary", "jomax", "early, iowa", "hacker", "ruthless", "colorado", "pitman and or dentist hired roberts obvi", "song culture", "tsara brashears" ], "references": [ "www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2]", "message.htm.com [Ransom | Malware Spreader]", "Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae", "Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752", "Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea", "Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI]", "Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 \u2022 303 status redirect to Bot server.", "host.secureserver.net \u2022 htm.com \u2022 rue.services \u2022 199.22.109.208.host.secureserver.net \u2022 n1s.18b.mywebsitetransfer.com \u2022 mywebsitetransfer.com", "godaddy.com \u2022 prod.phx3.secureserver.net", "Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab", "Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5", "Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d", "Amadey: FileHash-SHA1\te44a9e7ec6fe06ae6ba1b9518db78e95ad451942", "Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357", "Amadey: IP 104.26.5.15", "CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed.", "Attempted to send viewer to own server.", "How about stop harming people" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.Win32.Snovir.kfmibf", "display_name": "Trojan.Win32.Snovir.kfmibf", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 52, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 114, "FileHash-SHA256": 952, "URL": 285, "domain": 257, "hostname": 285, "email": 1 }, "indicator_count": 2009, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65ea64dbc3938c6472fd5e7b", "name": "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\" Crimes of Tracey Richter", "description": "", "modified": "2024-04-05T09:00:01.502000", "created": "2024-03-08T01:07:39.514000", "tags": [ "communicating", "replacement", "unauthorized", "cyber attack", "emotet", "suspicious", "ransom", "Jays Youtube Bot.exe", "united", "unknown", "passive dns", "gmt server", "gmt etag", "accept encoding", "scan endpoints", "all octoseek", "ipv4", "pulse submit", "accept", "pragma", "injection", "downloader", "as44273 host", "search", "record value", "status", "nxdomain", "content type", "next", "body", "entries", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "pur sta", "win32", "as15169 google", "aaaa", "domain", "pulse pulses", "urls", "contacted", "contacted urls", "whois whois", "pcname", "machinename", "execution", "bundled", "whois sneaky", "smokeloader", "amadey", "android", "youtube", "darklivity podcast", "tracey richter", "michael roberts", "server redirect", "hacking", "botnet", "application/binary", "jomax", "early, iowa", "hacker", "ruthless", "colorado", "pitman and or dentist hired roberts obvi", "song culture", "tsara brashears" ], "references": [ "www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Songculture linked to Darklivity Podcast", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 [https://b.link/infringementhttps://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2]", "message.htm.com [Ransom | Malware Spreader]", "Ransom: FileHash-MD5 cece27e27fcad115504a2dc155358dae", "Ransom: FileHash-SHA1 90f739d446a6cab0a73086e56b1473e3c05ab752", "Ransom: FileHash-SHA256 c2f7df5c2fd585ba533fca2c2f1933bec36c4713ed5351a3656ddefee71c4cea", "Tracey Richter Roberts convicted murderer framed IMO] Michael Roberts suspect [self promoting hacker/PI]", "Jays Youtube Bot.exe: FileHash-SHA256 00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5 \u2022 303 status redirect to Bot server.", "host.secureserver.net \u2022 htm.com \u2022 rue.services \u2022 199.22.109.208.host.secureserver.net \u2022 n1s.18b.mywebsitetransfer.com \u2022 mywebsitetransfer.com", "godaddy.com \u2022 prod.phx3.secureserver.net", "Trojan.Win32.Snovir.kfmibf | FreeYTVDownloader.exe: FileHash-SHA256 3f5576bcd7bab6cf302bfaaa151f5807aac0b80ad01879662c01ca83ebf457ab", "Tea Conquer Bot.exe | FileHash-SHA256 00fc3c28ee517b91128d25c65eeddcd8dac2328447566e94732a3c92b71bfee5", "Amadey: FileHash-MD5 9a0b7ee713610b8395c8f0580a3b1e3d", "Amadey: FileHash-SHA1\te44a9e7ec6fe06ae6ba1b9518db78e95ad451942", "Amadey: FileHash-SHA256 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357", "Amadey: IP 104.26.5.15", "CS IDS: ET INFO Android Device Connectivity Check [Low Risk] was executed.", "Attempted to send viewer to own server.", "How about stop harming people" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan.Win32.Snovir.kfmibf", "display_name": "Trojan.Win32.Snovir.kfmibf", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65e843669f4ba77affa4b297", "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 115, "FileHash-SHA1": 114, "FileHash-SHA256": 952, "URL": 285, "domain": 257, "hostname": 285, "email": 1 }, "indicator_count": 2009, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "646562323df8ec74e628e6a0", "name": "URLHaus data - 17-05-2023", "description": "", "modified": "2023-06-23T22:19:18.469000", "created": "2023-05-17T23:24:34.238000", "tags": [ "32-bit", "elf", "mips", "Mozi", "zip", "arm", "mirai", "shellscript", "1234", "7z", "Password-protected", "ascii", "NetSupport", "powershell", "ps", "rat", "dropped-by-PrivateLoader", "encrypted", "exe", "Formbook", "PowerShellDiscordKeyLogger", "BB28", "geofenced", "js", "Qakbot", "Quakbot", "USA", "qbot", "dropped-by-SmokeLoader", "Loki", "opendir", "RedLine", "RemcosRAT", "Arechclient2", "AgentTesla", "doc", "RedLineStealer", "LummaStealer", "ArkeiStealer", "dll", "Stealc", "dropped-by-amadey", "hajime", "ua-ps", "32", "gafgyt", "Lumma", "Amadey", "AsyncRAT", "lnk", "Vidar", "quasar", "64-bit", "x86-64" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 880, "hostname": 8, "domain": 355 }, "indicator_count": 1243, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1072 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64640f71292ec3dad3e443e0", "name": "URLHaus data - 16-05-2023", "description": "", "modified": "2023-05-16T23:19:13.634000", "created": "2023-05-16T23:19:13.634000", "tags": [ "32-bit", "elf", "mips", "Mozi", "arm", "mirai", "hajime", "BB28", "geofenced", "js", "Qakbot", "qbot", "Quakbot", "USA", "PowerShellSMTPKeyLogger", "32", "Amadey", "exe", "64", "pw-2023", "rar", "pw-2022", "dropped-by-PrivateLoader", "encrypted", "1234", "7z", "Password-protected", "pw-1515", "dll", "ua-ps" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "IPv4": 133, "domain": 614, "hostname": 1 }, "indicator_count": 1748, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1110 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "wiseestimating.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "wiseestimating.com", "found": true, "verdict": "malicious", "url_count": 3, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "https://wiseestimating.com/ete/?1", "status": "offline", "threat": "malware_download", "date_added": "2023-05-17", "tags": [ "BB28", "geofenced", "js", "Qakbot", "Quakbot", "USA" ] }, { "url": "https://wiseestimating.com/lpei/?1", "status": "offline", "threat": "malware_download", "date_added": "2023-05-16", "tags": [ "BB28", "geofenced", "js", "Qakbot", "qbot", "Quakbot", "USA" ] }, { "url": "https://wiseestimating.com/rui/?1", "status": "offline", "threat": "malware_download", "date_added": "2023-05-16", "tags": [ "BB28", "geofenced", "js", "Qakbot", "qbot", "Quakbot", "USA" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780248791.1599216 }