{ "type": "Domain", "indicator": "zuf174.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/zuf174.com", "alexa": "http://www.alexa.com/siteinfo/zuf174.com", "indicator": "zuf174.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 123502820, "indicator": "zuf174.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 32, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "3 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e1cc70fcbd3f613502e1f7", "name": "order clone by aclause21 Public", "description": "", "modified": "2026-04-17T09:28:38.049000", "created": "2026-04-17T06:00:16.867000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "678f0dbdbc59dd2ea5656dcf", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 442, "domain": 2416, "hostname": 2155, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24911, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e1cc6fd3c4022e08db781d", "name": "order clone by aclause21 Public", "description": "", "modified": "2026-04-17T06:51:33.372000", "created": "2026-04-17T06:00:15.760000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "678f0dbdbc59dd2ea5656dcf", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 441, "domain": 2416, "hostname": 2155, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24910, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a77cfcac37b94cdafabb0d", "name": "Outlook", "description": "IOCS", "modified": "2026-04-03T08:24:06.638000", "created": "2026-03-04T00:29:48.657000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 712, "domain": 759, "hostname": 194, "FileHash-SHA1": 148, "email": 37, "FileHash-SHA256": 437, "FileHash-MD5": 118, "CVE": 1 }, "indicator_count": 2406, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692131f725473d708579ec3a", "name": "Drive-by Compromise", "description": "", "modified": "2025-11-22T03:45:59.649000", "created": "2025-11-22T03:45:59.649000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "66f31b9a0551ca166c872292", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 439, "domain": 2416, "hostname": 2154, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24907, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "148 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68788dfd4a0943cb318c7137", "name": "DarkWatchman Chekin Activity", "description": "", "modified": "2025-08-16T06:02:36.091000", "created": "2025-07-17T05:45:33.250000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "678f0dbdbc59dd2ea5656dcf", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7596, "FileHash-SHA1": 3987, "FileHash-SHA256": 8622, "URL": 1922, "domain": 2530, "hostname": 2524, "email": 37, "CVE": 6, "SSLCertFingerprint": 6 }, "indicator_count": 27230, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "678f0dbdbc59dd2ea5656dcf", "name": "Order ", "description": "", "modified": "2025-01-21T03:00:13.071000", "created": "2025-01-21T03:00:13.071000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "66f31b9a0551ca166c872292", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aclause21", "id": "303913", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 439, "domain": 2416, "hostname": 2154, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24907, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "453 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66804428b487338dc16f70a7", "name": "Brian Sabey Orbiting Tsara Brashears and associates | Espionage | Said client: Jeffrey Reimer", "description": "Brian Sabey & large team continue excessive orbiting target & family members in multiple states. \nUnwarranted, dangerous and illegal. \nLarge attacks have wreaked havoc on medical establishments, targets medical profile, once profitable business, legal manipulation, financial well being. forced poverty, swatting, imfostealer, insurance fraud, intellectual property use, Audi le spying, in person stalking, confrontations, great bodily harm, loss of peace, safety. basic human rights and privacy, phone call redirection, malvertising. In the name of assaulter Jeffrey Scott Reimer", "modified": "2024-11-05T10:00:12.606000", "created": "2024-06-29T17:28:08.283000", "tags": [ "unknown", "united", "virgin islands", "as51852", "as33387", "as19905", "as44273 host", "cname", "nxdomain", "passive dns", "url http", "search", "type indicator", "role title", "added active", "related pulses", "entries", "urls", "files ip", "address domain", "ip related", "pulses otx", "pulses", "related tags", "indicator facts", "dga domain", "http", "unique", "scan endpoints", "all scoreblue", "pulse pulses", "ip address", "related nids", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "b59bn timestamp", "ff2c217402202b", "code", "false", "url https", "domain", "trojan", "hostname", "files", "body", "date", "path max", "age86400 set", "cookie", "script urls", "type", "mtb may", "script script", "trojanspy", "striven", "miles2", "rexxfield", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "date sat", "gmt server", "sakula malware", "historical ssl", "realteck audio", "lemon duck", "iocs", "tsara brashears", "loki password", "stealer", "windows", "auction", "metro", "core", "colibri loader", "hacktool", "status", "for privacy", "creation date", "record value", "name servers", "showing", "next", "mtb mar", "ipv4", "ransom", "west domains", "redacted for", "gmt location", "gmt max", "cowboy", "encrypt", "as60558 phoenix", "susp", "win32", "methodpost", "canada unknown", "as43350 nforce", "united kingdom", "as47846", "germany unknown", "briansabey", "body doubles", "orbiters", "malvertising", "cane", "get na", "show", "as16509", "delete c", "sinkhole cookie", "value snkz", "cape", "possible", "copy", "nivdort", "write", "bayrob", "malware", "exploit", "confirm https", "impact", "misc http", "cvss v2", "authentication", "n cvss", "v3 severity", "high attack", "emails", "cnc", "alphacrypt cnc", "beacon", "as15169 google", "limited", "as8560", "elite", "AS33387 nocix llc", "pegasus", "mercenary", "cellerebrand", "cellebrite", "apple", "dark", "apple ios", "ios", "apple iphone", "apple itunes", "itunes", "pegasystem", "data brokers", "hackers", "javascript", "please", "intel", "filehash", "av detections", "xorddos" ], "references": [ "http://www.northpoleroute.com/78985064&type=0&resid=5312625", "espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0", "Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc", "Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f", "Ransom:Win32/Haperlock.A; FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1", "IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin", "IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "Alerts: cape_detected_threat cape_extracted_content", "https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49", "Backdoor:Win32/Fynloski.A: FileHash-SHA 453355033bb7977831ca87cc90156b594f13b2ee", "Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845", "TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02", "TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534", "TrojanClicker:Win32/Ellell.A: 4d3e7d486ec5918d91e54e51c4d07dc6", "PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251", "PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a", "PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4", "https://otx.alienvault.com/indicator/ip/162.222.213.199", "TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad", "Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437", "PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec", "PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb", "PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7", "Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943", "Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f", "Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893", "Win.Virus.TeslaCrypt3-2: 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e", "IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx", "IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin", "IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon", "https://otx.alienvault.com/indicator/ip/185.230.63.186", "CnC IP's: 192.187.111.221 63.141.242.43 63.141.242.44 63.141.242.46 81.17.18.195 81.17.18.197 81.17.29.146 81.17.29.148", "http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz", "smartphonesonline.co.uk https://smartphonesonline.co.uk/ https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]", "Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://otx.alienvault.com/indicator/ip/63.141.242.45", "Yara Detections: is__elf , xorddos , LinuxXorDDoS_VariantTwo", "Antivirus Detections: ELF:Xorddos-AE\\ [Trj] , Unix.Trojan.Xorddos-1 ,", "Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9", "Trojan:Linux/Xorddos: FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559", "Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Ransom:Win32/Haperlock.A", "display_name": "Ransom:Win32/Haperlock.A", "target": "/malware/Ransom:Win32/Haperlock.A" }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "TrojanClicker:Win32/Ellell.A", "display_name": "TrojanClicker:Win32/Ellell.A", "target": "/malware/TrojanClicker:Win32/Ellell.A" }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "Win.Virus.TeslaCrypt3-2/Custom", "display_name": "Win.Virus.TeslaCrypt3-2/Custom", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "Ransom:Win32/Tescrypt", "display_name": "Ransom:Win32/Tescrypt", "target": "/malware/Ransom:Win32/Tescrypt" }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Trojan:Linux/Xorddos", "display_name": "Trojan:Linux/Xorddos", "target": "/malware/Trojan:Linux/Xorddos" }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 106, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3885, "hostname": 1651, "URL": 5981, "FileHash-MD5": 486, "FileHash-SHA256": 3859, "SSLCertFingerprint": 2, "FileHash-SHA1": 487, "CVE": 7, "email": 8 }, "indicator_count": 16366, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "530 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f31b9a0551ca166c872292", "name": "Drive-by Compromise - Cyber warfare 4K + Unsuspecting potential victims", "description": "Network outage. Severe attack appears to disseminate from Denver, Co Charter Communications /Spectrum Denver - network and devices hacked. Successful at bringing down the network of 4000 + Whitesky clients, remotely sourcing targeted devices, leaking confidential information, phishing, deletng countless files. Most people in homes and building managers are referring to the multi day outage as outage or glitch. Located targeted devices, files encrypted, forced content, dumping & other malicious activity. \n*Cyber Folks .pl\n*https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit\n|| DDoS:Linux/Gafgyt.YA!MTB\nCVE-2017-17215\nVirus:Win32/Sivis.A\nBackdoor:Win32/Tofsee\nCVE-2014-8361\nCVE-2023-27350\nM1\nMirai\nNIDS\nOneLouder\nRansom\nRansom:Win32/Haperlock\nTEL:CreateScheduledTask ,\nTofsee , Trojan:Win32/Neurevt , Zombie.A ,TrojanSpy ,\nUnix.Trojan.Mirai ,Oxypumper , Qshell , Installcore ,Sarwent", "modified": "2024-10-24T19:00:50.385000", "created": "2024-09-24T20:05:46.785000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 439, "domain": 2416, "hostname": 2154, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24907, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "541 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e47020bdbbc384d102d169", "name": "AWS Botnet *2nd L\u2070\u2070K \u00bb Quantum Fiber | Brute Forcer", "description": "I researched link again. Stealthy hackers surrounding a targets whereabouts in Denver Metro/Denver Proper (Co) and surrounding areas. Unsafe targeting activity escalates.\n\n*Tip { PDF:UrlMal-inf\\ [Trj] - https://www.quantumfiber.com/moving.html?utm_source=Digital&utm_medium=DV360_YouTube&utm_campaign=QuantumFiber_Residential_Prospecting&utm_content=Movers-RES-QF-Movers-ACH-OLV30-50-YouTube-NA&gclid=CjwKCAjwooq3BhB3Eiw } Malware Families:\nWin.Dropper.LokiBot-9975730-0\n#LowFiEnableDTContinueAfterUnpacking\n#LowFiMalf_gen\nALF:PUA:Block:IObit\nALF:Program:Win32/Webcompanion\nALF:Ransom:Win32/Babax\nALF:Trojan:Win32/FormBook\nAWS\nPDF:UrlMal-inf\\ [Trj]\nTrojan:Win32/Qbot\nTrojanDownloader:Win32/Upatre\nUnix\nUnix.Malware.Generic-9875933-0\nVirTool:Win32/Injector\nVirTool:Win32/Obfuscator\nWin.Dropper.LokiBot-9975730-0\nWin.Keylogger.Banbra-9936388-0\nWorm:Win32/Mofksys", "modified": "2024-10-13T13:01:27.179000", "created": "2024-09-13T17:02:24.806000", "tags": [ "namecheap", "server", "registrar abuse", "code", "dnssec", "email", "contact phone", "registrar iana", "registrar url", "registrar whois", "date", "vhash", "authentihash", "imphash", "ssdeep", "file type", "win32 exe", "magic pe32", "ms windows", "trid upx", "win16 ne", "generic", "packer", "info sections", "name virtual", "address virtual", "size raw", "size entropy", "md5 chi2", "upx0", "1 upx1", "upx2", "sysinternals", "zenbox", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "dynamic", "utc na", "utc facebook", "html info", "meta tags", "commerce cloud", "trackers google", "tag manager", "gtmkj5bfwx", "utc gtmp4hkt96", "utc gtm5z5w687v", "sample", "t1497", "sandbox evasion", "may sleep", "downloads", "http performs", "mitre att", "evasion ta0005", "upx software", "t1036 creates", "get http", "post http", "number", "ja3s", "algorithm", "subject", "data", "server ca", "odigicert inc", "cus lsan", "calls", "text", "passive dns", "urls", "scan endpoints", "all scoreblue", "url https", "http", "ip address", "related nids", "files location", "as8068", "united", "unknown", "ref b", "wed may", "entries", "mtb dec", "body", "please", "twitter", "malware", "trojan", "trojan features", "related pulses", "file samples", "files matching", "show", "search", "date hash", "next", "showing", "worm", "win32", "alf features", "aaaa", "cname", "united kingdom", "creation date", "certificate", "tlsv1", "oglobalsign", "stzhejiang", "lhangzhou", "oalibaba", "china", "encrypt", "copy", "write", "august", "local", "xport", "regsetvalueexa", "regdword", "regbinary", "medium", "high", "regsetvalueexw", "regsz", "langchinese", "delphi", "persistence", "execution", "read c", "create c", "msie", "windows nt", "wow64", "slcc2", "media center", "write c", "delete c", "mozilla", "as62597 nsone", "domain", "as20940", "as8075", "virtool", "whitelisted ip", "location united", "asn as8068", "registrar", "markmonitor", "tags", "related tags", "threat roundup", "october", "historical ssl", "referrer", "round", "december", "november", "guloader", "files", "detections file", "name file", "file size", "name", "html", "cab null", "ubuntu", "linux x8664", "contentlength", "gobrut", "malware c", "c request", "config", "meta", "photolan", "moved", "a domains", "as47748 daticum", "meta http", "content", "gmt server", "ipv4", "pragma", "apache", "sales", "expiration date", "name servers", "asnone bulgaria", "ns nxdomain", "nxdomain", "soa nxdomain", "cape", "gobrut malware", "suricata", "et malware", "bruter cnc", "checkin", "activity", "malware config", "yara detections", "contacted", "a li", "li ul", "div div", "set cookie", "as29873", "link", "hong kong", "as45102 alibaba", "div li", "gmt max", "age2592000 path", "log id", "gmtn", "tls web", "ca issuers", "timestamp", "b715", "b59bn timestamp", "false", "as2914 ntt", "record value", "data redacted", "as4230 claro", "invalid url", "research group", "as13768 aptum", "canada unknown", "canada", "hostpapa", "hosting", "click", "rdds service", "record", "registrant", "admin", "tech contact", "script domains", "as3257 gtt", "asnone canada", "access denied", "servers", "emails", "as397241", "as31898 oracle", "as397240", "overview ip", "flag united", "hostname", "files domain", "as15169 google", "as396982 google", "as16625 akamai", "as35994 akamai", "france", "discovery", "t1010", "t1012", "t1027", "information", "t1055", "injection", "t1057", "t1059", "ssh attacker", "mitm", "aitm", "tracker", "botnet", "binary", "ghostscript", "brendan coates", "daley", "trent wiltshire", "aws botnet", "filehashsha256", "filehashsha1", "filehashmd5", "https", "salitiy", "unix malware", "created", "url http", "unix", "aws", "role title", "added active", "report spam", "quantumfiber", "denver co", "critical", "default", "traditional", "compiler", "intel", "ms windows", "ssdeep", "rich pe", "imphash", "utc gtm5z5w687v", "utc gtmp4hkt96", "pecompact", "packer", "ids", "commerce cloud", "meta tags", "gmt etag", "accept encoding", "accept", "status", "west domains", "path", "author avatar", "active file", "denver", "vt graph", "currently", "im unaware", "pnpd5d", "susp", "filehash", "av detections", "pecompact", "february", "asnone germany", "as21499 host", "singapore", "germany", "object", "alerts", "icmp traffic", "createdate", "microsoft color", "msft", "format", "as44273 host", "content type", "kodak easyshare", "easyshare", "eastman kodak", "kodak", "kukacka", "virus", "rsdsr7siwwd d", "install", "service", "explorer", "windows", "name type", "md5 process", "sqlite", "sqlite version", "active", "pre crime", "cyber attack", "hackers", "quantum fiber", "quantumfiber.com", "target tsara brashears", "tech id", "hallrender", "brian sabey", "hijack", "spotify artists", "idlinea8 sep", "xo544", "xa10629", "sitegg", "fcolorffffff", "net1", "inhibit system", "oracle", "level 3" ], "references": [ "QuantumFiber.com a 2nd look", "Related Tags: https://www.virustotal.com/graph/embed/g17b255d00de64c0faa707968 [OG:dorkingbeauty | Cloned: StreaminingEx]", "13.107.21.200 Bat.Bing - Trojan:Win32/Qbot | ALF:Ransom:Win32/Babax | Worm:Win32/Mofksys | ALF:Program:Win32/Webcompanion", "IDS Detections: Win32.Lexip Checkin Unsupported/Fake FireFox Version 2.", "IDS Detections: Windows 98 User-Agent Detected - Possible Malware or Non-Updated System Unsupported/Fake Internet Explorer Version MSIE 5.", "Win.Dropper.LokiBot-9975730-0", "Win.Dropper.LokiBot-9975730-0 FileHash-SHA256 8f65d7817731cf1b7fada1be16d85464383813dd1f0388a933cec2abbeda4ba9", "IDS Detections: TLS Handshake Failure Yara Detections: Nullsoft_NSIS", "Alerts: network_icmp modifies_proxy_wpad multiple_useragents injection_resumethread", "Win.Keylogger.Banbra FileHash-SHA256 94517bb37a8ebe48a06a64b20237e287101bc93bbc840bf6e1ab7dfb28a2da5a", "Yara Detections: Delphi", "IDS Detections: Win32/Adware.Ymeta.A CnC Beacon Win32/Adware.Ymeta.A CnC Win32/Adware.Ymeta Variant Activity", "IDS Detections: Observed Suspicious UA (Mozilla/5.0) Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)", "Query to a *.top domain - Likely Hostile Query for .cc TLD", "Alerts: dead_host network_icmp nolookup_communication disables_proxy modifies_certificates modifies_proxy_wpad", "Alerts: ransomware_dropped_files ransomware_mass_file_delete antivm_vmware_in_instruction", "Unix.Malware.Generic: IDS Detections Generic.Go.Bruteforcer CnC Beacon Generic.Go.Bruteforcer Receiving Config", "Unix.Malware.Generic: Observed DNS Query for Israel Domain (.il) | Alerts: cape_detected_threat", "Unix.Malware.Generic: Yara Detections: is__elf , UPXProtectorv10x2 , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections", "Unix.Malware.Generic:", "Unix.Malware.Generic:", "networkservice.exe: Matches rule SERVER-OTHER Spring Data Commons remote code execution attempt", "wallet.mewards.bing.com | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net | wallpapers-nature.com", "Malware Families: Win.Dropper.LokiBot-9975730-0 #LowFiEnableDTContinueAfterUnpacking #LowFiMalf_gen Worm:Win32/Mofksys", "Malware Families: ALF:PUA:Block:IObit ALF:Program:Win32/Webcompanion ALF:Ransom:Win32/Babax Win.Keylogger.Banbra-9936388-0", "Malware Families: ALF:Trojan:Win32/FormBook AWS PDF:UrlMal-inf\\ [Trj] Trojan:Win32/Qbot Unix.Malware.Generic-9875933-0", "Malware Families: VirTool:Win32/Injector TrojanDownloader:Win32/Upatre Unix VirTool:Win32/Obfuscator Win.Dropper.LokiBot-9975730-0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Keylogger.Banbra-9936388-0", "display_name": "Win.Keylogger.Banbra-9936388-0", "target": null }, { "id": "#LowFiMalf_gen", "display_name": "#LowFiMalf_gen", "target": null }, { "id": "Trojan:Win32/Qbot", "display_name": "Trojan:Win32/Qbot", "target": "/malware/Trojan:Win32/Qbot" }, { "id": "ALF:Ransom:Win32/Babax", "display_name": "ALF:Ransom:Win32/Babax", "target": null }, { "id": "Worm:Win32/Mofksys", "display_name": "Worm:Win32/Mofksys", "target": "/malware/Worm:Win32/Mofksys" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "ALF:PUA:Block:IObit", "display_name": "ALF:PUA:Block:IObit", "target": null }, { "id": "Win.Dropper.LokiBot-9975730-0", "display_name": "Win.Dropper.LokiBot-9975730-0", "target": null }, { "id": "Win.Dropper.LokiBot-9975730-0", "display_name": "Win.Dropper.LokiBot-9975730-0", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "VirTool:Win32/Injector", "display_name": "VirTool:Win32/Injector", "target": "/malware/VirTool:Win32/Injector" }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Unix.Malware.Generic-9875933-0", "display_name": "Unix.Malware.Generic-9875933-0", "target": null }, { "id": "ALF:Trojan:Win32/FormBook", "display_name": "ALF:Trojan:Win32/FormBook", "target": null }, { "id": "Unix", "display_name": "Unix", "target": null }, { "id": "AWS", "display_name": "AWS", "target": null }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "PDF:UrlMal-inf\\ [Trj]", "display_name": "PDF:UrlMal-inf\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1510", "name": "Clipboard Modification", "display_name": "T1510 - Clipboard Modification" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1644, "FileHash-SHA1": 1614, "FileHash-SHA256": 2742, "URL": 2708, "domain": 2150, "hostname": 2508, "email": 21, "SSLCertFingerprint": 33, "CVE": 2 }, "indicator_count": 13422, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "552 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66ba01cb6ef731c30679908b", "name": "BusyBox |Eternal Blue | MITM Attack | Linux Crime Mirai_Botnet_Malware | Brian Sabey attorney", "description": "Verizon Business MCICS?\nMCI Communications Services LLC Verizon Division, doing business as MCI, is a subsidiary of Verizon Communications Inc. that provides a wide range of telecommunications products and services to U.S. federal government customers.\nHandle Swipper, previously scrubbed from internet has been hovering over target for at least 10 years.\n[Known to have used Host: 152.199.19.161\n19.161 is an IP address in AS15133 owned by MCICommunicationsServices,Inc.d/b/aVerizonBusiness and located in US] + [Edgecast Inc ns1.edgecastcdn.net] Swipper, once linked to WikiLeaks threat actor who sent malicious emails to targets and Bank of America employees revealing passcodes from garage door codes to favorite color, ice cream hobbies and passwords. \n[Bin][BusyBox] BusyBox is a software suite that provides several Unix utilities in a single executable file.", "modified": "2024-10-12T00:01:26.015000", "created": "2024-08-12T12:36:27.020000", "tags": [ "network", "orgdnsref", "nethandle", "net174", "net1740000", "mcics", "swipp", "swipper", "jody alaska", "jody huffines", "verizon", "eva120", "block id", "wirelessdatanetwork", "swipp9-arin", "united", "et exploit", "smbds ipc", "show", "search", "default", "asnone", "nids", "generic", "query", "service", "wannacry", "ransom", "malware", "copy", "dock", "write", "eternalblue", "recon", "suspicious", "realtek sdk", "miniigd upnp", "soap command", "exploit", "msie", "windows nt", "high", "binbusybox", "gafgyt", "execution", "mirai", "newremotehost", "mitm", "port", "destination", "newexternalport", "newprotocol", "newinternalport", "rf cum", "newenabled", "addpo", "addportmapping", "whois lookups", "city", "orgdnshandle", "stateprov", "loudoun county", "postalcode", "text", "javascript", "b file", "files", "file type", "json", "graph", "t1064 executes", "modify system", "process t1543", "systemd service", "posts", "mitre att", "ta0002 command", "t1059", "create", "ta0004 create", "ip traffic", "hashes", "file system", "libmultipath", "devftwdt101", "devsda1 devsda2", "files deleted", "e procselffd9", "h devsda2", "created binsh", "shell commands", "binsh binsh", "binsh c", "i lo", "p m0755", "varrunsshd", "processes tree", "referrer", "pe resource", "cry kill", "formbook", "ransomworm", "wannacry kill", "switch dns", "password bypass", "account stealer", "hiddentear", "installer", "skynet", "get http", "memory pattern", "http requests", "request", "host", "cachecontrol", "response", "contentlength", "httponly", "samesitelax", "mofresourcename", "settingswpad", "registry keys", "hdaudiomofname", "acpimofresource", "mofresource", "registry", "kernel context", "runtime modules", "modules", "urls", "cloudflare", "domains", "ip detections", "country", "win32 exe", "mb pe", "mb graph", "summary", "pe32 executable", "ms windows", "intel", "ms visual", "win16 ne", "win32 dynamic", "link library", "vs98", "info compiler", "products id", "sp6 build", "header intel", "name md5", "type", "language", "contained", "r english", "yara rule", "et trojan", "domain http", "cape", "yara detections", "alerts", "logic", "status", "passive dns", "creation date", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "date", "next", "as6167 verizon", "as22394 verizon", "showing", "entries", "aaaa", "cname", "asnone united", "whitelisted", "as20446", "as8075", "ipv4", "unknown", "emails", "expiration date", "name servers", "aaaa nxdomain", "ireland unknown", "nxdomain", "soa nxdomain", "ns nxdomain", "a nxdomain", "as8068", "united kingdom", "domain", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "exploit none", "rce", "ate hash", "spyware", "adversary in the middle", "smugglers gambit", "hitmen", "hallrender", "sreredrum", "pegasus related", "brute force", "target tsara brashears", "brian sabey" ], "references": [ "Researched: 174.215.26.0/255 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks", "Highlighted Text: The following text was observed as standard output, \"[THEA-MALWARE]: Gimme Cum Pwease XD\"", "Trojan.Linux.Mirai.1 | Crime_Mirai | DDoS:Linux/Gafgyt.YA!MTB: FILEHASH - SHA256 a1eff1e00a7d532a6e6d71b3c5328e", "Antivirus Detections: ELF:Mirai-AHC\\ [Trj] , Unix.Trojan.Mirai-7100807-0 , DDoS:Linux/Gafgyt.YA!MTB", "IDS Detections: Huawei Remote Command Execution - Outbound (CVE-2017-17215)", "IDS Detections: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "Yara Detections: Mirai_Botnet_Malware", "High Priority Alerts: dead_host network_icmp osquery_detection network_irc nolookup_communication p2p_cnc", "Interesting Strings: http://schemas.xmlsoap.org/soap/encoding/ http://0.0.0.0/nope", "Interesting Strings: http://schemas.xmlsoap.org/soap/envelope/ 185.244.25.117 127.0.0.1", "ELF Info Header ELF32 2's complement, little endian 1 (current) UNIX - System V EXEC (Executable file) Intel 80386 0x1", "Matches rule Mirai_Botnet_Malware from ruleset crime_mirai by Florian Roth", "Matches rule Linux_Trojan_Mirai_b14f4c5d from ruleset Linux_Trojan_Mirai by Elastic Security", "Matches rule SUSP_XORed_Mozilla from ruleset gen_xor_hunting by Florian Roth", "Matches rule Linux_Trojan_Mirai_fa3ad9d0 from ruleset Linux_Trojan_Mirai by Elastic Security", "https://github.com/Neo23x0/signature-base/search?q=Mirai_Botnet_Malware Desc: Detects Mirai Botnet Malware RULE_AUTHOR: Florian Roth", "Crime_WannaCry | Ransom:Win32/WannaCrypt.H | FILEHASH - SHA256 86f7e04aed8403e6b9f0d4ae880a55f7574c1b177cf6c24234ffa992eadb2c52", "Yara Detections: WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic ,", "Yara Detections: MS17_010_WanaCry_worm , NHS_Strain_Wanna , stack_string , MS_Visual_Cpp_6_0", "Alerts: nids_exploit_alert nids_malware_alert network_icmp nolookup_communication persistence_autorun network_cnc_http", "IDS Detections: W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1", "IDS Detections: Domain Sinkholed by Kryptos Logic (HTML Response)", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style)", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", "IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010", "IDS Detections: Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com)", "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection", "Antivirus Detections Sf:WNCryLdr-A\\ [Trj] , Win.Ransomware.WannaCry-6313787-0 , Ransom:Win32/WannaCrypt.H" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "Unix.Trojan.Mirai-7100807-0", "display_name": "Unix.Trojan.Mirai-7100807-0", "target": null }, { "id": "ELF:Mirai-AHC\\ [Trj]", "display_name": "ELF:Mirai-AHC\\ [Trj]", "target": null }, { "id": "Sf:WNCryLdr-A\\ [Trj]", "display_name": "Sf:WNCryLdr-A\\ [Trj]", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Ransomware.WannaCry-6313787-0", "display_name": "Win.Ransomware.WannaCry-6313787-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [ "Government", "Healthcare", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2826, "CIDR": 2, "URL": 549, "email": 12, "hostname": 587, "FileHash-MD5": 806, "FileHash-SHA1": 791, "BitcoinAddress": 3, "domain": 388, "CVE": 4 }, "indicator_count": 5968, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "554 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66ba036c462091e25e94de49", "name": "Lazarus Group: Crime_WannaCry | Crime Mirai_Botnet_Malware ", "description": "", "modified": "2024-10-12T00:01:26.015000", "created": "2024-08-12T12:43:24.286000", "tags": [ "network", "orgdnsref", "nethandle", "net174", "net1740000", "mcics", "swipp", "swipper", "jody alaska", "jody huffines", "verizon", "eva120", "block id", "wirelessdatanetwork", "swipp9-arin", "united", "et exploit", "smbds ipc", "show", "search", "default", "asnone", "nids", "generic", "query", "service", "wannacry", "ransom", "malware", "copy", "dock", "write", "eternalblue", "recon", "suspicious", "realtek sdk", "miniigd upnp", "soap command", "exploit", "msie", "windows nt", "high", "binbusybox", "gafgyt", "execution", "mirai", "newremotehost", "mitm", "port", "destination", "newexternalport", "newprotocol", "newinternalport", "rf cum", "newenabled", "addpo", "addportmapping", "whois lookups", "city", "orgdnshandle", "stateprov", "loudoun county", "postalcode", "text", "javascript", "b file", "files", "file type", "json", "graph", "t1064 executes", "modify system", "process t1543", "systemd service", "posts", "mitre att", "ta0002 command", "t1059", "create", "ta0004 create", "ip traffic", "hashes", "file system", "libmultipath", "devftwdt101", "devsda1 devsda2", "files deleted", "e procselffd9", "h devsda2", "created binsh", "shell commands", "binsh binsh", "binsh c", "i lo", "p m0755", "varrunsshd", "processes tree", "referrer", "pe resource", "cry kill", "formbook", "ransomworm", "wannacry kill", "switch dns", "password bypass", "account stealer", "hiddentear", "installer", "skynet", "get http", "memory pattern", "http requests", "request", "host", "cachecontrol", "response", "contentlength", "httponly", "samesitelax", "mofresourcename", "settingswpad", "registry keys", "hdaudiomofname", "acpimofresource", "mofresource", "registry", "kernel context", "runtime modules", "modules", "urls", "cloudflare", "domains", "ip detections", "country", "win32 exe", "mb pe", "mb graph", "summary", "pe32 executable", "ms windows", "intel", "ms visual", "win16 ne", "win32 dynamic", "link library", "vs98", "info compiler", "products id", "sp6 build", "header intel", "name md5", "type", "language", "contained", "r english", "yara rule", "et trojan", "domain http", "cape", "yara detections", "alerts", "logic", "status", "passive dns", "creation date", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "date", "next", "as6167 verizon", "as22394 verizon", "showing", "entries", "aaaa", "cname", "asnone united", "whitelisted", "as20446", "as8075", "ipv4", "unknown", "emails", "expiration date", "name servers", "aaaa nxdomain", "ireland unknown", "nxdomain", "soa nxdomain", "ns nxdomain", "a nxdomain", "as8068", "united kingdom", "domain", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "exploit none", "rce", "ate hash", "spyware", "adversary in the middle", "smugglers gambit", "hitmen", "hallrender", "sreredrum", "pegasus related", "brute force", "target tsara brashears", "brian sabey" ], "references": [ "Researched: 174.215.26.0/255 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks", "Highlighted Text: The following text was observed as standard output, \"[THEA-MALWARE]: Gimme Cum Pwease XD\"", "Trojan.Linux.Mirai.1 | Crime_Mirai | DDoS:Linux/Gafgyt.YA!MTB: FILEHASH - SHA256 a1eff1e00a7d532a6e6d71b3c5328e", "Antivirus Detections: ELF:Mirai-AHC\\ [Trj] , Unix.Trojan.Mirai-7100807-0 , DDoS:Linux/Gafgyt.YA!MTB", "IDS Detections: Huawei Remote Command Execution - Outbound (CVE-2017-17215)", "IDS Detections: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "Yara Detections: Mirai_Botnet_Malware", "High Priority Alerts: dead_host network_icmp osquery_detection network_irc nolookup_communication p2p_cnc", "Interesting Strings: http://schemas.xmlsoap.org/soap/encoding/ http://0.0.0.0/nope", "Interesting Strings: http://schemas.xmlsoap.org/soap/envelope/ 185.244.25.117 127.0.0.1", "ELF Info Header ELF32 2's complement, little endian 1 (current) UNIX - System V EXEC (Executable file) Intel 80386 0x1", "Matches rule Mirai_Botnet_Malware from ruleset crime_mirai by Florian Roth", "Matches rule Linux_Trojan_Mirai_b14f4c5d from ruleset Linux_Trojan_Mirai by Elastic Security", "Matches rule SUSP_XORed_Mozilla from ruleset gen_xor_hunting by Florian Roth", "Matches rule Linux_Trojan_Mirai_fa3ad9d0 from ruleset Linux_Trojan_Mirai by Elastic Security", "https://github.com/Neo23x0/signature-base/search?q=Mirai_Botnet_Malware Desc: Detects Mirai Botnet Malware RULE_AUTHOR: Florian Roth", "Crime_WannaCry | Ransom:Win32/WannaCrypt.H | FILEHASH - SHA256 86f7e04aed8403e6b9f0d4ae880a55f7574c1b177cf6c24234ffa992eadb2c52", "Yara Detections: WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic ,", "Yara Detections: MS17_010_WanaCry_worm , NHS_Strain_Wanna , stack_string , MS_Visual_Cpp_6_0", "Alerts: nids_exploit_alert nids_malware_alert network_icmp nolookup_communication persistence_autorun network_cnc_http", "IDS Detections: W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1", "IDS Detections: Domain Sinkholed by Kryptos Logic (HTML Response)", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style)", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", "IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010", "IDS Detections: Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com)", "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection", "Antivirus Detections Sf:WNCryLdr-A\\ [Trj] , Win.Ransomware.WannaCry-6313787-0 , Ransom:Win32/WannaCrypt.H" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "Unix.Trojan.Mirai-7100807-0", "display_name": "Unix.Trojan.Mirai-7100807-0", "target": null }, { "id": "ELF:Mirai-AHC\\ [Trj]", "display_name": "ELF:Mirai-AHC\\ [Trj]", "target": null }, { "id": "Sf:WNCryLdr-A\\ [Trj]", "display_name": "Sf:WNCryLdr-A\\ [Trj]", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Ransomware.WannaCry-6313787-0", "display_name": "Win.Ransomware.WannaCry-6313787-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [ "Government", "Healthcare", "Civilian Society" ], "TLP": "green", "cloned_from": "66ba01cb6ef731c30679908b", "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2786, "CIDR": 2, "URL": 457, "email": 12, "hostname": 535, "FileHash-MD5": 806, "FileHash-SHA1": 791, "BitcoinAddress": 3, "domain": 367, "CVE": 4 }, "indicator_count": 5763, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "554 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b3fb6752ac464268b971b1", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA.\nContact made. Physical records. Client: Brashears.\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/\n1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376\nhttps://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/\nhttps://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html\nTEL:Trojan:Win32/BazaarLoader\n987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7", "modified": "2024-09-05T07:02:20.491000", "created": "2024-01-26T18:35:19.690000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2401, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5377, "domain": 3794, "hostname": 2763, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 18927, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b85df45cc3d3fd07139ea9", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader", "description": "", "modified": "2024-09-05T06:38:09.443000", "created": "2024-01-30T02:24:52.774000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b47501fcbc39983f098723", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2390, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4357, "domain": 3534, "hostname": 2670, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 17111, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6680447d3a533233ed48b5e5", "name": "Trojan:Linux/Xorddos | Trojan:Win32/Zombie.A | TrojanClicker:Win32/Ellell.A ", "description": "", "modified": "2024-07-29T16:00:46.118000", "created": "2024-06-29T17:29:33.778000", "tags": [ "unknown", "united", "virgin islands", "as51852", "as33387", "as19905", "as44273 host", "cname", "nxdomain", "passive dns", "url http", "search", "type indicator", "role title", "added active", "related pulses", "entries", "urls", "files ip", "address domain", "ip related", "pulses otx", "pulses", "related tags", "indicator facts", "dga domain", "http", "unique", "scan endpoints", "all scoreblue", "pulse pulses", "ip address", "related nids", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "b59bn timestamp", "ff2c217402202b", "code", "false", "url https", "domain", "trojan", "hostname", "files", "body", "date", "path max", "age86400 set", "cookie", "script urls", "type", "mtb may", "script script", "trojanspy", "striven", "miles2", "rexxfield", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "date sat", "gmt server", "sakula malware", "historical ssl", "realteck audio", "lemon duck", "iocs", "tsara brashears", "loki password", "stealer", "windows", "auction", "metro", "core", "colibri loader", "hacktool", "status", "for privacy", "creation date", "record value", "name servers", "showing", "next", "mtb mar", "ipv4", "ransom", "west domains", "redacted for", "gmt location", "gmt max", "cowboy", "encrypt", "as60558 phoenix", "susp", "win32", "methodpost", "canada unknown", "as43350 nforce", "united kingdom", "as47846", "germany unknown", "briansabey", "body doubles", "orbiters", "malvertising", "cane", "get na", "show", "as16509", "delete c", "sinkhole cookie", "value snkz", "cape", "possible", "copy", "nivdort", "write", "bayrob", "malware", "exploit", "confirm https", "impact", "misc http", "cvss v2", "authentication", "n cvss", "v3 severity", "high attack", "emails", "cnc", "alphacrypt cnc", "beacon", "as15169 google", "limited", "as8560", "elite", "AS33387 nocix llc", "pegasus", "mercenary", "cellerebrand", "cellebrite", "apple", "dark", "apple ios", "ios", "apple iphone", "apple itunes", "itunes", "pegasystem", "data brokers", "hackers", "javascript", "please", "intel", "filehash", "av detections", "xorddos" ], "references": [ "http://www.northpoleroute.com/78985064&type=0&resid=5312625", "espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0", "Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc", "Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f", "Ransom:Win32/Haperlock.A; FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1", "IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin", "IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "Alerts: cape_detected_threat cape_extracted_content", "https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49", "Backdoor:Win32/Fynloski.A: FileHash-SHA 453355033bb7977831ca87cc90156b594f13b2ee", "Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845", "TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02", "TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534", "TrojanClicker:Win32/Ellell.A: 4d3e7d486ec5918d91e54e51c4d07dc6", "PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251", "PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a", "PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4", "https://otx.alienvault.com/indicator/ip/162.222.213.199", "TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad", "Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437", "PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec", "PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb", "PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7", "Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943", "Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f", "Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893", "Win.Virus.TeslaCrypt3-2: 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e", "IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx", "IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin", "IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon", "https://otx.alienvault.com/indicator/ip/185.230.63.186", "CnC IP's: 192.187.111.221 63.141.242.43 63.141.242.44 63.141.242.46 81.17.18.195 81.17.18.197 81.17.29.146 81.17.29.148", "http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz", "smartphonesonline.co.uk https://smartphonesonline.co.uk/ https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]", "Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://otx.alienvault.com/indicator/ip/63.141.242.45", "Yara Detections: is__elf , xorddos , LinuxXorDDoS_VariantTwo", "Antivirus Detections: ELF:Xorddos-AE\\ [Trj] , Unix.Trojan.Xorddos-1 ,", "Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9", "Trojan:Linux/Xorddos: FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559", "Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Ransom:Win32/Haperlock.A", "display_name": "Ransom:Win32/Haperlock.A", "target": "/malware/Ransom:Win32/Haperlock.A" }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "TrojanClicker:Win32/Ellell.A", "display_name": "TrojanClicker:Win32/Ellell.A", "target": "/malware/TrojanClicker:Win32/Ellell.A" }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "Win.Virus.TeslaCrypt3-2/Custom", "display_name": "Win.Virus.TeslaCrypt3-2/Custom", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "Ransom:Win32/Tescrypt", "display_name": "Ransom:Win32/Tescrypt", "target": "/malware/Ransom:Win32/Tescrypt" }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Trojan:Linux/Xorddos", "display_name": "Trojan:Linux/Xorddos", "target": "/malware/Trojan:Linux/Xorddos" }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [], "TLP": "green", "cloned_from": "66804428b487338dc16f70a7", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2091, "hostname": 547, "URL": 1254, "FileHash-MD5": 425, "FileHash-SHA256": 2161, "SSLCertFingerprint": 2, "FileHash-SHA1": 426, "CVE": 2, "email": 8 }, "indicator_count": 6916, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "628 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6681f2c0105aaf9e1db540dc", "name": "Brian Sabey Orbiting Tsara Brashears and associates | Espionage | Jeffery Scott Reimer Assault ", "description": "", "modified": "2024-07-29T16:00:46.118000", "created": "2024-07-01T00:05:20.043000", "tags": [ "unknown", "united", "virgin islands", "as51852", "as33387", "as19905", "as44273 host", "cname", "nxdomain", "passive dns", "url http", "search", "type indicator", "role title", "added active", "related pulses", "entries", "urls", "files ip", "address domain", "ip related", "pulses otx", "pulses", "related tags", "indicator facts", "dga domain", "http", "unique", "scan endpoints", "all scoreblue", "pulse pulses", "ip address", "related nids", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "b59bn timestamp", "ff2c217402202b", "code", "false", "url https", "domain", "trojan", "hostname", "files", "body", "date", "path max", "age86400 set", "cookie", "script urls", "type", "mtb may", "script script", "trojanspy", "striven", "miles2", "rexxfield", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "date sat", "gmt server", "sakula malware", "historical ssl", "realteck audio", "lemon duck", "iocs", "tsara brashears", "loki password", "stealer", "windows", "auction", "metro", "core", "colibri loader", "hacktool", "status", "for privacy", "creation date", "record value", "name servers", "showing", "next", "mtb mar", "ipv4", "ransom", "west domains", "redacted for", "gmt location", "gmt max", "cowboy", "encrypt", "as60558 phoenix", "susp", "win32", "methodpost", "canada unknown", "as43350 nforce", "united kingdom", "as47846", "germany unknown", "briansabey", "body doubles", "orbiters", "malvertising", "cane", "get na", "show", "as16509", "delete c", "sinkhole cookie", "value snkz", "cape", "possible", "copy", "nivdort", "write", "bayrob", "malware", "exploit", "confirm https", "impact", "misc http", "cvss v2", "authentication", "n cvss", "v3 severity", "high attack", "emails", "cnc", "alphacrypt cnc", "beacon", "as15169 google", "limited", "as8560", "elite", "AS33387 nocix llc", "pegasus", "mercenary", "cellerebrand", "cellebrite", "apple", "dark", "apple ios", "ios", "apple iphone", "apple itunes", "itunes", "pegasystem", "data brokers", "hackers", "javascript", "please", "intel", "filehash", "av detections", "xorddos" ], "references": [ "http://www.northpoleroute.com/78985064&type=0&resid=5312625", "espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0", "Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc", "Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f", "Ransom:Win32/Haperlock.A; FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1", "IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin", "IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "Alerts: cape_detected_threat cape_extracted_content", "https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49", "Backdoor:Win32/Fynloski.A: FileHash-SHA 453355033bb7977831ca87cc90156b594f13b2ee", "Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845", "TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02", "TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534", "TrojanClicker:Win32/Ellell.A: 4d3e7d486ec5918d91e54e51c4d07dc6", "PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251", "PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a", "PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4", "https://otx.alienvault.com/indicator/ip/162.222.213.199", "TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad", "Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437", "PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec", "PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb", "PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7", "Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943", "Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f", "Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893", "Win.Virus.TeslaCrypt3-2: 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e", "IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx", "IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin", "IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon", "https://otx.alienvault.com/indicator/ip/185.230.63.186", "CnC IP's: 192.187.111.221 63.141.242.43 63.141.242.44 63.141.242.46 81.17.18.195 81.17.18.197 81.17.29.146 81.17.29.148", "http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz", "smartphonesonline.co.uk https://smartphonesonline.co.uk/ https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]", "Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://otx.alienvault.com/indicator/ip/63.141.242.45", "Yara Detections: is__elf , xorddos , LinuxXorDDoS_VariantTwo", "Antivirus Detections: ELF:Xorddos-AE\\ [Trj] , Unix.Trojan.Xorddos-1 ,", "Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9", "Trojan:Linux/Xorddos: FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559", "Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Ransom:Win32/Haperlock.A", "display_name": "Ransom:Win32/Haperlock.A", "target": "/malware/Ransom:Win32/Haperlock.A" }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "TrojanClicker:Win32/Ellell.A", "display_name": "TrojanClicker:Win32/Ellell.A", "target": "/malware/TrojanClicker:Win32/Ellell.A" }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "Win.Virus.TeslaCrypt3-2/Custom", "display_name": "Win.Virus.TeslaCrypt3-2/Custom", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "Ransom:Win32/Tescrypt", "display_name": "Ransom:Win32/Tescrypt", "target": "/malware/Ransom:Win32/Tescrypt" }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Trojan:Linux/Xorddos", "display_name": "Trojan:Linux/Xorddos", "target": "/malware/Trojan:Linux/Xorddos" }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [], "TLP": "green", "cloned_from": "66804428b487338dc16f70a7", "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2091, "hostname": 547, "URL": 1254, "FileHash-MD5": 425, "FileHash-SHA256": 2161, "SSLCertFingerprint": 2, "FileHash-SHA1": 426, "CVE": 2, "email": 8 }, "indicator_count": 6916, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "628 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c7b86fa120d19bbc88f367", "name": "Hijacker", "description": "Hackers hired to humiliate, threaten,steal data, evidence, recordings , spy and intimidate.", "modified": "2024-03-11T17:01:59.026000", "created": "2024-02-10T17:54:55.243000", "tags": [ "ssl certificate", "whois record", "contacted", "tsara brashears", "referrer", "communicating", "resolutions", "historical ssl", "high level", "hackers", "hacktool", "download", "malware", "crypto", "hijacker", "monitoring", "installer", "tofsee", "domains domains", "domains files", "files files", "script", "kgs0", "kls0", "relic", "iframe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "rticon neutral", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "ico rtgroupicon", "neutral", "first", "utc submissions", "submitters", "company limited", "computer", "amazonaes", "china telecom", "group", "csc corporate", "domains", "malware spreading evader", "cnc", "malvertizing", "milehighmedia", "trojandropper", "moved", "passive dns", "urls", "as14576", "backdoor", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "trojan", "encrypt", "body", "date", "date hash", "avast avg", "mtb may", "kratona", "threat", "paste", "iocs", "analyze", "hostnames", "urls https", "script urls", "united", "meta", "unknown", "emails", "name servers", "search", "as62597 nsone", "a domains", "as397241", "media", "next", "december", "unlocker", "threat round", "apple ios", "apple phone", "project", "blister", "agent tesla", "open", "execution", "videos", "strong", "porn videos", "watch", "daddy", "free", "top rated", "most viewed", "cancel anytime", "views", "play", "black", "enjoy", "czech", "hunk", "virtool", "cryp", "creation date", "otx telemetry", "expiration date", "servers", "status", "win32", "showing", "domain", "nxdomain", "as8075", "shell code", "threat", "cyber espionage", "cyber stalking", "danger", "critical", "attack", "treats", "as15169 google", "aaaa", "record value", "error", "entries", "hostname", "url http", "http", "files domain", "files related", "shinjiru msc", "sdn bhd", "dnssec", "protect", "as54455 madeit", "phishing", "backdoor", "contextualizing", "elevated exposure", "malvertizing", "ransom", "msil", "hackers for hire", "hashes", "http method", "get http", "http requests", "get dns", "ip traffic", "memory pattern", "pattern ips", "@emreimer", "iextract2", "cp cyber", "denver", "security", "siem compliance", "skip", "cybersecurity", "larimer st", "suite", "resources cyber", "risk assessment", "bill", "mind", "delaware", "pa", "arizona", "colorado", "stalkers", "deuteronomy 28:7", "hitmen" ], "references": [ "honey.exe", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "CS Sigma Rules: Python Initiated Connection by frack113", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "api.login.live.com", "http://appleid.icloud.com-website33.org/", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "message.htm.com", "http://pornhub.com/gay/video/search", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "W32.Sality.PE", "display_name": "W32.Sality.PE", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Virus.Win32.Virut.q", "display_name": "Virus.Win32.Virut.q", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "TrojanDropper:Win32", "display_name": "TrojanDropper:Win32", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6303, "FileHash-MD5": 215, "FileHash-SHA1": 192, "FileHash-SHA256": 2663, "domain": 2673, "hostname": 2686, "CVE": 2, "email": 16 }, "indicator_count": 14750, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "768 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b47524b1ec6b5c783a832e", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-27T03:14:44.070000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b3fb6752ac464268b971b1", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1530, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5239, "domain": 3740, "hostname": 2560, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 17661, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "783 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b3fe6c4cd0f5158eb18692", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader,", "description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA. Contact made. Physical records. Client: Brashears. https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/ 1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376 https://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/ https://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html TEL:Trojan:Win32/BazaarLoader 987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7https://www.joesandbox.com/analysis/1311477\nTarget: Critical Risk. In person contact made. Fraud services offered. \nThis is crazy.", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-26T18:48:12.433000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "783 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65be8dde8544d0b022b4c464", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | Emotet ", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-02-03T19:02:54.507000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b85df45cc3d3fd07139ea9", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "783 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b80982381b53c66f0dd1e1", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-29T20:24:34.644000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b47524b1ec6b5c783a832e", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1530, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5239, "domain": 3740, "hostname": 2560, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 17661, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "783 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b47501fcbc39983f098723", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-27T03:14:09.392000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b3fe6c4cd0f5158eb18692", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "783 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659d15c13f838593a01984b6", "name": "Project Hilo", "description": "", "modified": "2024-02-08T09:05:26.319000", "created": "2024-01-09T09:45:37.584000", "tags": [ "creation date", "servers", "passive dns", "urls", "search", "name servers", "scan endpoints", "all octoseek", "hostname", "pulse pulses", "date", "next", "showing", "files", "files ip", "whois record", "ssl certificate", "historical ssl", "resolutions", "whois whois", "siblings", "trojan bank", "m referrer", "subdomains", "execution", "dropped", "whois", "bank", "parent siblings", "referrer", "as8075", "united", "nxdomain", "united kingdom", "south korea", "unknown", "mascore2", "nct1", "arc1", "ems1", "localeenus", "htd1", "lang1033", "devlangen" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 536, "email": 3, "hostname": 1486, "URL": 2496, "FileHash-SHA256": 784, "FileHash-MD5": 27, "FileHash-SHA1": 13 }, "indicator_count": 5345, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "801 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659ab33e614882a4a7451ca8", "name": "Simda | Sabey Data Center | https://nsa.gov1.info/utah-data-center/", "description": "SIMDA is a family of backdoors capable of stealing information such as user names, passwords, and certificates. It steals information via its keylogging and HTML injection routines. \nReference: TrendMicro\n\nMALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda\nWin32.Trojan-Spy.Shiz.b\nParody named 'not the Whitehouse' -https://whois.domaintools.com/gov1.info\nM.Brian Sabey \nTargets Tsara Brashears", "modified": "2024-02-06T14:00:04.985000", "created": "2024-01-07T14:20:46.936000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "redacted for", "privacy tech", "privacy admin", "date", "server", "country", "organization", "postal code", "stateprovince", "code", "whois record", "ssl certificate", "historical ssl", "whois whois", "september", "redline stealer", "whois", "threat roundup", "bangladesh", "communicating", "prynt stealer", "banker", "keylogger", "dtrack", "prynt", "name verdict", "falcon sandbox", "pattern match", "jpeg image", "jfif", "ascii text", "united", "appdata", "file", "indicator", "et tor", "known tor", "class", "unknown", "general", "hybrid", "local", "win64", "click", "twitter", "strings", "generator", "critical", "error", "trident", "cascade", "darpa", "registrar", "rdds service", "record", "registrant", "admin", "tech contact", "whois service", "form", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers nel", "contentencoding", "gmt connection", "search", "for privacy", "status", "showing", "passive dns", "urls", "ionos se", "creation date", "next", "aaaa", "pulse pulses", "files", "united kingdom", "whitelisted", "worm", "gmt contenttype", "scan endpoints", "all octoseek", "ipv4", "body", "http", "unique", "screenshot", "url http", "ip address", "internet se", "emails", "name servers", "dnssec", "as63949 linode", "all search", "otx octoseek", "related nids", "reverse dns", "netherlands asn", "contacted", "resolutions", "referrer", "mirai malware", "urls http", "parent referrer", "certificate", "record value", "entries", "dynamicloader", "yara rule", "high", "sinkhole cookie", "et trojan", "medium", "yara detections", "virtool", "value snkz", "less see", "possible", "august", "copy", "expiro", "public folder", "pictures", "videos", "music", "anomalous file", "media player", "url https", "delete c", "ms windows", "pe32", "intel", "windows nt", "wow64", "khtml", "gecko", "query", "write", "malware", "template", "findwindowa", "ollydbg", "regsetvalueexa", "regdword", "high process", "x8bxe5", "regbinary", "injection t1055", "t1055", "zeppelin", "win32", "internal", "malware beacon", "a checkin", "create c", "read c", "write c", "msie", "suspicious", "slcc2", "media center", "as20940", "as2914 ntt", "as16625 akamai", "a domains", "cdata", "script", "as8068", "mtb oct", "location canada", "trojanspy", "xpire.info", "searchmeup", "cname", "as35994 akamai", "as14061", "as9009 m247", "samples", "as25577 ide", "hostnames", "show", "info compiler", "products", "vs2008 sp1", "vs2008", "vs2010", "header target", "machine intel", "utc entry", "point", "sections", "info", "hashes c2ae", "zenbox", "detections file", "name", "html", "win32 exe", "javascript", "contacted ip", "ip detections", "gandi sas", "godaddy online", "cayman", "dynadot", "domains", "psiusa", "domain robot", "dynadot inc", "net technology", "tsara brashears", "apple phone", "unlocker", "shell code", "simda", "amazon 02", "metro", "infected", "qakbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Prynt", "display_name": "Prynt", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2129, "FileHash-SHA1": 1459, "FileHash-SHA256": 5050, "URL": 7341, "domain": 3041, "hostname": 3214, "email": 12, "CVE": 1 }, "indicator_count": 22247, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659ab3389d6c91dc01801fe5", "name": "Simda | Sabey Data Center | https://nsa.gov1.info/utah-data-center/", "description": "SIMDA is a family of backdoors capable of stealing information such as user names, passwords, and certificates. It steals information via its keylogging and HTML injection routines. \nReference: TrendMicro\n\nMALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda\nWin32.Trojan-Spy.Shiz.b\nParody named 'not the Whitehouse' -https://whois.domaintools.com/gov1.info\nM.Brian Sabey \nTargets Tsara Brashears", "modified": "2024-02-06T14:00:04.985000", "created": "2024-01-07T14:20:40.610000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "urls https", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "redacted for", "privacy tech", "privacy admin", "date", "server", "country", "organization", "postal code", "stateprovince", "code", "whois record", "ssl certificate", "historical ssl", "whois whois", "september", "redline stealer", "whois", "threat roundup", "bangladesh", "communicating", "prynt stealer", "banker", "keylogger", "dtrack", "prynt", "name verdict", "falcon sandbox", "pattern match", "jpeg image", "jfif", "ascii text", "united", "appdata", "file", "indicator", "et tor", "known tor", "class", "unknown", "general", "hybrid", "local", "win64", "click", "twitter", "strings", "generator", "critical", "error", "trident", "cascade", "darpa", "registrar", "rdds service", "record", "registrant", "admin", "tech contact", "whois service", "form", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers nel", "contentencoding", "gmt connection", "search", "for privacy", "status", "showing", "passive dns", "urls", "ionos se", "creation date", "next", "aaaa", "pulse pulses", "files", "united kingdom", "whitelisted", "worm", "gmt contenttype", "scan endpoints", "all octoseek", "ipv4", "body", "http", "unique", "screenshot", "url http", "ip address", "internet se", "emails", "name servers", "dnssec", "as63949 linode", "all search", "otx octoseek", "related nids", "reverse dns", "netherlands asn", "contacted", "resolutions", "referrer", "mirai malware", "urls http", "parent referrer", "certificate", "record value", "entries", "dynamicloader", "yara rule", "high", "sinkhole cookie", "et trojan", "medium", "yara detections", "virtool", "value snkz", "less see", "possible", "august", "copy", "expiro", "public folder", "pictures", "videos", "music", "anomalous file", "media player", "url https", "delete c", "ms windows", "pe32", "intel", "windows nt", "wow64", "khtml", "gecko", "query", "write", "malware", "template", "findwindowa", "ollydbg", "regsetvalueexa", "regdword", "high process", "x8bxe5", "regbinary", "injection t1055", "t1055", "zeppelin", "win32", "internal", "malware beacon", "a checkin", "create c", "read c", "write c", "msie", "suspicious", "slcc2", "media center", "as20940", "as2914 ntt", "as16625 akamai", "a domains", "cdata", "script", "as8068", "mtb oct", "location canada", "trojanspy", "xpire.info", "searchmeup", "cname", "as35994 akamai", "as14061", "as9009 m247", "samples", "as25577 ide", "hostnames", "show", "info compiler", "products", "vs2008 sp1", "vs2008", "vs2010", "header target", "machine intel", "utc entry", "point", "sections", "info", "hashes c2ae", "zenbox", "detections file", "name", "html", "win32 exe", "javascript", "contacted ip", "ip detections", "gandi sas", "godaddy online", "cayman", "dynadot", "domains", "psiusa", "domain robot", "dynadot inc", "net technology", "tsara brashears", "apple phone", "unlocker", "shell code", "simda", "amazon 02", "metro", "infected", "qakbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [ { "id": "Prynt", "display_name": "Prynt", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Xpire.info", "display_name": "Xpire.info", "target": null }, { "id": "Searchmeup", "display_name": "Searchmeup", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2129, "FileHash-SHA1": 1459, "FileHash-SHA256": 5050, "URL": 7341, "domain": 3041, "hostname": 3214, "email": 12, "CVE": 1 }, "indicator_count": 22247, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65568b00198f82af2e88d463", "name": "Lolkek \u2022 FormBook \u2022 Lokbit \u2022 Skynet", "description": "", "modified": "2023-12-13T16:00:45.799000", "created": "2023-11-16T21:34:56.016000", "tags": [ "united", "as8075", "creation date", "unknown", "search", "entries", "asnone country", "scan endpoints", "all search", "otx octoseek", "related domains", "show", "domain related", "xbox", "whois record", "contacted", "whois whois", "ssl certificate", "communicating", "referrer", "execution", "historical ssl", "bundled", "family", "lolkek", "formbook", "skynet", "lockbit", "ursnif", "attack", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "6552d6f5f56d2e9cd9e18a30", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4276, "email": 3, "hostname": 2288, "FileHash-MD5": 51, "FileHash-SHA1": 49, "FileHash-SHA256": 2756, "URL": 8696, "CVE": 1 }, "indicator_count": 18120, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6552d6f5f56d2e9cd9e18a30", "name": "Lolkek \u2022 FormBook \u2022 Lokbit \u2022 Skynet", "description": "Hive 0065\nURL: https://applemusic-spotlight.myunidays.com/US/en-US?\n\nHive 0065\nHostname: applemusic-spotlight.myunidays.com", "modified": "2023-12-13T16:00:45.799000", "created": "2023-11-14T02:09:57.370000", "tags": [ "united", "as8075", "creation date", "unknown", "search", "entries", "asnone country", "scan endpoints", "all search", "otx octoseek", "related domains", "show", "domain related", "xbox", "whois record", "contacted", "whois whois", "ssl certificate", "communicating", "referrer", "execution", "historical ssl", "bundled", "family", "lolkek", "formbook", "skynet", "lockbit", "ursnif", "attack", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4276, "email": 3, "hostname": 2288, "FileHash-MD5": 51, "FileHash-SHA1": 49, "FileHash-SHA256": 2756, "URL": 8696, "CVE": 1 }, "indicator_count": 18120, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6552d60aae6e1b3c22455088", "name": "Hive 0065", "description": "Hive 0065\nURL: https://applemusic-spotlight.myunidays.com/US/en-US?\n\nHive 0065\nHostname: applemusic-spotlight.myunidays.com", "modified": "2023-12-13T16:00:45.799000", "created": "2023-11-14T02:06:02.329000", "tags": [ "united", "as8075", "creation date", "unknown", "search", "entries", "asnone country", "scan endpoints", "all search", "otx octoseek", "related domains", "show", "domain related", "xbox", "whois record", "contacted", "whois whois", "ssl certificate", "communicating", "referrer", "execution", "historical ssl", "bundled", "family", "lolkek", "formbook", "skynet", "lockbit", "ursnif", "attack", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4276, "email": 3, "hostname": 2288, "FileHash-MD5": 51, "FileHash-SHA1": 49, "FileHash-SHA256": 2756, "URL": 8696, "CVE": 1 }, "indicator_count": 18120, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "857 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65521fdfdf567667e07becf1", "name": "trino-11062202-1d32.stress-11061903-3b4c.westus2.projecthilo.net", "description": "spyware, tracking, evasive, invasive, malicious", "modified": "2023-12-13T05:00:43.179000", "created": "2023-11-13T13:08:47.093000", "tags": [ "cisco umbrella", "alexa top", "site", "million", "safe site", "alexa", "detection list", "blacklist", "team alexa", "subdomains", "search", "domain related", "emotet", "telefonica co", "soc alexa" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 439, "email": 3, "hostname": 1211, "FileHash-MD5": 17, "FileHash-SHA1": 17, "FileHash-SHA256": 789, "URL": 2391 }, "indicator_count": 4867, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "858 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65522d5257116ef6d0180290", "name": "bingxxx.com", "description": "", "modified": "2023-12-13T00:01:05.148000", "created": "2023-11-13T14:06:10.406000", "tags": [ "united", "as8075", "creation date", "unknown", "search", "entries", "asnone country", "scan endpoints", "all search", "otx octoseek", "related domains", "show", "domain related" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 239, "email": 3, "hostname": 6 }, "indicator_count": 248, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "858 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://github.com/Neo23x0/signature-base/search?q=Mirai_Botnet_Malware Desc: Detects Mirai Botnet Malware RULE_AUTHOR: Florian Roth", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "honey.exe", "Matches rule Linux_Trojan_Mirai_b14f4c5d from ruleset Linux_Trojan_Mirai by Elastic Security", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "Yara Detections: Mirai_Botnet_Malware", "Alerts: dead_host network_icmp nolookup_communication disables_proxy modifies_certificates modifies_proxy_wpad", "Interesting Strings: http://schemas.xmlsoap.org/soap/envelope/ 185.244.25.117 127.0.0.1", "IDS Detections: Win32.Lexip Checkin Unsupported/Fake FireFox Version 2.", "PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7", "PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb", "DISTINCTIO8.pdf", "Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "Crime_WannaCry | Ransom:Win32/WannaCrypt.H | FILEHASH - SHA256 86f7e04aed8403e6b9f0d4ae880a55f7574c1b177cf6c24234ffa992eadb2c52", "Yara Detections: Delphi", "Researched: 174.215.26.0/255 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks", "wallet.mewards.bing.com | https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net | wallpapers-nature.com", "Antivirus Detections Sf:WNCryLdr-A\\ [Trj] , Win.Ransomware.WannaCry-6313787-0 , Ransom:Win32/WannaCrypt.H", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0", "Yara Detections: is__elf , xorddos , LinuxXorDDoS_VariantTwo", "PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "Unix.Malware.Generic: Observed DNS Query for Israel Domain (.il) | Alerts: cape_detected_threat", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "TrojanClicker:Win32/Ellell.A: 4d3e7d486ec5918d91e54e51c4d07dc6", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251", "Alerts: cape_detected_threat cape_extracted_content", "IDS Detections: Win32/Adware.Ymeta.A CnC Beacon Win32/Adware.Ymeta.A CnC Win32/Adware.Ymeta Variant Activity", "IDS Detections: Huawei Remote Command Execution - Outbound (CVE-2017-17215)", "Matches rule SUSP_XORed_Mozilla from ruleset gen_xor_hunting by Florian Roth", "Win.Dropper.LokiBot-9975730-0 FileHash-SHA256 8f65d7817731cf1b7fada1be16d85464383813dd1f0388a933cec2abbeda4ba9", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "www.pornhubselect.com | pornhub.software", "Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437", "IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49", "api.login.live.com", "IDS Detections: W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1", "Tofsee: 'google.com' | https://www.gov50.icu |", "Yara Detections: WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic ,", "Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc", "\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "IDS Detections: Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com)", "IDS Detections: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin", "http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "Unix.Malware.Generic: Yara Detections: is__elf , UPXProtectorv10x2 , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections", "Yara Detections: is__elf , DemonBot", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "https://otx.alienvault.com/indicator/ip/162.222.213.199", "IDS Detections: TLS Handshake Failure Yara Detections: Nullsoft_NSIS", "IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO", "Antivirus Detections: ELF:Xorddos-AE\\ [Trj] , Unix.Trojan.Xorddos-1 ,", "Malware Families: Win.Dropper.LokiBot-9975730-0 #LowFiEnableDTContinueAfterUnpacking #LowFiMalf_gen Worm:Win32/Mofksys", "http://appleid.icloud.com-website33.org/", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Backdoor:Win32/Fynloski.A: FileHash-SHA 453355033bb7977831ca87cc90156b594f13b2ee", "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "hubt.pornhub.com | www.pornhub.com | pornative.com", "http://www.northpoleroute.com/78985064&type=0&resid=5312625", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", "https://otx.alienvault.com/indicator/ip/185.230.63.186", "PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9", "message.htm.com", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "Unix.Malware.Generic: IDS Detections Generic.Go.Bruteforcer CnC Beacon Generic.Go.Bruteforcer Receiving Config", "Highlighted Text: The following text was observed as standard output, \"[THEA-MALWARE]: Gimme Cum Pwease XD\"", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893", "networkservice.exe: Matches rule SERVER-OTHER Spring Data Commons remote code execution attempt", "Matches rule Mirai_Botnet_Malware from ruleset crime_mirai by Florian Roth", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://hallrender.com/attorney/brian-sabey", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "ELF Info Header ELF32 2's complement, little endian 1 (current) UNIX - System V EXEC (Executable file) Intel 80386 0x1", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Malware Families: VirTool:Win32/Injector TrojanDownloader:Win32/Upatre Unix VirTool:Win32/Obfuscator Win.Dropper.LokiBot-9975730-0", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "https://tulach.cc/ | tulach.cc |", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "QuantumFiber.com a 2nd look", "IDS Detections: Observed Suspicious UA (Mozilla/5.0) Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)", "Alerts: network_icmp modifies_proxy_wpad multiple_useragents injection_resumethread", "Malware Families: ALF:Trojan:Win32/FormBook AWS PDF:UrlMal-inf\\ [Trj] Trojan:Win32/Qbot Unix.Malware.Generic-9875933-0", "Unix.Malware.Generic:", "TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "13.107.21.200 Bat.Bing - Trojan:Win32/Qbot | ALF:Ransom:Win32/Babax | Worm:Win32/Mofksys | ALF:Program:Win32/Webcompanion", "Antivirus Detections: ELF:Mirai-AHC\\ [Trj] , Unix.Trojan.Mirai-7100807-0 , DDoS:Linux/Gafgyt.YA!MTB", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "Trojan:Linux/Xorddos: FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559", "Verification failure observed in automated verification handlers during sandbox replay.", "IDS Detections: Domain Sinkholed by Kryptos Logic (HTML Response)", "Trojan.Linux.Mirai.1 | Crime_Mirai | DDoS:Linux/Gafgyt.YA!MTB: FILEHASH - SHA256 a1eff1e00a7d532a6e6d71b3c5328e", "Alerts: ransomware_dropped_files ransomware_mass_file_delete antivm_vmware_in_instruction", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Ransom:Win32/Haperlock.A; FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1", "https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f", "Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "CS Sigma Rules: Python Initiated Connection by frack113", "High Priority Alerts: dead_host network_icmp osquery_detection network_irc nolookup_communication p2p_cnc", "Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style)", "IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010", "Malware Families: ALF:PUA:Block:IObit ALF:Program:Win32/Webcompanion ALF:Ransom:Win32/Babax Win.Keylogger.Banbra-9936388-0", "CnC IP's: 192.187.111.221 63.141.242.43 63.141.242.44 63.141.242.46 81.17.18.195 81.17.18.197 81.17.29.146 81.17.29.148", "TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad", "Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943", "Alerts: nids_exploit_alert nids_malware_alert network_icmp nolookup_communication persistence_autorun network_cnc_http", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "http://pornhub.com/gay/video/search", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02", "Query to a *.top domain - Likely Hostile Query for .cc TLD", "https://otx.alienvault.com/indicator/ip/63.141.242.45", "smartphonesonline.co.uk https://smartphonesonline.co.uk/ https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Yara Detections: MS17_010_WanaCry_worm , NHS_Strain_Wanna , stack_string , MS_Visual_Cpp_6_0", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net", "IDS Detections: Windows 98 User-Agent Detected - Possible Malware or Non-Updated System Unsupported/Fake Internet Explorer Version MSIE 5.", "PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a", "Interesting Strings: http://schemas.xmlsoap.org/soap/encoding/ http://0.0.0.0/nope", "Win.Virus.TeslaCrypt3-2: 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e", "Related Tags: https://www.virustotal.com/graph/embed/g17b255d00de64c0faa707968 [OG:dorkingbeauty | Cloned: StreaminingEx]", "Matches rule Linux_Trojan_Mirai_fa3ad9d0 from ruleset Linux_Trojan_Mirai by Elastic Security", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "Win.Keylogger.Banbra FileHash-SHA256 94517bb37a8ebe48a06a64b20237e287101bc93bbc840bf6e1ab7dfb28a2da5a", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "Win.Dropper.LokiBot-9975730-0", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Mirai", "Backdoor:win32/tofsee", "Trojanspy", "Ransom:win32/haperlock", "Win.trojan.installcore-1177", "Win.ransomware.wannacry-6313787-0", "Virus.win32.virut.q", "Cve-2017-17215", "Onelouder", "Pegasus for android - mob-s0032", "Win.malware.qshell-9875653-0", "Worm:win32/mofksys", "Win.trojan.sarwent-10012602-0", "Trojanspy:win32/nivdort.cw", "#lowfienabledtcontinueafterunpacking", "Relic", "Trojandropper:win32", "Trojanclicker:win32/ellell.a", "Ransom", "Ransom:win32/tescrypt", "Virtool", "Unix", "Xpire.info", "Ddos:linux/gafgyt.ya!mtb", "W32.sality.pe", "Alf:program:win32/webcompanion", "Unix.trojan.mirai-6981169-0", "Alf:ransom:win32/babax", "Trojan:win32/neurevt", "Backdoor:win32/fynloski.a", "Cve-2014-8361", "Unix.trojan.mirai-7100807-0", "Nids", "Cve-2023-27350", "M1", "#lowfimalf_gen", "Hacktool", "Bayrob", "Prynt", "Searchmeup", "Elf:mirai-ahc\\ [trj]", "Tofsee", "Pegasus for ios - s0289", "Alf:pua:block:iobit", "Sakula rat", "Trojan:win32/zombie.a", "Pws:win32/ymacco.aa50", "Virtool:win32/obfuscator", "Ransom:win32/wannacrypt.h", "Sf:wncryldr-a\\ [trj]", "Alf:trojan:win32/formbook", "Aws", "Trojan:linux/xorddos", "Pws:win32/qqpass.b!mtb", "Win.keylogger.banbra-9936388-0", "Ransom:win32/haperlock.a", "Ransomware", "Trojan:win32/qbot", "Pdf:urlmal-inf\\ [trj]", "Virtool:win32/injector", "Unix.malware.generic-9875933-0", "Win.malware.oxypumper-6900435-0", "Trojandownloader:win32/upatre", "Win.virus.teslacrypt3-2/custom", "Tel:createscheduledtask", "Virus:win32/sivis.a", "Win.dropper.lokibot-9975730-0" ], "industries": [ "Civilian society", "Healthcare", "Government", "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 32, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "3 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e1cc70fcbd3f613502e1f7", "name": "order clone by aclause21 Public", "description": "", "modified": "2026-04-17T09:28:38.049000", "created": "2026-04-17T06:00:16.867000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "678f0dbdbc59dd2ea5656dcf", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 442, "domain": 2416, "hostname": 2155, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24911, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e1cc6fd3c4022e08db781d", "name": "order clone by aclause21 Public", "description": "", "modified": "2026-04-17T06:51:33.372000", "created": "2026-04-17T06:00:15.760000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "678f0dbdbc59dd2ea5656dcf", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 441, "domain": 2416, "hostname": 2155, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24910, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a77cfcac37b94cdafabb0d", "name": "Outlook", "description": "IOCS", "modified": "2026-04-03T08:24:06.638000", "created": "2026-03-04T00:29:48.657000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 712, "domain": 759, "hostname": 194, "FileHash-SHA1": 148, "email": 37, "FileHash-SHA256": 437, "FileHash-MD5": 118, "CVE": 1 }, "indicator_count": 2406, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692131f725473d708579ec3a", "name": "Drive-by Compromise", "description": "", "modified": "2025-11-22T03:45:59.649000", "created": "2025-11-22T03:45:59.649000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "66f31b9a0551ca166c872292", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 439, "domain": 2416, "hostname": 2154, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24907, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "148 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68788dfd4a0943cb318c7137", "name": "DarkWatchman Chekin Activity", "description": "", "modified": "2025-08-16T06:02:36.091000", "created": "2025-07-17T05:45:33.250000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "678f0dbdbc59dd2ea5656dcf", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7596, "FileHash-SHA1": 3987, "FileHash-SHA256": 8622, "URL": 1922, "domain": 2530, "hostname": 2524, "email": 37, "CVE": 6, "SSLCertFingerprint": 6 }, "indicator_count": 27230, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "678f0dbdbc59dd2ea5656dcf", "name": "Order ", "description": "", "modified": "2025-01-21T03:00:13.071000", "created": "2025-01-21T03:00:13.071000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "66f31b9a0551ca166c872292", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aclause21", "id": "303913", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 439, "domain": 2416, "hostname": 2154, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24907, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "453 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66804428b487338dc16f70a7", "name": "Brian Sabey Orbiting Tsara Brashears and associates | Espionage | Said client: Jeffrey Reimer", "description": "Brian Sabey & large team continue excessive orbiting target & family members in multiple states. \nUnwarranted, dangerous and illegal. \nLarge attacks have wreaked havoc on medical establishments, targets medical profile, once profitable business, legal manipulation, financial well being. forced poverty, swatting, imfostealer, insurance fraud, intellectual property use, Audi le spying, in person stalking, confrontations, great bodily harm, loss of peace, safety. basic human rights and privacy, phone call redirection, malvertising. In the name of assaulter Jeffrey Scott Reimer", "modified": "2024-11-05T10:00:12.606000", "created": "2024-06-29T17:28:08.283000", "tags": [ "unknown", "united", "virgin islands", "as51852", "as33387", "as19905", "as44273 host", "cname", "nxdomain", "passive dns", "url http", "search", "type indicator", "role title", "added active", "related pulses", "entries", "urls", "files ip", "address domain", "ip related", "pulses otx", "pulses", "related tags", "indicator facts", "dga domain", "http", "unique", "scan endpoints", "all scoreblue", "pulse pulses", "ip address", "related nids", "log id", "gmtn", "go daddy", "authority", "tls web", "arizona", "scottsdale", "ca issuers", "b59bn timestamp", "ff2c217402202b", "code", "false", "url https", "domain", "trojan", "hostname", "files", "body", "date", "path max", "age86400 set", "cookie", "script urls", "type", "mtb may", "script script", "trojanspy", "striven", "miles2", "rexxfield", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "date sat", "gmt server", "sakula malware", "historical ssl", "realteck audio", "lemon duck", "iocs", "tsara brashears", "loki password", "stealer", "windows", "auction", "metro", "core", "colibri loader", "hacktool", "status", "for privacy", "creation date", "record value", "name servers", "showing", "next", "mtb mar", "ipv4", "ransom", "west domains", "redacted for", "gmt location", "gmt max", "cowboy", "encrypt", "as60558 phoenix", "susp", "win32", "methodpost", "canada unknown", "as43350 nforce", "united kingdom", "as47846", "germany unknown", "briansabey", "body doubles", "orbiters", "malvertising", "cane", "get na", "show", "as16509", "delete c", "sinkhole cookie", "value snkz", "cape", "possible", "copy", "nivdort", "write", "bayrob", "malware", "exploit", "confirm https", "impact", "misc http", "cvss v2", "authentication", "n cvss", "v3 severity", "high attack", "emails", "cnc", "alphacrypt cnc", "beacon", "as15169 google", "limited", "as8560", "elite", "AS33387 nocix llc", "pegasus", "mercenary", "cellerebrand", "cellebrite", "apple", "dark", "apple ios", "ios", "apple iphone", "apple itunes", "itunes", "pegasystem", "data brokers", "hackers", "javascript", "please", "intel", "filehash", "av detections", "xorddos" ], "references": [ "http://www.northpoleroute.com/78985064&type=0&resid=5312625", "espysite.azurewebsites.net - https://otx.alienvault.com/indicator/hostname/espysite.azurewebsites.net", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256\t251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "TrojanSpy:Win32/Nivdort.CW: FileHash-SHA256 aa289c89f2cdbfe896f4c77c611d94aa95858797014b57e24d5fe2bb0997d7b0", "Ransom:Win32/Haperlock.A: FileHash-MD5 46480bf46cde2b3e79852661cc5c36fc", "Ransom:Win32/Haperlock.A: FileHash-SHA1 c881d1434164b35fb16107a25f84995b7fdef37f", "Ransom:Win32/Haperlock.A; FileHash-SHA256 8264c73f129d4895573c2375ea4e4636b9d5df66852ce72ccc20d31a96ae7df1", "IDS Detections: W32/Bayrob Attempted Checkin 2 Terse HTTP 1.0 Request Possible Nivdort W32/Bayrob Attempted Checkin", "IDS Detections: Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz", "Alerts: cape_detected_threat cape_extracted_content", "https://otx.alienvault.com/indicator/file/251150379b9a0ff230899777f0952d3833a88c1a2d6a0101ea13bdd91a9550fe", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "\"Windows SMB Information Disclosure Vulnerability.\" - https://otx.alienvault.com/indicator/cve/CVE-2017-0147", "Backdoor:Win32/Fynloski.A: FileHash-SHA256 4e692806955f9ee3f4c7a5d9a1ac7729eb53b855b39e6f9f943f89ccba30bd49", "Backdoor:Win32/Fynloski.A: FileHash-SHA 453355033bb7977831ca87cc90156b594f13b2ee", "Backdoor:Win32/Fynloski.A: FileHash-MD5 c3113684e8f8aa6d1b1b67d59141e845", "TrojanClicker:Win32/Ellell.A: FileHash-SHA256 7456108771e6a8bac658276c1cb9e18c8c348fdd9cd3538419751c3b5ef3ac02", "TrojanClicker:Win32/Ellell.A: FileHash-SHA1 7a52b57df5b3c67f810a71dc39ff93688b141534", "TrojanClicker:Win32/Ellell.A: 4d3e7d486ec5918d91e54e51c4d07dc6", "PWS:Win32/Ymacco.AA50: FileHash-SHA256 105834163b1a0c89e12917a3145e14be6030a611e07f7f62fa7c57de838d6251", "PWS:Win32/Ymacco.AA50: FileHash-SHA1 57486d33246bce6dfedb0836cd97c9acd4a4a39a", "PWS:Win32/Ymacco.AA50: FileHash-MD5 5739cd62eb88e2a7e514784fe7cf5ca4", "https://otx.alienvault.com/indicator/ip/162.222.213.199", "TrojanDownloader:Win32/PurityScan.MI!MTB: FileHash-SHA1 58ba8715a88d883537ba8d0e20eea2a4d9269cad", "Ransom:Win32/Tescrypt: FileHash-SHA256 916e13eb1e4313b2a04a2ae21b4955b8228183b26709a64284098ca759a8f437", "PWS:Win32/QQpass.B!MTB: FileHash-SHA256 71fa9257f88c15b438616662dc468327199edb570286c7259d333953006b8eec", "PWS:Win32/QQpass.B!MTB: FileHash-SHA1 fec703ee7c02ffe35c6b987bb9aac3a765e95dfb", "PWS:Win32/QQpass.B!MTB: FileHash-MD5 f7c36b4e5b4b09dc369163377aade2d7", "Trojan:Win32/Zombie.A: FileHash-SHA256 0b87667251b79cb800ddd88bdabecea8e13248c426d4a14ae0aae0ef5783f943", "Trojan:Win32/Zombie.A: FileHash-SHA1 de974c697f0401d681e1bb3c8694a663e9e43d8f", "Trojan:Win32/Zombie.A: FileHash-MD5 34e85820b41c14e07dd564f22997e893", "Win.Virus.TeslaCrypt3-2: 78af1fd5be62ab829e49f9a1b5fbb8a9b30f8d0804cba5805c8f350b841d522e", "IDS Detections : W32/Bayrob Attempted Checkin 2 CryptoWall Check-in AlphaCrypt CnC Beacon 4 Trojan-Ransom.Win32.Blocker.avsx", "IDS Detections : AlphaCrypt CnC Beacon 3 MalDoc Request for Payload Aug 17 2016 Koobface W32/Bayrob Attempted Checkin", "IDS Detections : Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt Alphacrypt/TeslaCrypt Ransomware CnC Beacon", "https://otx.alienvault.com/indicator/ip/185.230.63.186", "CnC IP's: 192.187.111.221 63.141.242.43 63.141.242.44 63.141.242.46 81.17.18.195 81.17.18.197 81.17.29.146 81.17.29.148", "http://islamicsoftwares.com/downloads/iphone/audioCont/2/107.tar.gz http://islamicsoftwares.com/downloads/iphone/audioCont/7/110.tar.gz", "smartphonesonline.co.uk https://smartphonesonline.co.uk/ https://www.smartphonesonline.co.uk/ [192.187.111.222. US - Request HTTP -Target IP]", "Mercenary Attackers / Cellebrite branded as: http://teacellertea.com/Pegasus/ NSO", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://otx.alienvault.com/indicator/file/0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://otx.alienvault.com/indicator/ip/63.141.242.45", "Yara Detections: is__elf , xorddos , LinuxXorDDoS_VariantTwo", "Antivirus Detections: ELF:Xorddos-AE\\ [Trj] , Unix.Trojan.Xorddos-1 ,", "Trojan:Linux/Xorddos: FileHash-MD5 3b4ce1333614cd21c109054630e959b9", "Trojan:Linux/Xorddos: FileHash-SHA1 a5780498e6fce5933a7e7bf59a6fa5742e97f559", "Trojan:Linux/Xorddos: FileHash-SHA256 0002f7cbc10cfea832f117d66dea2d33e6ca1d5cea57d9af0784255e0112d658", "https://hallrender.com/attorney/brian-sabey" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "Ransom:Win32/Haperlock.A", "display_name": "Ransom:Win32/Haperlock.A", "target": "/malware/Ransom:Win32/Haperlock.A" }, { "id": "Backdoor:Win32/Fynloski.A", "display_name": "Backdoor:Win32/Fynloski.A", "target": "/malware/Backdoor:Win32/Fynloski.A" }, { "id": "TrojanClicker:Win32/Ellell.A", "display_name": "TrojanClicker:Win32/Ellell.A", "target": "/malware/TrojanClicker:Win32/Ellell.A" }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "Win.Virus.TeslaCrypt3-2/Custom", "display_name": "Win.Virus.TeslaCrypt3-2/Custom", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "Ransom:Win32/Tescrypt", "display_name": "Ransom:Win32/Tescrypt", "target": "/malware/Ransom:Win32/Tescrypt" }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Trojan:Linux/Xorddos", "display_name": "Trojan:Linux/Xorddos", "target": "/malware/Trojan:Linux/Xorddos" }, { "id": "Sakula RAT", "display_name": "Sakula RAT", "target": null } ], "attack_ids": [ { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 106, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3885, "hostname": 1651, "URL": 5981, "FileHash-MD5": 486, "FileHash-SHA256": 3859, "SSLCertFingerprint": 2, "FileHash-SHA1": 487, "CVE": 7, "email": 8 }, "indicator_count": 16366, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "530 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "zuf174.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "zuf174.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776598744.1295373 }