IP · Medium · Signal 26/100
176.122.125.40
Location
Kalynivka, 23
ASN
AS50581
Ukraine telecommunication group Ltd
First Seen
Dec 5, 2021
Last Seen
Jun 12, 2026
Found in 5 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
26%
Signal Score
26 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Network Information
Country
Ukraine
Region
Kalynivka, 23
ASN
AS50581
Organization
Ukraine telecommunication group Ltd
IP Category
Proxy
Proxy server
Feed Intelligence Summary
5 reports · 26% confidence
5
Source reports
26%
Confidence score
Category tags
Activity Timeline
Jun 12
Threat Activity Heatmap
Peak: 2026-06-12
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score
Low Risk
Signal Score
26
Confidence
26%
Reports
5
First seen
Dec 5, 2021
Last seen
Jun 12, 2026
Geolocation
UA
Country
Ukraine
Location
Kalynivka, 23
ASN
AS50581
Org
Ukraine telecommunication group Ltd
Coords
47.3900, 34.9932
Proxy
VirusTotal
Not checked
WHOIS
- description
- Interesting. Further research required. https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=+New+Worker+Online%0A+PC:+DESKTOP-BBE3PFV%0A+User:+alien%0A+IP:+Sweden%0A+Country:+SE+ https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=\\xfff0\\xff9f\\xff9f\\xffa2+New+Worker+Online%0A\\xfff0\\xff9f\\xff92\\xffbb+PC:+DESKTOP-BBE3PFV%0A\\xfff0\\xff9f\\xff91\\xffa4+User:+alien%0A\\xfff0\\xff9f\\xff8c\\xff90+IP:+Sweden%0A\\xfff0\\xff9f\\xff97\\xffba+Country:+SE+
- raw
  inetnum:        176.122.96.0 - 176.122.127.255
  netname:        UTELCOMNET
  country:        UA
  org:            ORG-UTGL1-RIPE
  admin-c:        UN1580-RIPE
  tech-c:         UN1580-RIPE
  status:         ASSIGNED PI
  mnt-by:         RIPE-NCC-END-MNT
  mnt-by:         UTELECOMUA-MNT
  mnt-routes:     UTELECOMUA-MNT
  mnt-domains:    UTELECOMUA-MNT
  created:        2012-07-12T08:47:03Z
  last-modified:  2019-07-08T09:49:14Z
  source:         RIPE # Filtered

  organisation:   ORG-UTGL1-RIPE
  org-name:       Ukrainian Telecommunication Group LLC
  country:        UA
  org-type:       LIR
  address:        vul. Tsentralna, 57
  address:        08623
  address:        Kalynivka
  address:        UKRAINE
  phone:          +380443539450
  admin-c:        SI4106-RIPE
  tech-c:         SL13147-RIPE
  abuse-c:        AR53327-RIPE
  mnt-ref:        mnt-ua-utg-1
  mnt-by:         RIPE-NCC-HM-MNT
  mnt-by:         mnt-ua-utg-1
  created:        2019-06-20T06:57:44Z
  last-modified:  2021-01-25T14:55:15Z
  source:         RIPE # Filtered

  role:           UTG NCC
  remarks:        UTG LLC Network Coordination Center
  address:        Ukrainian Telecommunication Group LLC
  address:        vul. Tsentralna, 57
  address:        Kalynivka
  address:        Vasylkivskyi raion
  address:        Kyivska obl.
  address:        08623 Ukraine
  phone:          +380443609929
  abuse-mailbox:  [email protected]
  remarks:        http://utelecom.com.ua
  remarks:        Abuse : [email protected]
  remarks:        Routing : [email protected]
  remarks:        Peering : [email protected]
  remarks:        Sales : [email protected]
  admin-c:        SI1319-ripe
  tech-c:         VNH3-RIPE
  tech-c:         VR3125-RIPE
  tech-c:         SL10980-RIPE
  nic-hdl:        UN1580-RIPE
  mnt-by:         UTELECOMUA-MNT
  created:        2015-12-09T21:29:37Z
  last-modified:  2022-10-27T11:07:10Z
  source:         RIPE # Filtered

  route:          176.122.125.0/24
  descr:          Ukraine telecommunication group Ltd.
  origin:         AS50581
  mnt-by:         UTELECOMUA-MNT
  created:        2013-11-22T10:25:10Z
  last-modified:  2013-11-22T10:25:10Z
  source:         RIPE
- references
http://designspaceblog.com/?mystique=jquery_init&ver=2.4.2, 143.244.50.213 |169.150.249.162 [malware_hosting], http://watchhers.net/index.php [malware spreader], https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration 0 Domain twitter.com No Expiration 0 Hostname www.pornhub.com No Expiration 0 URL https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 No Expiration 0 URL, xred.mooo.com [pornhub trojan], https://twitter.com/PORNO_SEXYBABES [ malvertizing, contextualizing, malicious], http://45.159.189.105/bot/online?key=7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e&guid=DESKTOP-B0T93D6\george, https://otx.alienvault.com/indicator/url/https://www.hostinger.com/?REFERRALCODE=1ROCKY77 [ DGA parking], https://hallrender.com/attorney/brian-sabey, https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad, https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app), https://www.hallrender.com/attorney/brian-sabey/#breadcrumb, 192.124.249.53:80, hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group), https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears), https://www.hallrender.com/professional/kathy-l-thurston/ (phishing), https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting), https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting), Other malicious Hall Render assets and attacks. 
This doesn't include evidence of physical, documented crimes against targets who may not know source), http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks), 114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law), rp.dudaran2.com [routerlogin.net to safebae.org], vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed], https://1.1.1.1/login.html [login access to Brashears' Warp if applicable], http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378, https://poemhunter.com/tsara-brashears/, https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel], http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering), https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd, government.westlaw.com, web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide ), safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic, west-sca.duckdns.org, us-west-2.es.amazonaws.com (pslicorp), hero9780.duckdns.org ( government.westlaw.com/house of mo), https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb "t" threat, reported, dismissed), http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears), www.hallrender.com (malware hosting), https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary), www42.jhonisdead.com, alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. 
Formerly property of Hall Render Brian Sabey), https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww ), https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. ), https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female), www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging), poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking), fakecelebporno.com, batchcourtexpressservicesqa.westlaw.com, batchpublicrecords.westlaw.com, apple-aqo.com (1 DNSPod.net), http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool →init.ess.apple.com/Web0), c.oooooooooo.ga (c.apple.com cdn), https://www.anyxxxtube.net/media/favicon/apple, init.ess.apple.com ( Code Script • MortalK), 34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg., https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie), 000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection), https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service], https://www.hallrender.com/attorney/brian-sabey
IOC Journey
Confidence: medium. First detected 4 years ago · Last seen 12 days ago.
Appeared in 5 threat reports.