otx.alienvault.com
urlscan.io Public Scan (IP 13.32.121.24)
Submitted URL: https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188#:~:text=%C3%97
Effective URL: https://otx.alienvault.com/indicator/file/0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188
Submission: On May 22 via api from US; scanned from DE
Form analysis: 0 forms found in the DOM

Text content of the scanned page:
FileHash - SHA256 0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188

Pulses: 34 | AV Detections: 0 | IDS Detections: 0 | YARA Detections: 0 | Alerts: 0
(The header counter reads Alerts 0 while the Analysis section below lists eight sandbox alerts; the two are not the same counter.)

ANALYSIS OVERVIEW
Analysis Date: 12 months ago
File Score: 11.4 (Malicious)
YARA Detections: None
Alerts: suspicious_command_tools, antidebug_guardpages, dynamic_function_loading, powershell_download, powershell_request, stealth_window, antidebug_setunhandledexceptionfilter, stealth_timeout
IPs Contacted: 199.36.158.100, 8.249.137.254
Domains Contacted: sacomu.web.app
Related Pulses: LevelBlue Labs Pulses (1), OTX User-Created Pulses (33)
Related Tags (400): Java, Hidden Virtual Network Computing, Spearphishing, DymamicRAT [sic, as tagged on OTX], referrer, ... (remaining tags behind a "More" control)

FILE
File Type: JAR - Java archive data (JAR)
Size: 10 KB (10953 bytes)
MD5: 60a38f29aa89bf50695934e2da263f3c
SHA1: 1da3abd876a5a94cba451907c9324855882b988c
SHA256: 0cbc40baea499758a01ad897cfc6beb54dc1cbbad56eedcf5197f42a141c0188
External Resources: VirusTotal (API key required)

COBALT STRIKE
No Entries Found

ALERTS
Name | Description | Severity
suspicious_command_tools | Uses suspicious command line tools or Windows utilities | High
antidebug_guardpages | Guard pages use detected - possible anti-debugging | Medium
dynamic_function_loading | Dynamic (imported) function loading detected | Medium
powershell_download | Data downloaded by powershell script | Medium
powershell_request | Powershell is sending data to a remote host | Medium
stealth_window | A process created a hidden window | Medium
antidebug_setunhandledexceptionfilter | SetUnhandledExceptionFilter detected (possible anti-debug) | Low
stealth_timeout | Possible date expiration check, exits too soon after checking local time | Low
(The ATT&CK Technique and Technique ID columns are empty for every row.)
These are behavioural signatures from a Windows sandbox run. The two powershell_* alerts record PowerShell activity observed during the run, i.e. the JAR or something it launched spawned PowerShell; the process tree in the full sandbox report is the place to confirm which.

EXIF DATA (ZIP metadata of the first archive entry)
ZIP:ZipBitFlag 0x0808
ZIP:ZipCRC 0x735e41c1
ZIP:ZipCompressedSize 21
ZIP:ZipCompression Deflated
ZIP:ZipFileName m.dll
ZIP:ZipModifyDate 2022:11:02 15:06:16
ZIP:ZipRequiredVersion 20
ZIP:ZipUncompressedSize 19
Caveat: m.dll is 19 bytes uncompressed, far too small to be a PE image (the DOS header alone is 64 bytes), so the ".dll" name does not denote a loadable native library. Bit flag 0x0808 sets bit 3 (sizes and CRC written in a trailing data descriptor) and bit 11 (UTF-8 file names), the combination typical of streaming writers such as Java's ZipOutputStream.

COMPRESSED FILES
File name | SHA-256
m.dll | b6646f519041f32b0cf773e7082caf28296352bf6903f57398cd022ea1b313c0
u.dll | 2d8ed0db9fb70bdfe4e5a7e3643a6d51db426f750499d7595640fb9154637831
META-INF/MANIFEST.MF | 6df24e9a44d063c31035f5250e62fbde3723b6735bb27131b7de0e61af9eb4e2
JLC.class | c3bdfa98fcf3dfae88de025f937ce85fae12c8d4eedcba0418bf25a9b4fb7790
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII.class | c7f3848d014dcd7b01609a05d52a4bf01ba7fabdfeed6fa26c7d6dc78c69d6f3
(The class whose name is a run of repeated "I" characters is a name-obfuscation pattern; the per-entry hashes above are the pivot points for hunting other builds that reuse the same classes.)

LNK
No Entries Found

SCREENSHOT / DOCUMENT PROPERTIES
No entries

DOMAINS CONTACTED
Status | Domain | IP
Whitelisted | sacomu.web.app | 199.36.158.100
"Whitelisted" is the sandbox's own allowlist status. Treat the full hostname sacomu.web.app as the indicator: 199.36.158.100 is shared hosting (AS54113) that unrelated sites also resolve to.

TCP (includes internal to internal communication)
Top Source: 192.168.122.24 | Top Destination: 199.36.158.100
Source | Source Port | Destination | Destination Port
192.168.122.24 | 49190 | 199.36.158.100 | 443

UDP (includes internal to internal communication)
Top Source: 192.168.122.24 | Top Destinations: 192.168.122.255, 1.1.1.1
Source | Source Port | Destination | Destination Port
192.168.122.24 | 62514 | 1.1.1.1 | 53
192.168.122.24 | 61245 | 1.1.1.1 | 53

EXTERNAL HOSTS
Top Country: United States | Unique Countries: 1 | Unique ASNs: 2
IP | Hostname | Reverse IP lookup | Country | ASN
199.36.158.100 | sacomu.web.app | sacomu.web.app | United States | AS54113 fastly
8.249.137.254 | (none) | (none) | United States | AS3356 level 3 parent llc
(8.249.137.254 appears only in the IPs Contacted list; no TCP or UDP flow to it is recorded above.)

TLS CERTIFICATES
Columns: IP | Destination | Dest Port | Subject | Issuerdn | Fingerprint | Version | sni | Cert NotBefore | Cert NotAfter
Single row, certificate columns empty: IP 192.168.122.24 | Version TLS 1.3 | sni sacomu.web.app
With TLS 1.3 the server's Certificate message is encrypted, so a passive sensor records the SNI and version but no subject, issuer or fingerprint; the certificate has to be fetched separately if it is needed.

JA3 CLIENTS
Destination IP: 199.36.158.100 | Dest Port: 443
JA3: 771,4866-4865-49196-49195-49200-49199-159-163-158-162-49188-49192-49187-49191-107-106-103-64-49198-49202-49197-49201-49190-49194-49189-49193-49162-49172-49161-49171-57-56-51-50-49157-49167-49156-49166-157-156-61-60-53-47-255,0-10-11-13-50-23-43-45-51,23-24-25-256-257-258-259-260,0
JA3 Digest: 479b976148ec2a1a195ae2e15805fefa

JA3 SERVERS
Source IP: 199.36.158.100 | Source Port: 443
JA3S (as rendered): 771,CipherSuite(TLS_AES_256_GCM_SHA384),43-51
JA3S Digest: dbc1abcd208c7b90c44d88c9cf69465d
The sensor rendered the selected cipher by name; a canonical JA3S string carries the numeric id (TLS_AES_256_GCM_SHA384 is 0x1302, i.e. 4866), so recompute from "771,4866,43-51" if you want to verify the digest. Extensions 43 (supported_versions) and 51 (key_share) in the server hello are the TLS 1.3 negotiation that the TLS CERTIFICATES row reports.

RELATED PULSES
LevelBlue Labs (1) | User Created (33)

DynamicRAT — A full-fledged Java Rat
FileHash-SHA256 | Indicator Active | Created 12 months ago | Modified 11 months ago by AlienVault | Public | TLP: White
Indicators: FileHash-MD5: 2 | FileHash-SHA1: 2 | FileHash-SHA256: 22 | Domain: 1
Description: On Tuesday, 06.06.2023, I was notified by one of my infosec colleagues, Fate, about a strange “.jar” file he had found in his network. While execution had been prevented through the AV, the file did stick out, because when looking at its strings, Fate had noticed several substrings that contained the word “attack” in it.
Tags: Java, Hidden Virtual Network Computing, Spearphishing, DymamicRAT
274,626 Subscribers

USER CREATED PULSES

IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Services
FileHash-SHA1 | Indicator Active | Created 2 months ago | Modified 4 weeks ago by scoreblue | Public | TLP: White
Indicators: CIDR: 2 | CVE: 12 | FileHash-MD5: 2979 | FileHash-SHA1: 406 | FileHash-SHA256: 2293 | URL: 1804 | Domain: 814 | Email: 9 | Hostname: 1025
Description: Found in web app of a target's device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along other devices making commands and requests via app.
referrer, communicating, contacted, siblings domain, parent domain, subdomains, execution, bundled, threat, paste, iocs, e4609l, urls http, blacklist http, cisco umbrella, heur, site, html, million, team, alexa top, script, malicious url, outbreak, downer, shell, mediamagnet, swrort, unruy, iobit, dropper, trojanx, installcore, riskware, unsafe, webshell, exploit, crack, malware, phishing, union, bank, generic malware, ip summary, url summary, summary, detection list, blacklist, site top, malware site, site safe, deepscan, genpack, zbot, united, proxy, firehol mail, spammer, anonymizer, team proxy, firehol, noname057, alexa safe, maltiverse safe, windows nt, win64, khtml, gecko, veryhigh, orgabusehandle, route, appli22, address, orgtechhandle, appliedi abuse, orgnochandle, peter heather, appliedi, general info, geo united, as14519, us note, registrar arin, ptr record, command decode, mitre att, ck id, show technique, ck matrix, traffic et, policy windows, update p2p, activity, date, hybrid, general, click, strings, contact, contacted urls, cert valid, malicious, phone, text, microsoft, uk telco, js tel, metro, redacted for, record value, emails abuse, name redacted, for privacy, name servers, privacy address, privacy city, privacy country, resolutions, a domains, canada unknown, div div, format a, a ul, models a, gmt path, search, unknown, passive dns, title, all scoreblue, ipv4, url analysis, body, next, port, destination, forbidden, high, tcp syn, telnet root, suspicious path, busybox, bad login, telnet login, copy, mirai, domain, hostname, script script, link, app themesskin, status, content type, lakeside tool, meta, find, tools, cookie, front, li ul, mower shop, creation date, showing, pragma, this, span, open ports, body doctype, privacy admin, privacy tech, server, country, organization, postal code, stateprovince, code, script urls, aaaa, as8068, cname, as20446, encrypt, falcon, name verdict, abuse, as55081, dnssec, dynamicloader, alerts, pulses, java, 
windows, guard, medium, dynamic, servers, certificate, as54113, trojan, neue, trojanspy, alexa, team google, maltiverse top, ccleaner, xrat, downldr, tsara brashears, entries, transactional * 85 Subscribers IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Services FileHash-SHA1 Indicator Active * Created 2 months ago * Modified 4 weeks ago by scoreblue * Public * TLP: White CIDR: 2 | CVE: 12 | FileHash-MD5: 2979 | FileHash-SHA1: 406 | FileHash-SHA256: 2293 | URL: 1804 | Domain: 814 | Email: 9 | Hostname: 1025 Found in web app of a targets device. Mirai, spyware, hidden user sandbox, information collection, modified services. CnC. | Redirects client from secure to insecure headers. | Downloaded 'suss' Bitdefender - White Paper report. | Apple phone along other devices making commands and requests via app. referrer, communicating, contacted, siblings domain, parent domain, subdomains, execution, bundled, threat, paste, iocs, e4609l, urls http, blacklist http, cisco umbrella, heur, site, html, million, team, alexa top, script, malicious url, outbreak, downer, shell, mediamagnet, swrort, unruy, iobit, dropper, trojanx, installcore, riskware, unsafe, webshell, exploit, crack, malware, phishing, union, bank, generic malware, ip summary, url summary, summary, detection list, blacklist, site top, malware site, site safe, deepscan, genpack, zbot, united, proxy, firehol mail, spammer, anonymizer, team proxy, firehol, noname057, alexa safe, maltiverse safe, windows nt, win64, khtml, gecko, veryhigh, orgabusehandle, route, appli22, address, orgtechhandle, appliedi abuse, orgnochandle, peter heather, appliedi, general info, geo united, as14519, us note, registrar arin, ptr record, command decode, mitre att, ck id, show technique, ck matrix, traffic et, policy windows, update p2p, activity, date, hybrid, general, click, strings, contact, contacted urls, cert valid, malicious, phone, text, microsoft, uk telco, js tel, metro, redacted for, record value, 
emails abuse, name redacted, for privacy, name servers, privacy address, privacy city, privacy country, resolutions, a domains, canada unknown, div div, format a, a ul, models a, gmt path, search, unknown, passive dns, title, all scoreblue, ipv4, url analysis, body, next, port, destination, forbidden, high, tcp syn, telnet root, suspicious path, busybox, bad login, telnet login, copy, mirai, domain, hostname, script script, link, app themesskin, status, content type, lakeside tool, meta, find, tools, cookie, front, li ul, mower shop, creation date, showing, pragma, this, span, open ports, body doctype, privacy admin, privacy tech, server, country, organization, postal code, stateprovince, code, script urls, aaaa, as8068, cname, as20446, encrypt, falcon, name verdict, abuse, as55081, dnssec, dynamicloader, alerts, pulses, java, windows, guard, medium, dynamic, servers, certificate, as54113, trojan, neue, trojanspy, alexa, team google, maltiverse top, ccleaner, xrat, downldr, tsara brashears, entries, transactional * 86 Subscribers IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service FileHash-SHA1 Indicator Active * Created 2 months ago * Modified 4 weeks ago by OctoSeek * Public * TLP: White CIDR: 2 | CVE: 12 | FileHash-MD5: 2979 | FileHash-SHA1: 406 | FileHash-SHA256: 2293 | URL: 1804 | Domain: 814 | Email: 9 | Hostname: 1025 referrer, communicating, contacted, siblings domain, parent domain, subdomains, execution, bundled, threat, paste, iocs, e4609l, urls http, blacklist http, cisco umbrella, heur, site, html, million, team, alexa top, script, malicious url, outbreak, downer, shell, mediamagnet, swrort, unruy, iobit, dropper, trojanx, installcore, riskware, unsafe, webshell, exploit, crack, malware, phishing, union, bank, generic malware, ip summary, url summary, summary, detection list, blacklist, site top, malware site, site safe, deepscan, genpack, zbot, united, proxy, firehol mail, spammer, anonymizer, team proxy, firehol, 
noname057, alexa safe, maltiverse safe, windows nt, win64, khtml, gecko, veryhigh, orgabusehandle, route, appli22, address, orgtechhandle, appliedi abuse, orgnochandle, peter heather, appliedi, general info, geo united, as14519, us note, registrar arin, ptr record, command decode, mitre att, ck id, show technique, ck matrix, traffic et, policy windows, update p2p, activity, date, hybrid, general, click, strings, contact, contacted urls, cert valid, malicious, phone, text, microsoft, uk telco, js tel, metro, redacted for, record value, emails abuse, name redacted, for privacy, name servers, privacy address, privacy city, privacy country, resolutions, a domains, canada unknown, div div, format a, a ul, models a, gmt path, search, unknown, passive dns, title, all scoreblue, ipv4, url analysis, body, next, port, destination, forbidden, high, tcp syn, telnet root, suspicious path, busybox, bad login, telnet login, copy, mirai, domain, hostname, script script, link, app themesskin, status, content type, lakeside tool, meta, find, tools, cookie, front, li ul, mower shop, creation date, showing, pragma, this, span, open ports, body doctype, privacy admin, privacy tech, server, country, organization, postal code, stateprovince, code, script urls, aaaa, as8068, cname, as20446, encrypt, falcon, name verdict, abuse, as55081, dnssec, dynamicloader, alerts, pulses, java, windows, guard, medium, dynamic, servers, certificate, as54113, trojan, neue, trojanspy, alexa, team google, maltiverse top, ccleaner, xrat, downldr, tsara brashears, entries, transactional * 129 Subscribers IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root | Modified Browser and Service FileHash-SHA1 Indicator Active * Created 2 months ago * Modified 4 weeks ago by OctoSeek * Public * TLP: White CIDR: 2 | CVE: 12 | FileHash-MD5: 2979 | FileHash-SHA1: 406 | FileHash-SHA256: 2293 | URL: 1804 | Domain: 814 | Email: 9 | Hostname: 1025 referrer, communicating, contacted, siblings domain, parent domain, subdomains, 
execution, bundled, threat, paste, iocs, e4609l, urls http, blacklist http, cisco umbrella, heur, site, html, million, team, alexa top, script, malicious url, outbreak, downer, shell, mediamagnet, swrort, unruy, iobit, dropper, trojanx, installcore, riskware, unsafe, webshell, exploit, crack, malware, phishing, union, bank, generic malware, ip summary, url summary, summary, detection list, blacklist, site top, malware site, site safe, deepscan, genpack, zbot, united, proxy, firehol mail, spammer, anonymizer, team proxy, firehol, noname057, alexa safe, maltiverse safe, windows nt, win64, khtml, gecko, veryhigh, orgabusehandle, route, appli22, address, orgtechhandle, appliedi abuse, orgnochandle, peter heather, appliedi, general info, geo united, as14519, us note, registrar arin, ptr record, command decode, mitre att, ck id, show technique, ck matrix, traffic et, policy windows, update p2p, activity, date, hybrid, general, click, strings, contact, contacted urls, cert valid, malicious, phone, text, microsoft, uk telco, js tel, metro, redacted for, record value, emails abuse, name redacted, for privacy, name servers, privacy address, privacy city, privacy country, resolutions, a domains, canada unknown, div div, format a, a ul, models a, gmt path, search, unknown, passive dns, title, all scoreblue, ipv4, url analysis, body, next, port, destination, forbidden, high, tcp syn, telnet root, suspicious path, busybox, bad login, telnet login, copy, mirai, domain, hostname, script script, link, app themesskin, status, content type, lakeside tool, meta, find, tools, cookie, front, li ul, mower shop, creation date, showing, pragma, this, span, open ports, body doctype, privacy admin, privacy tech, server, country, organization, postal code, stateprovince, code, script urls, aaaa, as8068, cname, as20446, encrypt, falcon, name verdict, abuse, as55081, dnssec, dynamicloader, alerts, pulses, java, windows, guard, medium, dynamic, servers, certificate, as54113, trojan, neue, 
trojanspy, alexa, team google, maltiverse top, ccleaner, xrat, downldr, tsara brashears, entries, transactional * 129 Subscribers IoT Dark Nexus + Mirai BotNet HELP HER PLEASE!!- Enom | TELNET Root | FileHash-SHA1 Indicator Active * Created 2 months ago * Modified 4 weeks ago by OctoSeek * Public * TLP: White CIDR: 2 | CVE: 12 | FileHash-MD5: 2979 | FileHash-SHA1: 406 | FileHash-SHA256: 2293 | URL: 1804 | Domain: 814 | Email: 9 | Hostname: 1025 referrer, communicating, contacted, siblings domain, parent domain, subdomains, execution, bundled, threat, paste, iocs, e4609l, urls http, blacklist http, cisco umbrella, heur, site, html, million, team, alexa top, script, malicious url, outbreak, downer, shell, mediamagnet, swrort, unruy, iobit, dropper, trojanx, installcore, riskware, unsafe, webshell, exploit, crack, malware, phishing, union, bank, generic malware, ip summary, url summary, summary, detection list, blacklist, site top, malware site, site safe, deepscan, genpack, zbot, united, proxy, firehol mail, spammer, anonymizer, team proxy, firehol, noname057, alexa safe, maltiverse safe, windows nt, win64, khtml, gecko, veryhigh, orgabusehandle, route, appli22, address, orgtechhandle, appliedi abuse, orgnochandle, peter heather, appliedi, general info, geo united, as14519, us note, registrar arin, ptr record, command decode, mitre att, ck id, show technique, ck matrix, traffic et, policy windows, update p2p, activity, date, hybrid, general, click, strings, contact, contacted urls, cert valid, malicious, phone, text, microsoft, uk telco, js tel, metro, redacted for, record value, emails abuse, name redacted, for privacy, name servers, privacy address, privacy city, privacy country, resolutions, a domains, canada unknown, div div, format a, a ul, models a, gmt path, search, unknown, passive dns, title, all scoreblue, ipv4, url analysis, body, next, port, destination, forbidden, high, tcp syn, telnet root, suspicious path, busybox, bad login, telnet login, copy, mirai, 
domain, hostname, script script, link, app themesskin, status, content type, lakeside tool, meta, find, tools, cookie, front, li ul, mower shop, creation date, showing, pragma, this, span, open ports, body doctype, privacy admin, privacy tech, server, country, organization, postal code, stateprovince, code, script urls, aaaa, as8068, cname, as20446, encrypt, falcon, name verdict, abuse, as55081, dnssec, dynamicloader, alerts, pulses, java, windows, guard, medium, dynamic, servers, certificate, as54113, trojan, neue, trojanspy, alexa, team google, maltiverse top, ccleaner, xrat, downldr, tsara brashears, entries, transactional * 128 Subscribers IoT Dark Nexus + Mirai BotNet - Enom | TELNET Root HELP! RETALIATION HAS OCCURRED FileHash-SHA1 Indicator Active * Created 2 months ago * Modified 4 weeks ago by OctoSeek * Public * TLP: White CIDR: 2 | CVE: 12 | FileHash-MD5: 2979 | FileHash-SHA1: 406 | FileHash-SHA256: 2293 | URL: 1804 | Domain: 814 | Email: 9 | Hostname: 1025 referrer, communicating, contacted, siblings domain, parent domain, subdomains, execution, bundled, threat, paste, iocs, e4609l, urls http, blacklist http, cisco umbrella, heur, site, html, million, team, alexa top, script, malicious url, outbreak, downer, shell, mediamagnet, swrort, unruy, iobit, dropper, trojanx, installcore, riskware, unsafe, webshell, exploit, crack, malware, phishing, union, bank, generic malware, ip summary, url summary, summary, detection list, blacklist, site top, malware site, site safe, deepscan, genpack, zbot, united, proxy, firehol mail, spammer, anonymizer, team proxy, firehol, noname057, alexa safe, maltiverse safe, windows nt, win64, khtml, gecko, veryhigh, orgabusehandle, route, appli22, address, orgtechhandle, appliedi abuse, orgnochandle, peter heather, appliedi, general info, geo united, as14519, us note, registrar arin, ptr record, command decode, mitre att, ck id, show technique, ck matrix, traffic et, policy windows, update p2p, activity, date, hybrid, general, 
click, strings, contact, contacted urls, cert valid, malicious, phone, text, microsoft, uk telco, js tel, metro, redacted for, record value, emails abuse, name redacted, for privacy, name servers, privacy address, privacy city, privacy country, resolutions, a domains, canada unknown, div div, format a, a ul, models a, gmt path, search, unknown, passive dns, title, all scoreblue, ipv4, url analysis, body, next, port, destination, forbidden, high, tcp syn, telnet root, suspicious path, busybox, bad login, telnet login, copy, mirai, domain, hostname, script script, link, app themesskin, status, content type, lakeside tool, meta, find, tools, cookie, front, li ul, mower shop, creation date, showing, pragma, this, span, open ports, body doctype, privacy admin, privacy tech, server, country, organization, postal code, stateprovince, code, script urls, aaaa, as8068, cname, as20446, encrypt, falcon, name verdict, abuse, as55081, dnssec, dynamicloader, alerts, pulses, java, windows, guard, medium, dynamic, servers, certificate, as54113, trojan, neue, trojanspy, alexa, team google, maltiverse top, ccleaner, xrat, downldr, tsara brashears, entries, transactional * 132 Subscribers Python Initiated Connection | Spyware | Remote Attacks | | Part 4 FileHash-SHA256 Indicator Active * Created 6 months ago * Modified 5 months ago by OctoSeek * Public * TLP: Green CIDR: 1 | CVE: 4 | FileHash-MD5: 197 | FileHash-SHA1: 170 | FileHash-SHA256: 5136 | URL: 12901 | Domain: 3685 | Email: 2 | Hostname: 4445 Apple, Mac, iOS, phishing, frauds services, malware, trojan.allesgreh/trojan.allesgreh/respat, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and possibly others. Python Initiated Connection, WScriptShell_Case_Anomaly. Pulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/ [Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? 
and how did it end up in this post-mortem?←((threat?))Let me tell you a] http response, final url, serving ip, address, status code, body length, b body, sha256, contenttype, phpsessid, cisco umbrella, alexa top, million, safe site, site, whois record, ssl certificate, execution, dropped, whois whois, historical ssl, copy, tsara brashears, communicating, referrer, cobalt strike, hacktool, emotet, download, malware, malicious, critical, relic, monitoring, installer, android, agent tesla, et, october, contacted, threat roundup, january, cyberstalking, attack, icmp, banker, keylogger, google llc, gc abuse, orgid, direct, whois lookup, netrange, nethandle, net34, net340000, googl2, comment, gc, dns replication, date, domain, win32 exe, driver pro, files, detections type, name, optimizer pro, javascript, text, text ip, aacr, type name, email, email delivery, email fwd, delivery status, notification, name verdict, runtime process, sha1, size, localappdata, temp, prefetch8, unicode text, type data, programfiles, win64, hybrid, click, strings, youth, pe resource, apple private, data collection, hidden privacy, threats https, legal, amazon aws, wife happy, vhash, authentihash, ssdeep, file type, magic pe32, intel, ms windows, trid windows, os2 executable, compiler, delphi, sections, md5 code, data, children, file size, dropped files, google update, setup sha256, kb file * 129 Subscribers Python Initiated Connection | Spyware | Remote Attacks | FileHash-SHA256 Indicator Active * Created 6 months ago * Modified 5 months ago by scoreblue * Public * TLP: Green CIDR: 1 | CVE: 4 | FileHash-MD5: 197 | FileHash-SHA1: 170 | FileHash-SHA256: 5136 | URL: 12901 | Domain: 3685 | Email: 2 | Hostname: 4445 http response, final url, serving ip, address, status code, body length, b body, sha256, contenttype, phpsessid, cisco umbrella, alexa top, million, safe site, site, whois record, ssl certificate, execution, dropped, whois whois, historical ssl, copy, tsara brashears, communicating, 
referrer, cobalt strike, hacktool, emotet, download, malware, malicious, critical, relic, monitoring, installer, android, agent tesla, et, october, contacted, threat roundup, january, cyberstalking, attack, icmp, banker, keylogger, google llc, gc abuse, orgid, direct, whois lookup, netrange, nethandle, net34, net340000, googl2, comment, gc, dns replication, date, domain, win32 exe, driver pro, files, detections type, name, optimizer pro, javascript, text, text ip, aacr, type name, email, email delivery, email fwd, delivery status, notification, name verdict, runtime process, sha1, size, localappdata, temp, prefetch8, unicode text, type data, programfiles, win64, hybrid, click, strings, youth, pe resource, apple private, data collection, hidden privacy, threats https, legal, amazon aws, wife happy, vhash, authentihash, ssdeep, file type, magic pe32, intel, ms windows, trid windows, os2 executable, compiler, delphi, sections, md5 code, data, children, file size, dropped files, google update, setup sha256, kb file * 88 Subscribers Apple iOS Spyware | Remote Attacks | Fraud Services | Part 3 FileHash-SHA256 Indicator Active * Created 6 months ago * Modified 5 months ago by OctoSeek * Public * TLP: Green FileHash-MD5: 118 | FileHash-SHA1: 104 | FileHash-SHA256: 3552 | URL: 8650 | Domain: 2708 | Hostname: 3073 Apple, Mac, iOS, phishing, frauds, malware, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and probably others. Pulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/ [Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? 
and how did it end up in this post-mortem?←((threat?))Let me tell you a] http response, final url, serving ip, address, status code, body length, b body, sha256, contenttype, phpsessid, cisco umbrella, alexa top, million, safe site, site, whois record, ssl certificate, execution, dropped, whois whois, historical ssl, copy, tsara brashears, communicating, referrer, cobalt strike, hacktool, emotet, download, malware, malicious, critical, relic, monitoring, installer, android, agent tesla, et * 128 Subscribers Apple iOS Spyware | Remote Attacks | Fraud Services | Part 3 FileHash-SHA256 Indicator Active * Created 6 months ago * Modified 5 months ago by OctoSeek * Public * TLP: Green FileHash-MD5: 118 | FileHash-SHA1: 104 | FileHash-SHA256: 3552 | URL: 8650 | Domain: 2708 | Hostname: 3073 Apple, Mac, iOS, phishing, frauds, malware, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and probably others. Pulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/ [Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? 
and how did it end up in this post-mortem?←((threat?))Let me tell you a] http response, final url, serving ip, address, status code, body length, b body, sha256, contenttype, phpsessid, cisco umbrella, alexa top, million, safe site, site, whois record, ssl certificate, execution, dropped, whois whois, historical ssl, copy, tsara brashears, communicating, referrer, cobalt strike, hacktool, emotet, download, malware, malicious, critical, relic, monitoring, installer, android, agent tesla, et * 128 Subscribers Agent Tesla FileHash-SHA256 Indicator Active * Created 6 months ago by StreamMiningEx * Public * TLP: Green CVE: 1 | FileHash-MD5: 65 | FileHash-SHA1: 66 | FileHash-SHA256: 2906 | URL: 6938 | Domain: 1727 | Email: 1 | Hostname: 1675 * 43 Subscribers FORMBOOK FileHash-SHA256 Indicator Active * Created 6 months ago by StreamMiningEx * Public * TLP: Green CVE: 1 | FileHash-MD5: 65 | FileHash-SHA1: 66 | FileHash-SHA256: 2906 | URL: 6938 | Domain: 1727 | Email: 1 | Hostname: 1675 * 43 Subscribers SKYNET FileHash-SHA256 Indicator Active * Created 6 months ago by StreamMiningEx * Public * TLP: Green CVE: 1 | FileHash-MD5: 65 | FileHash-SHA1: 66 | FileHash-SHA256: 2906 | URL: 6938 | Domain: 1727 | Email: 1 | Hostname: 1675 * 43 Subscribers Command and Control • Phishing • Hacking • Scanning Host • BotNetwork FileHash-SHA256 Indicator Active * Created 6 months ago by StreamMiningEx * Public * TLP: Green CVE: 1 | FileHash-MD5: 65 | FileHash-SHA1: 66 | FileHash-SHA256: 2906 | URL: 6938 | Domain: 1727 | Email: 1 | Hostname: 1675 * 44 Subscribers Command and Control • Phishing • Hacking • Scanning Host • BotNetwork FileHash-SHA256 Indicator Active * Created 6 months ago by StreamMiningEx * Public * TLP: Green CVE: 1 | FileHash-MD5: 65 | FileHash-SHA1: 66 | FileHash-SHA256: 2906 | URL: 6938 | Domain: 1727 | Email: 1 | Hostname: 1675 * 43 Subscribers Command and Control • Phishing • Hacking • Scanning Host • BotNetwork FileHash-SHA256 Indicator Active * Created 6 months ago by 
StreamMiningEx * Public * TLP: Green CVE: 1 | FileHash-MD5: 65 | FileHash-SHA1: 66 | FileHash-SHA256: 2906 | URL: 6938 | Domain: 1727 | Email: 1 | Hostname: 1675 * 43 Subscribers Malware Bazar 2 FileHash-SHA256 Indicator Active * Created 6 months ago by StreamMiningEx * Public * TLP: Green FileHash-MD5: 9296 | FileHash-SHA1: 9296 | FileHash-SHA256: 48255 * 43 Subscribers Malware Hashes FileHash-SHA1 Indicator Active * Created 6 months ago by StreamMiningEx * Public * TLP: Green FileHash-MD5: 1795 | FileHash-SHA1: 1795 | FileHash-SHA256: 11962 * 43 Subscribers CNC server.telegrafix.com FileHash-SHA256 Indicator Active * Created 6 months ago by scoreblue * Public * TLP: Green CVE: 3 | FileHash-MD5: 167 | FileHash-SHA1: 117 | FileHash-SHA256: 3178 | URL: 8884 | Domain: 1422 | Email: 2 | Hostname: 3674 record type, ttl value, data, v3 serial, number, issuer, cus cnr3, olet, subject public, key info, key algorithm, key identifier, server, whois lookup, creation date, dnssec, domain name, status, abuse contact, email, registrar abuse, contact phone, date, whois lookups, iana id, domain status, registrar url, registrar whois, first, execution, tsara brashears, ssl certificate, april, threat roundup, october, december, roundup, september, whois record, blustealer, raspberry robin, redline stealer, gopuram, hacktool, skynet, android, quasar, download, malware, hijacker, monitoring, installer, ermac, attack, blackguard, core, awful, twitter, agent tesla, trickbot, ursnif, chaos, metasploit, formbook, metro, name verdict, exit, traffic, node tcp, et tor, known tor, relayrouter, united, team malware, firehol et, tor known, redline, detection list, cisco umbrella, site, safe site, alexa top, million, malicious url, blacklist, phishing, union, team, bank, unsafe, contacted, bundled, project, ransomexx * 85 Subscribers RedLine FileHash-SHA256 Indicator Active * Created 6 months ago by scoreblue * Public * TLP: Green CVE: 3 | FileHash-MD5: 167 | FileHash-SHA1: 117 | 
FileHash-SHA256: 3178 | URL: 8884 | Domain: 1422 | Email: 2 | Hostname: 3674 record type, ttl value, data, v3 serial, number, issuer, cus cnr3, olet, subject public, key info, key algorithm, key identifier, server, whois lookup, creation date, dnssec, domain name, status, abuse contact, email, registrar abuse, contact phone, date, whois lookups, iana id, domain status, registrar url, registrar whois, first, execution, tsara brashears, ssl certificate, april, threat roundup, october, december, roundup, september, whois record, blustealer, raspberry robin, redline stealer, gopuram, hacktool, skynet, android, quasar, download, malware, hijacker, monitoring, installer, ermac, attack, blackguard, core, awful, twitter, agent tesla, trickbot, ursnif, chaos, metasploit, formbook, metro, name verdict, exit, traffic, node tcp, et tor, known tor, relayrouter, united, team malware, firehol et, tor known, redline, detection list, cisco umbrella, site, safe site, alexa top, million, malicious url, blacklist, phishing, union, team, bank, unsafe, contacted, bundled, project, ransomexx * 86 Subscribers CNC server.telegrafix.com FileHash-SHA256 Indicator Active * Created 7 months ago * Modified 6 months ago by OctoSeek * Public * TLP: Green CVE: 3 | FileHash-MD5: 167 | FileHash-SHA1: 117 | FileHash-SHA256: 3178 | URL: 8884 | Domain: 1422 | Email: 2 | Hostname: 3674 Brute force passwords using SSH on server RELAY Targeted individual, adult content, malvertizing, keylogging, monitoring, hacking, CNC, remoted devices, tracking, malware attack,etc. (Auto populated: The last HTTPS certificate was signed by the US government's Department of Homeland Security (DHS), but what exactly is it and what does the certificate actually say?. and how does it look?) 
Tags: record type, ttl value, data, v3 serial, number, issuer, cus cnr3, olet, subject public, key info, key algorithm, key identifier, server, whois lookup, creation date, dnssec, domain name, status, abuse contact, email, registrar abuse, contact phone, date, whois lookups, iana id, domain status, registrar url, registrar whois, first, execution, tsara brashears, ssl certificate, april, threat roundup, october, december, roundup, september, whois record, blustealer, raspberry robin, redline stealer, gopuram, hacktool, skynet, android, quasar, download, malware, hijacker, monitoring, installer, ermac, attack, blackguard, core, awful, twitter, agent tesla, trickbot, ursnif, chaos, metasploit, formbook, metro, name verdict, exit, traffic, node tcp, et tor, known tor, relayrouter, united, team malware, firehol et, tor known, redline, detection list, cisco umbrella, site, safe site, alexa top, million, malicious url, blacklist, phishing, union, team, bank, unsafe, contacted, bundled, project, ransomexx
130 Subscribers

RedLine
FileHash-SHA256 Indicator Active
Created 7 months ago. Modified 6 months ago by OctoSeek. Public. TLP: Green
CVE: 3 | FileHash-MD5: 167 | FileHash-SHA1: 117 | FileHash-SHA256: 3178 | URL: 8884 | Domain: 1422 | Email: 2 | Hostname: 3674
CNC server.telegrafix.com. Brute force passwords using SSH on server RELAY. Targeted individual, monitoring, hacking, CNC, remoted devices, tracking, malware attack, etc. (Auto populated: The last HTTPS certificate was signed by the US government's Department of Homeland Security (DHS), but what exactly is it and what does the certificate actually say? And how does it look?)
Tags: record type, ttl value, data, v3 serial, number, issuer, cus cnr3, olet, subject public, key info, key algorithm, key identifier, server, whois lookup, creation date, dnssec, domain name, status, abuse contact, email, registrar abuse, contact phone, date, whois lookups, iana id, domain status, registrar url, registrar whois, first, execution, tsara brashears, ssl certificate, april, threat roundup, october, december, roundup, september, whois record, blustealer, raspberry robin, redline stealer, gopuram, hacktool, skynet, android, quasar, download, malware, hijacker, monitoring, installer, ermac, attack, blackguard, core, awful, twitter, agent tesla, trickbot, ursnif, chaos, metasploit, formbook, metro, name verdict, exit, traffic, node tcp, et tor, known tor, relayrouter, united, team malware, firehol et, tor known, redline, detection list, cisco umbrella, site, safe site, alexa top, million, malicious url, blacklist, phishing, union, team, bank, unsafe, contacted, bundled, project, ransomexx
132 Subscribers

CNC server.telegrafix.com
FileHash-SHA256 Indicator Active
Created 7 months ago. Modified 6 months ago by scoreblue. Public. TLP: Green
CVE: 3 | FileHash-MD5: 167 | FileHash-SHA1: 117 | FileHash-SHA256: 3178 | URL: 8884 | Domain: 1422 | Email: 2 | Hostname: 3674
Tags: record type, ttl value, data, v3 serial, number, issuer, cus cnr3, olet, subject public, key info, key algorithm, key identifier, server, whois lookup, creation date, dnssec, domain name, status, abuse contact, email, registrar abuse, contact phone, date, whois lookups, iana id, domain status, registrar url, registrar whois, first, execution, tsara brashears, ssl certificate, april, threat roundup, october, december, roundup, september, whois record, blustealer, raspberry robin, redline stealer, gopuram, hacktool, skynet, android, quasar, download, malware, hijacker, monitoring, installer, ermac, attack, blackguard, core, awful, twitter, agent tesla, trickbot, ursnif, chaos, metasploit,
formbook, metro, name verdict, exit, traffic, node tcp, et tor, known tor, relayrouter, united, team malware, firehol et, tor known, redline, detection list, cisco umbrella, site, safe site, alexa top, million, malicious url, blacklist, phishing, union, team, bank, unsafe, contacted, bundled, project, ransomexx
85 Subscribers

CVE:CVE-1999-0095
FileHash-SHA1 Indicator Active
Created 7 months ago. Modified 6 months ago by ellenmmm. Public. TLP: Green
CVE: 2 | FileHash-MD5: 2101 | FileHash-SHA1: 2074 | FileHash-SHA256: 10288 | JA3: 1 | URL: 1495 | Domain: 1310 | Email: 31 | Hostname: 1211
An attack on the Sendmail server is being investigated by researchers at the University of California, Los Angeles, as part of the Openwall security project, which aims to identify and prevent cyber-attacks.
Tags: mlist, scan endpoints, all search, otx ellenmmm, cve cve19990095, files, exploits, targeted, cve overview, sendmail
45 Subscribers

Command and Control • Phishing • Hacking • Scanning Host • BotNetwork
FileHash-SHA256 Indicator Active
Created 9 months ago. Modified 8 months ago by OctoSeek. Public. TLP: Green
CVE: 1 | FileHash-MD5: 65 | FileHash-SHA1: 66 | FileHash-SHA256: 2906 | URL: 6938 | Domain: 1727 | Email: 1 | Hostname: 1675
Extremely Robust hacking campaign for a single individual with a small publishing company. Tsara Brashears targeted individual in command and control, phishing, porn, hacking, etc. scheme.
IPv4 45.159.189.105 command_and_control
URL http://matfyz.cz/ phishing (No Expiration)
URL http://www.craftbychristians.com/wufn/ phishing (No Expiration)
URL https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing (No Expiration)
https://www.milehighmedia.com/legal/2257 phishing
IPv4 20.99.133.109 scanning_host
IPv4 218.85.157.99 scanning_host
Tags: contacted, threat roundup, whois record, execution, october, april, whois whois, december, march, tsara brashears, copy, core, hacktool, emotet, goldbackdoor, attack, metro, nanocore, remcos, qakbot, download, malware, hijacker, monitoring, skynet, contacted urls, ssl certificate, historical ssl, august, formbook, agent tesla, korplug, relic, colibri loader
128 Subscribers

Command and Control • Phishing • Hacking • Scanning Host • BotNetwork
FileHash-SHA256 Indicator Active
Created 9 months ago. Modified 8 months ago by OctoSeek. Public. TLP: Green
CVE: 1 | FileHash-MD5: 65 | FileHash-SHA1: 66 | FileHash-SHA256: 2906 | URL: 6938 | Domain: 1727 | Email: 1 | Hostname: 1675
Extremely Robust hacking campaign for a single individual with a small publishing company. Tsara Brashears targeted individual in command and control, phishing, porn, hacking, etc. scheme.
IPv4 45.159.189.105 command_and_control
URL http://matfyz.cz/ phishing (No Expiration)
URL http://www.craftbychristians.com/wufn/ phishing (No Expiration)
URL https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing (No Expiration)
https://www.milehighmedia.com/legal/2257 phishing
IPv4 20.99.133.109 scanning_host
IPv4 218.85.157.99 scanning_host
Tags: contacted, threat roundup, whois record, execution, october, april, whois whois, december, march, tsara brashears, copy, core, hacktool, emotet, goldbackdoor, attack, metro, nanocore, remcos, qakbot, download, malware, hijacker, monitoring, skynet, contacted urls, ssl certificate, historical ssl, august, formbook, agent tesla, korplug, relic, colibri loader
128 Subscribers

Command and Control • Phishing • Hacking • Scanning Host • BotNetwork
FileHash-SHA256 Indicator Active
Created 9 months ago. Modified 8 months ago by OctoSeek. Public. TLP: Green
CVE: 1 | FileHash-MD5: 65 | FileHash-SHA1: 66 | FileHash-SHA256: 2906 | URL: 6938 | Domain: 1727 | Email: 1 | Hostname: 1675
Extremely Robust hacking campaign for a single individual with a small publishing company. Tsara Brashears targeted individual in command and control, phishing, porn, hacking, etc. scheme.
IPv4 45.159.189.105 command_and_control
URL http://matfyz.cz/ phishing (No Expiration)
URL http://www.craftbychristians.com/wufn/ phishing (No Expiration)
URL https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing (No Expiration)
https://www.milehighmedia.com/legal/2257 phishing
IPv4 20.99.133.109 scanning_host
IPv4 218.85.157.99 scanning_host
Tags: contacted, threat roundup, whois record, execution, october, april, whois whois, december, march, tsara brashears, copy, core, hacktool, emotet, goldbackdoor, attack, metro, nanocore, remcos, qakbot, download, malware, hijacker, monitoring, skynet, contacted urls, ssl certificate, historical ssl, august, formbook, agent tesla, korplug, relic, colibri loader
129 Subscribers

SKYNET
FileHash-SHA256 Indicator Active
Created 9 months ago. Modified 8 months ago by OctoSeek. Public. TLP: Green
CVE: 1 | FileHash-MD5: 65 | FileHash-SHA1: 66 | FileHash-SHA256: 2906 | URL: 6938 | Domain: 1727 | Email: 1 | Hostname: 1675
Tags: contacted, threat roundup, whois record, execution, october, april, whois whois, december, march, tsara brashears, copy, core, hacktool, emotet, goldbackdoor, attack, metro, nanocore, remcos, qakbot, download, malware, hijacker, monitoring, skynet, contacted urls, ssl certificate, historical ssl, august, formbook, agent tesla, korplug, relic, colibri loader
128 Subscribers

FORMBOOK
FileHash-SHA256 Indicator Active
Created 9 months ago. Modified 8 months ago by OctoSeek. Public. TLP: Green
CVE: 1 | FileHash-MD5: 65 | FileHash-SHA1: 66 | FileHash-SHA256: 2906 | URL: 6938 | Domain: 1727 | Email: 1 | Hostname: 1675
Tags: contacted, threat roundup, whois record, execution, october, april, whois whois, december, march, tsara brashears, copy, core, hacktool, emotet, goldbackdoor, attack, metro, nanocore, remcos, qakbot, download, malware, hijacker, monitoring, skynet, contacted urls, ssl certificate, historical ssl, august, formbook, agent tesla, korplug, relic, colibri loader
128 Subscribers

Agent Tesla
FileHash-SHA256 Indicator Active
Created 9 months ago. Modified 8 months ago by OctoSeek. Public. TLP: Green
CVE: 1 | FileHash-MD5: 65 | FileHash-SHA1: 66 | FileHash-SHA256: 2906 | URL: 6938 | Domain: 1727 | Email: 1 | Hostname: 1675
Tags: contacted, threat roundup, whois record, execution, october, april, whois whois, december, march, tsara brashears, copy, core, hacktool, emotet, goldbackdoor, attack, metro, nanocore, remcos, qakbot, download, malware, hijacker, monitoring, skynet, contacted urls, ssl certificate, historical ssl, august, formbook, agent tesla, korplug, relic, colibri loader
130 Subscribers

DynamicRAT — A full-fledged Java Rat
FileHash-SHA256 Indicator Active
Created 12 months ago. Modified 11 months ago by @Gi7w0rm. Public. TLP: White
FileHash-SHA256: 21 | URL: 4 | Domain: 1 | Hostname: 6
A newfound Java-based RAT that uses tax-based lures to infect victims.
Tags: download, server, c2 server, server http, DynamicRAT, java
38 Subscribers

Malware Bazar 2
FileHash-SHA256 Indicator Active
Created 1 year ago by LoveAndren. Public. TLP: White
FileHash-MD5: 9296 | FileHash-SHA1: 9296 | FileHash-SHA256: 48255
20 Subscribers

Malware Hashes
FileHash-SHA1 Indicator Active
Created 2 years ago by bluewatcher. Public. TLP: White
FileHash-MD5: 1795 | FileHash-SHA1: 1795 | FileHash-SHA256: 11962
Tags: malwarebazaar, number, sha1, sha256, virusdeck, clipper, bokbot, iceid, icedid, geodo, heodo, cryptolaemus1, royalroad, dropper, shaoye, moqhao
86 Subscribers

© Copyright 2024 LevelBlue, Inc.