[{"reference": ["https://twitter.com/phishunt_io/status/1558998765939441665/photo/1"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["199.34.228.53"], "domain": ["pemulihan-facebook08.weebly.com"], "url": ["pemulihan-facebook08.weebly.com/verifikasi.html"], "tweet": {"user": "phishunt_io", "tweet": "#NewPhishing | #phishing #scam\n\n\ud83d\udd17 /pemulihan-facebook08.weebly.com/verifikasi.html\n\ud83d\udea9 199.34.228.53\n\u2601 WEEBLY\n\ud83d\udd12 DigiCert TLS RSA SHA256 2020 CA1 https://twitter.com/phishunt_io/status/1558998765939441665/photo/1", "id": "1558998765939441665", "retweets": 1, "link": "https://twitter.com/phishunt_io/status/1558998765939441665", "mentions": [], "hashtags": ["#NewPhishing", "#phishing", "#scam"], "date": {"$date": 1660529245000}, "timestamp": 1660554445}}, {"reference": ["https://labs.inquest.net/dfi/hash/408adf52ce66d64212c303ec9df03d03c8f354dc6ff5f89b1ba63d94f177b41e"], "md5": [], "sha1": [], "sha256": ["25af1a0350f10d92568969f9dc2ab5e162f02614ff5cc231e7e638f4d2571927", "408adf52ce66d64212c303ec9df03d03c8f354dc6ff5f89b1ba63d94f177b41e"], "mail": [], "ip": ["107.172.75.169"], "domain": ["jmcglone.com"], "url": ["107.172.75.169/hp/236.doc", "http://jmcglone.com"], "tweet": {"user": "InQuest", "tweet": "\ud83e\udd16 Potentially malicious RTF document found hosted at:\n\nhxxp://jmcglone.com@107.172.75.169/hp/236.doc\nSHA256: 25af1a0350f10d92568969f9dc2ab5e162f02614ff5cc231e7e638f4d2571927\n\nIOC extracted from sample: https://labs.inquest.net/dfi/hash/408adf52ce66d64212c303ec9df03d03c8f354dc6ff5f89b1ba63d94f177b41e\n\n(Automated Tweet. maybe a FP)", "id": "1559018788028293120", "retweets": 1, "link": "https://twitter.com/InQuest/status/1559018788028293120", "mentions": ["@107"], "hashtags": [], "date": {"$date": 1660534018000}, "timestamp": 1660559218}}, {"reference": ["https://www.virustotal.com/gui/file/3c1bbc08663893ee158145bd5c150fc92077bf1a8ac3002ef90aebb9026763f0/detection"], "md5": [], "sha1": [], "sha256": ["3c1bbc08663893ee158145bd5c150fc92077bf1a8ac3002ef90aebb9026763f0"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "suyog41", "tweet": "Eternity Stealer\n https://www.virustotal.com/gui/file/3c1bbc08663893ee158145bd5c150fc92077bf1a8ac3002ef90aebb9026763f0/detection", "id": "1559037911416197120", "retweets": 0, "link": "https://twitter.com/suyog41/status/1559037911416197120", "mentions": [], "hashtags": [], "date": {"$date": 1660538578000}, "timestamp": 1660563778}}, {"reference": ["https://www.virustotal.com/gui/file/f4de6403a7baa279dff0ecd9f7ae8c3b14a7979a6d113de29de9bd6d35868cb2/detection"], "md5": [], "sha1": [], "sha256": ["f4de6403a7baa279dff0ecd9f7ae8c3b14a7979a6d113de29de9bd6d35868cb2"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "suyog41", "tweet": "#TeamTnT\n https://www.virustotal.com/gui/file/f4de6403a7baa279dff0ecd9f7ae8c3b14a7979a6d113de29de9bd6d35868cb2/detection", "id": "1559070950020112384", "retweets": 0, "link": "https://twitter.com/suyog41/status/1559070950020112384", "mentions": [], "hashtags": ["#TeamTnT"], "date": {"$date": 1660546455000}, "timestamp": 1660571655}}, {"reference": ["https://www.virustotal.com/gui/file/6161c01fd590c98c6dee4e510ba9be4f574c9cc5c89283dbff6bb79cd9383d70", "https://www.virustotal.com/gui/file/beacb63904c2624ae02601f283671b3ef61650109aea3259b63a0aeefe4133fa", "https://twitter.com/stopmalvertisin/status/1559071063572873217/photo/1"], "md5": [], "sha1": [], "sha256": ["beacb63904c2624ae02601f283671b3ef61650109aea3259b63a0aeefe4133fa", "6161c01fd590c98c6dee4e510ba9be4f574c9cc5c89283dbff6bb79cd9383d70"], "mail": [], "ip": ["88.198.148.231", "185.222.57.238"], "domain": [], "url": ["185.222.57.238:27519", "http://88.198.148.231/b.hta", "http://88.198.148.231/p.pdf", "http://88.198.148.231/u.exe"], "tweet": {"user": "StopMalvertisin", "tweet": "Never Split the Difference Negotiating As If Your Life Depended On It.lnk\n https://www.virustotal.com/gui/file/beacb63904c2624ae02601f283671b3ef61650109aea3259b63a0aeefe4133fa\nNext Stage\n http://88.198.148.231/b.hta\nNext\n http://88.198.148.231/p.pdf - decoy\n http://88.198.148.231/u.exe\n#RedlineStealer -> 185.222.57.238:27519\n https://www.virustotal.com/gui/file/6161c01fd590c98c6dee4e510ba9be4f574c9cc5c89283dbff6bb79cd9383d70 https://twitter.com/StopMalvertisin/status/1559071063572873217/photo/1", "id": "1559071063572873217", "retweets": 7, "link": "https://twitter.com/StopMalvertisin/status/1559071063572873217", "mentions": [], "hashtags": ["#RedlineStealer"], "date": {"$date": 1660546482000}, "timestamp": 1660571682}}, {"reference": ["https://www.virustotal.com/gui/file/c0e714a4edd448d5dde4e8c6d0095525543d4820684185a949f66aed7ff5a85c/detection"], "md5": [], "sha1": [], "sha256": ["c0e714a4edd448d5dde4e8c6d0095525543d4820684185a949f66aed7ff5a85c"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "suyog41", "tweet": "Kinsing miner\n https://www.virustotal.com/gui/file/c0e714a4edd448d5dde4e8c6d0095525543d4820684185a949f66aed7ff5a85c/detection\n\n#Kinsing #Kinsingminer #miner", "id": "1559071581283893249", "retweets": 0, "link": "https://twitter.com/suyog41/status/1559071581283893249", "mentions": [], "hashtags": ["#Kinsing", "#Kinsingminer", "#miner"], "date": {"$date": 1660546605000}, "timestamp": 1660571805}}, {"reference": ["https://www.virustotal.com/gui/file/ed40f97c5235bbe9096beabc58be1296e9b5dcf88a2990deb7355e521d24edc1/detection"], "md5": [], "sha1": [], "sha256": ["ed40f97c5235bbe9096beabc58be1296e9b5dcf88a2990deb7355e521d24edc1"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "suyog41", "tweet": "#Kinsing actor exploiting cve-2021-22204\n https://www.virustotal.com/gui/file/ed40f97c5235bbe9096beabc58be1296e9b5dcf88a2990deb7355e521d24edc1/detection", "id": "1559076678579544064", "retweets": 0, "link": "https://twitter.com/suyog41/status/1559076678579544064", "mentions": [], "hashtags": ["#Kinsing"], "date": {"$date": 1660547821000}, "timestamp": 1660573021}}, {"reference": ["https://labs.inquest.net/dfi/hash/88215d63f660940c71f6b9c6fcb3aaab7e65c9692c8d748a9a00890138494a30"], "md5": [], "sha1": [], "sha256": ["4c174604ff029ec1a36395156359e5875de7caeca631b876869521e018324c3b", "88215d63f660940c71f6b9c6fcb3aaab7e65c9692c8d748a9a00890138494a30"], "mail": [], "ip": ["23.95.34.121"], "domain": ["jmcglone.com"], "url": ["23.95.34.121/hp/www_o/https.doc", "http://jmcglone.com"], "tweet": {"user": "InQuest", "tweet": "\ud83e\udd16 Potentially malicious RTF document found hosted at:\n\nhxxp://jmcglone.com@23.95.34.121/hp/www_o/https.doc\nSHA256: 4c174604ff029ec1a36395156359e5875de7caeca631b876869521e018324c3b\n\nIOC extracted from sample: https://labs.inquest.net/dfi/hash/88215d63f660940c71f6b9c6fcb3aaab7e65c9692c8d748a9a00890138494a30\n\n(Automated Tweet. maybe a FP)", "id": "1559092505135796225", "retweets": 1, "link": "https://twitter.com/InQuest/status/1559092505135796225", "mentions": ["@23"], "hashtags": [], "date": {"$date": 1660551594000}, "timestamp": 1660576794}}, {"reference": ["https://bazaar.abuse.ch/sample/76551972eeedf1a86d9639e25568980c143f8872cec3c110f6c63fbd636523b1/"], "md5": [], "sha1": [], "sha256": ["76551972eeedf1a86d9639e25568980c143f8872cec3c110f6c63fbd636523b1"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "0xToxin", "tweet": "@JAMESWT_MHT @ankit_anubhav @executemalware @Israel_Torres @Gi7w0rm @1ZRR4H @MalGamy12 sample - https://bazaar.abuse.ch/sample/76551972eeedf1a86d9639e25568980c143f8872cec3c110f6c63fbd636523b1/\n\n(#AgentTesla)", "id": "1559096963680837633", "retweets": 1, "link": "https://twitter.com/0xToxin/status/1559096963680837633", "mentions": ["@JAMESWT_MHT", "@ankit_anubhav", "@executemalware", "@Israel_Torres", "@Gi7w0rm", "@1ZRR4H", "@MalGamy12"], "hashtags": ["#AgentTesla"], "date": {"$date": 1660552657000}, "timestamp": 1660577857}}, {"reference": ["https://urlhaus.abuse.ch/verify-ua/?url="], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["twinybots.ch"], "url": ["http://twinybots.ch"], "tweet": {"user": "MnkeniFrancis", "tweet": "URLhaus #Cybersecurity #security via http://twinybots.ch https://urlhaus.abuse.ch/verify-ua/?url= L2Jyb3dzZS8= ", "id": "1559097863598120960", "retweets": 1, "link": "https://twitter.com/MnkeniFrancis/status/1559097863598120960", "mentions": [], "hashtags": ["#Cybersecurity", "#security"], "date": {"$date": 1660552871000}, "timestamp": 1660578071}}, {"reference": ["https://urlhaus.abuse.ch/verify-ua/?url="], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["twinybots.ch"], "url": ["http://twinybots.ch"], "tweet": {"user": "StanleyEpstein", "tweet": "URLhaus #Cybersecurity #security via http://twinybots.ch https://urlhaus.abuse.ch/verify-ua/?url= L2Jyb3dzZS8= ", "id": "1559102957387481088", "retweets": 2, "link": "https://twitter.com/StanleyEpstein/status/1559102957387481088", "mentions": [], "hashtags": ["#Cybersecurity", "#security"], "date": {"$date": 1660554086000}, "timestamp": 1660579286}}, {"reference": ["https://twitter.com/timele9527/status/1559106961563471872/photo/1", "https://mp-weixin-qq-com.translate.goog/s/egg0norzfvo_rcy_zmtgvq?_x_tr_sl="], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["mp-weixin-qq-com.translate.goog", "mp.weixin.qq.com"], "url": ["https://mp-weixin-qq-com.translate.goog/s/egG0nORZFvo_rCY_zmTgVQ?_x_tr_sl", "https://mp.weixin.qq.com/s/egG0nORZFvo_rCY_zmTgVQ"], "tweet": {"user": "Timele9527", "tweet": "#APT #Patchwork #Patchinfecter #Infectedloader #CVE-2021-40444\nreport:\n https://mp.weixin.qq.com/s/egG0nORZFvo_rCY_zmTgVQ\n https://mp-weixin-qq-com.translate.goog/s/egG0nORZFvo_rCY_zmTgVQ?_x_tr_sl= auto&_x_tr_tl= en&_x_tr_hl= zh-CN&_x_tr_pto= wapp https://twitter.com/Timele9527/status/1559106961563471872/photo/1", "id": "1559106961563471872", "retweets": 15, "link": "https://twitter.com/Timele9527/status/1559106961563471872", "mentions": [], "hashtags": ["#APT", "#Patchwork", "#Patchinfecter", "#Infectedloader", "#CVE"], "date": {"$date": 1660555041000}, "timestamp": 1660580241}}, {"reference": ["https://labs.inquest.net/dfi/hash/ca13cac2a248b888dc22fd609688d0abc665a046d0f37b1d82a994030cc5da36"], "md5": [], "sha1": [], "sha256": ["a83400b7666ddb4b0a9c2412684d22e3ea4110bb77862005a590a9f807ed47fc", "ca13cac2a248b888dc22fd609688d0abc665a046d0f37b1d82a994030cc5da36"], "mail": [], "ip": ["198.12.89.174"], "domain": ["jmcglone.com"], "url": ["198.12.89.174/hp/shp_20.doc", "http://jmcglone.com"], "tweet": {"user": "InQuest", "tweet": "\ud83e\udd16 Potentially malicious RTF document found hosted at:\n\nhxxp://jmcglone.com@198.12.89.174/hp/shp_20.doc\nSHA256: a83400b7666ddb4b0a9c2412684d22e3ea4110bb77862005a590a9f807ed47fc\n\nIOC extracted from sample: https://labs.inquest.net/dfi/hash/ca13cac2a248b888dc22fd609688d0abc665a046d0f37b1d82a994030cc5da36\n\n(Automated Tweet. maybe a FP)", "id": "1559111805087223809", "retweets": 1, "link": "https://twitter.com/InQuest/status/1559111805087223809", "mentions": ["@198"], "hashtags": [], "date": {"$date": 1660556195000}, "timestamp": 1660581395}}, {"reference": ["https://labs.inquest.net/dfi/hash/eef6bfdc05d17537c7171396e8dc3a40af029d27e501456b0fd363f98e97c19a"], "md5": [], "sha1": [], "sha256": ["b6d92095255846e3142c966fc9a8d57fc5ab21a328c806e1b965a4513f340e2e", "eef6bfdc05d17537c7171396e8dc3a40af029d27e501456b0fd363f98e97c19a"], "mail": [], "ip": ["198.23.207.54"], "domain": ["jmcglone.com"], "url": ["198.23.207.54/https/shipping.doc", "http://jmcglone.com"], "tweet": {"user": "InQuest", "tweet": "\ud83e\udd16 Potentially malicious RTF document found hosted at:\n\nhxxp://jmcglone.com@198.23.207.54/https/shipping.doc\nSHA256: b6d92095255846e3142c966fc9a8d57fc5ab21a328c806e1b965a4513f340e2e\n\nIOC extracted from sample: https://labs.inquest.net/dfi/hash/eef6bfdc05d17537c7171396e8dc3a40af029d27e501456b0fd363f98e97c19a\n\n(Automated Tweet. maybe a FP)", "id": "1559115696394600448", "retweets": 1, "link": "https://twitter.com/InQuest/status/1559115696394600448", "mentions": ["@198"], "hashtags": [], "date": {"$date": 1660557123000}, "timestamp": 1660582323}}, {"reference": ["https://twitter.com/phishunt_io/status/1559118666536521730/photo/1"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["20.243.169.103"], "domain": ["instagram-picture12wbf.b0tnet.com"], "url": [], "tweet": {"user": "phishunt_io", "tweet": "#NewPhishing | #phishing #scam\n\n\ud83d\udd17 /instagram-picture12wbf.b0tnet.com/\n\ud83d\udea9 20.243.169.103\n\u2601 MICROSOFT-CORP-MSN-AS-BLOCK\n\ud83d\udd12 R3 https://twitter.com/phishunt_io/status/1559118666536521730/photo/1", "id": "1559118666536521730", "retweets": 0, "link": "https://twitter.com/phishunt_io/status/1559118666536521730", "mentions": [], "hashtags": ["#NewPhishing", "#phishing", "#scam"], "date": {"$date": 1660557831000}, "timestamp": 1660583031}}, {"reference": ["https://labs.inquest.net/dfi/hash/5d320fa65fc0e5416354cb4c4d72927d5100816a1ebc5904c09713a20f58b182"], "md5": [], "sha1": [], "sha256": ["b90d00f2b65b13ec8cbe1ea6155c998a1c4ba39c9ad3d7a2d433553410cb086b", "5d320fa65fc0e5416354cb4c4d72927d5100816a1ebc5904c09713a20f58b182"], "mail": [], "ip": ["198.12.89.174"], "domain": ["jmcglone.com"], "url": ["198.12.89.174/hp/shp_10.doc", "http://jmcglone.com"], "tweet": {"user": "InQuest", "tweet": "\ud83e\udd16 Potentially malicious RTF document found hosted at:\n\nhxxp://jmcglone.com@198.12.89.174/hp/shp_10.doc\nSHA256: b90d00f2b65b13ec8cbe1ea6155c998a1c4ba39c9ad3d7a2d433553410cb086b\n\nIOC extracted from sample: https://labs.inquest.net/dfi/hash/5d320fa65fc0e5416354cb4c4d72927d5100816a1ebc5904c09713a20f58b182\n\n(Automated Tweet. maybe a FP)", "id": "1559119747932897280", "retweets": 1, "link": "https://twitter.com/InQuest/status/1559119747932897280", "mentions": ["@198"], "hashtags": [], "date": {"$date": 1660558089000}, "timestamp": 1660583289}}, {"reference": ["https://www.virustotal.com/gui/domain/rasiones.ddns.net"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["rasiones.ddns.net"], "url": [], "tweet": {"user": "Certego_Intel", "tweet": "#Malware #AveMaria #Blocklist\nDomain: rasiones.ddns.net\nVirusTotal: https://www.virustotal.com/gui/domain/rasiones.ddns.net\n#CyberSecurity #ThreatIntel (bot generated)", "id": "1559124344965586946", "retweets": 6, "link": "https://twitter.com/Certego_Intel/status/1559124344965586946", "mentions": [], "hashtags": ["#Malware", "#AveMaria", "#Blocklist", "#CyberSecurity", "#ThreatIntel"], "date": {"$date": 1660559185000}, "timestamp": 1660584385}}, {"reference": ["https://twitter.com/dubstard/status/1559128040847949824/photo/1"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["1inch.io"], "url": ["http://1inch.io"], "tweet": {"user": "dubstard", "tweet": "Hi @Namecheap and @namesilo \n\nPlease suspend those scams:\n\n\u26a0rewards-1inch\u00ad.com (namecheap)\n\u26a0rewards-1inch\u00ad.io (namesilo)\n\nThe legitimate domain being impersonated is http://1inch.io\nand belongs to @1inch \n\ncc @kristaps_ronka for namesilo\nThanks in advance!\n\n#scam https://twitter.com/dubstard/status/1559128040847949824/photo/1", "id": "1559128040847949824", "retweets": 2, "link": "https://twitter.com/dubstard/status/1559128040847949824", "mentions": ["@Namecheap", "@namesilo", "@1inch", "@kristaps_ronka"], "hashtags": ["#scam"], "date": {"$date": 1660560066000}, "timestamp": 1660585266}}, {"reference": ["https://www.virustotal.com/gui/file/d7e96518ea789972e8c06f6388bcb14c2969ab3e4b29e55d99d0ed970d15df3f/detection/f-d7e96518ea789972e8c06f6388bcb14c2969ab3e4b29e55d99d0ed970d15df3f-1659070739"], "md5": [], "sha1": [], "sha256": ["d7e96518ea789972e8c06f6388bcb14c2969ab3e4b29e55d99d0ed970d15df3f"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "Zap42", "tweet": " https://www.virustotal.com/gui/file/d7e96518ea789972e8c06f6388bcb14c2969ab3e4b29e55d99d0ed970d15df3f/detection/f-d7e96518ea789972e8c06f6388bcb14c2969ab3e4b29e55d99d0ed970d15df3f-1659070739\n#sha256sum /boot/vmlinuz-5.10.0-16-amd64\nd7e96518ea789972e8c06f6388bcb14c2969ab3e4b29e55d99d0ed970d15df3f /boot/vmlinuz-5.10.0-16-amd64\n#dpkg -S /boot/vmlinuz-5.10.0-16-amd64\nlinux-image-5.10.0-16-amd64: /boot/vmlinuz-5.10.0-16-amd64\n\ud83e\udd37", "id": "1559130145834864640", "retweets": 0, "link": "https://twitter.com/Zap42/status/1559130145834864640", "mentions": [], "hashtags": ["#sha256sum", "#dpkg"], "date": {"$date": 1660560568000}, "timestamp": 1660585768}}, {"reference": ["https://urlscan.io/result/07386fed-a9a5-44f0-8dcc-e4bdb119c165/", "https://twitter.com/ozuma5119/status/1559131864094617600/photo/1", "https://otx.alienvault.com/pulse/62fa24ed2c9748d23b9bc90b"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["198.23.221.139"], "domain": ["visa.jcb"], "url": [], "tweet": {"user": "ozuma5119", "tweet": "\ud83d\udd25\u26a0\ufe0fMassive 1400 #Phishing Sites on 1 IP! \ud83d\udd25\nIP: 198.23.221.139 (AS36352 ColoCrossing)\nIoC: https://otx.alienvault.com/pulse/62fa24ed2c9748d23b9bc90b\nBrand: MUFG Nicos \u4e09\u83f1UFJ\u30cb\u30b3\u30b9 (VISA.JCB.Master.Amex). JP\ud83c\uddef\ud83c\uddf5\nScan: https://urlscan.io/result/07386fed-a9a5-44f0-8dcc-e4bdb119c165/\n\n\ud83d\udcdd need SrcIP= JP\ud83c\uddef\ud83c\uddf5 to access the Phishing Site.\n\n\u2193 https://twitter.com/ozuma5119/status/1559131864094617600/photo/1", "id": "1559131864094617600", "retweets": 1, "link": "https://twitter.com/ozuma5119/status/1559131864094617600", "mentions": [], "hashtags": ["#Phishing"], "date": {"$date": 1660560978000}, "timestamp": 1660586178}}, {"reference": ["https://twitter.com/dubstard/status/1559133448345997314/photo/1"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["pudgypenguins.com"], "url": ["http://pudgypenguins.com"], "tweet": {"user": "dubstard", "tweet": "Hi @namesilo\n \nPlease suspend this scam:\n\n\u26a0pudgypenguins-claim\u00ad.com\n\nThe legitimate domain being impersonated is http://pudgypenguins.com and belongs to @pudgypenguins\n\ncc @kristaps_ronka for NameSilo enforcement. thanks in advance!\n\ncc @ASvanevik fake pengus spotted! https://twitter.com/dubstard/status/1559133448345997314/photo/1", "id": "1559133448345997314", "retweets": 1, "link": "https://twitter.com/dubstard/status/1559133448345997314", "mentions": ["@namesilo", "@pudgypenguins", "@kristaps_ronka", "@ASvanevik"], "hashtags": [], "date": {"$date": 1660561356000}, "timestamp": 1660586556}}, {"reference": ["https://twitter.com/timele9527/status/1559106961563471872"], "md5": [], "sha1": [], "sha256": ["3b20946a0ed8d4320285b2f114047fed54761ec4005fc6ccc10fcf123cf15a97"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "Timele9527", "tweet": "some sample:\n3b20946a0ed8d4320285b2f114047fed54761ec4005fc6ccc10fcf123cf15a97 https://twitter.com/Timele9527/status/1559106961563471872", "id": "1559138363688378368", "retweets": 1, "link": "https://twitter.com/Timele9527/status/1559138363688378368", "mentions": [], "hashtags": [], "date": {"$date": 1660562527000}, "timestamp": 1660587727}}, {"reference": ["https://labs.inquest.net/dfi/hash/1a4e64092ebc77ded3525862567633672135252d7e98911ad045a37d76f97ca2"], "md5": [], "sha1": [], "sha256": ["751f1f8d2c81b66922c6f0f319aeff1b2ba593781ae89d4813b721f98e29671d", "1a4e64092ebc77ded3525862567633672135252d7e98911ad045a37d76f97ca2"], "mail": [], "ip": ["23.95.34.121"], "domain": ["jmcglone.com"], "url": ["23.95.34.121/hp/www_s/https.doc", "http://jmcglone.com"], "tweet": {"user": "InQuest", "tweet": "\ud83e\udd16 Potentially malicious RTF document found hosted at:\n\nhxxp://jmcglone.com@23.95.34.121/hp/www_s/https.doc\nSHA256: 751f1f8d2c81b66922c6f0f319aeff1b2ba593781ae89d4813b721f98e29671d\n\nIOC extracted from sample: https://labs.inquest.net/dfi/hash/1a4e64092ebc77ded3525862567633672135252d7e98911ad045a37d76f97ca2\n\n(Automated Tweet. maybe a FP)", "id": "1559144311815606273", "retweets": 1, "link": "https://twitter.com/InQuest/status/1559144311815606273", "mentions": ["@23"], "hashtags": [], "date": {"$date": 1660563946000}, "timestamp": 1660589146}}, {"reference": ["https://bazaar.abuse.ch/sample/4a59ac7ae76abb86ab2e035adbe5253247a2aad9b1ce9f59b3145333e34c26f7/"], "md5": [], "sha1": [], "sha256": ["4a59ac7ae76abb86ab2e035adbe5253247a2aad9b1ce9f59b3145333e34c26f7", "b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad"], "mail": [], "ip": [], "domain": ["tria.ge"], "url": ["https://tria.ge/220815-p83f2sdge8/behavioral2"], "tweet": {"user": "x3ph1", "tweet": "Analysis of Malicious PS Script\n https://tria.ge/220815-p83f2sdge8/behavioral2\n\nMalicious PS Script Sample\n https://bazaar.abuse.ch/sample/4a59ac7ae76abb86ab2e035adbe5253247a2aad9b1ce9f59b3145333e34c26f7/\n\nNetSupport Remote Control used:\nFile:whost.exe\nHash:b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad", "id": "1559171933991833601", "retweets": 0, "link": "https://twitter.com/x3ph1/status/1559171933991833601", "mentions": [], "hashtags": [], "date": {"$date": 1660570531000}, "timestamp": 1660595731}}, {"reference": ["https://twitter.com/phishunt_io/status/1559180349569114112/photo/1"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["193.124.22.48"], "domain": ["ushsbc.online"], "url": [], "tweet": {"user": "phishunt_io", "tweet": "#NewPhishing | #phishing #scam\n\n\ud83d\udd17 /ushsbc.online/\n\ud83d\udea9 193.124.22.48\n\u2601 AEZA GROUP Ltd\n\ud83d\udd12 R3 https://twitter.com/phishunt_io/status/1559180349569114112/photo/1", "id": "1559180349569114112", "retweets": 0, "link": "https://twitter.com/phishunt_io/status/1559180349569114112", "mentions": [], "hashtags": ["#NewPhishing", "#phishing", "#scam"], "date": {"$date": 1660572538000}, "timestamp": 1660597738}}, {"reference": ["https://metadefender.opswat.com/?lang=", "https://pandasecurity.com/en/homeusers/solutions/cloud-cleaner/", "https://virustotal.com/gui/home/search", "https://eset.com/uk/home/online-scanner/"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["pandasecurity.com", "virscan.org", "eset.com", "metadefender.opswat.com", "lite.al"], "url": ["https://virscan.org", "https://lite.al/Tc-1T", "https://metadefender.opswat.com/?lang", "https://pandasecurity.com/en/homeusers/solutions/cloud-cleaner", "https://eset.com/uk/home/online-scanner"], "tweet": {"user": "Lif843", "tweet": "\u0623\u0641\u0636\u0644 6 \u0645\u0648\u0627\u0642\u0639 \u0623\u0648\u0646 \u0644\u0627\u064a\u0646 \u0639\u0644\u0649 \u0627\u0644\u0625\u0646\u062a\u0631\u0646\u062a \n\u0644\u0641\u062d\u0635 \u062c\u0647\u0627\u0632\u0643 \u0648\u0645\u0644\u0641\u0627\u062a\u0643 \n\u0648\u0625\u0632\u0627\u0644\u0629 \u0627\u0644\u0641\u064a\u0631\u0648\u0633\u0627\u062a \u0628\u062f\u0648\u0646 \u062a\u062b\u0628\u064a\u062a \u0627\u0644\u0628\u0631\u0627\u0645\u062c\n\n1- https://metadefender.opswat.com/?lang= en\n\n2 - https://virustotal.com/gui/home/search\n\n3- https://pandasecurity.com/en/homeusers/solutions/cloud-cleaner/\n\n4- https://eset.com/uk/home/online-scanner/\n\n5- https://lite.al/Tc-1T\n\n6- https://virscan.org", "id": "1559185602834202626", "retweets": 0, "link": "https://twitter.com/Lif843/status/1559185602834202626", "mentions": [], "hashtags": [], "date": {"$date": 1660573790000}, "timestamp": 1660598990}}, {"reference": ["https://bazaar.abuse.ch/sample/502c32dd4ce9820711f0840c33e7de4c69617802160870e2a4f02690ae28029c/", "https://twitter.com/0xtoxin/status/1559195426242314247/photo/1"], "md5": ["249e1ece2f90b39d9c5563282076f21f"], "sha1": [], "sha256": ["502c32dd4ce9820711f0840c33e7de4c69617802160870e2a4f02690ae28029c"], "mail": [], "ip": ["45.76.223.107"], "domain": [], "url": ["45.76.223.107:25950"], "tweet": {"user": "0xToxin", "tweet": "@ankit_anubhav @JAMESWT_MHT @malwrhunterteam @1ZRR4H @vinopaljiri @pr0xylife @executemalware C2: 45.76.223.107:25950\nBotnet: X\nAuth value: 249e1ece2f90b39d9c5563282076f21f\n\nInitial executable: https://bazaar.abuse.ch/sample/502c32dd4ce9820711f0840c33e7de4c69617802160870e2a4f02690ae28029c/\n\nRedline binary: https://bazaar.abuse.ch/sample/502c32dd4ce9820711f0840c33e7de4c69617802160870e2a4f02690ae28029c/\n\nthanks to @unpacme me for unpacking the binary in no time :) https://twitter.com/0xToxin/status/1559195426242314247/photo/1", "id": "1559195426242314247", "retweets": 1, "link": "https://twitter.com/0xToxin/status/1559195426242314247", "mentions": ["@ankit_anubhav", "@JAMESWT_MHT", "@malwrhunterteam", "@1ZRR4H", "@vinopaljiri", "@pr0xylife", "@executemalware", "@unpacme"], "hashtags": [], "date": {"$date": 1660576132000}, "timestamp": 1660601332}}, {"reference": ["https://bazaar.abuse.ch/sample/960843f7b4cf4a5905d9a2cbda9e02eba2e4e2543b3503d0d3254825e7c72dc0/"], "md5": [], "sha1": [], "sha256": ["960843f7b4cf4a5905d9a2cbda9e02eba2e4e2543b3503d0d3254825e7c72dc0"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "0xToxin", "tweet": "@ankit_anubhav @JAMESWT_MHT @malwrhunterteam @1ZRR4H @vinopaljiri @pr0xylife @executemalware @unpacme my bad. redline binary:\n https://bazaar.abuse.ch/sample/960843f7b4cf4a5905d9a2cbda9e02eba2e4e2543b3503d0d3254825e7c72dc0/", "id": "1559196659665575938", "retweets": 0, "link": "https://twitter.com/0xToxin/status/1559196659665575938", "mentions": ["@ankit_anubhav", "@JAMESWT_MHT", "@malwrhunterteam", "@1ZRR4H", "@vinopaljiri", "@pr0xylife", "@executemalware", "@unpacme"], "hashtags": [], "date": {"$date": 1660576426000}, "timestamp": 1660601626}}, {"reference": ["https://wise.com/", "https://twitter.com/xiatianguo/status/1559201214096560128/photo/1"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["wise.com"], "url": ["https://wise.com"], "tweet": {"user": "xiatianguo", "tweet": "Recently. Chinese Phishing actors and scammers seem to be trying to attack Wise (ex-TransferWise).\nBe careful!\n https://wise.com/\n#telegram #phishing #carding #cvv https://twitter.com/xiatianguo/status/1559201214096560128/photo/1", "id": "1559201214096560128", "retweets": 2, "link": "https://twitter.com/xiatianguo/status/1559201214096560128", "mentions": [], "hashtags": ["#telegram", "#phishing", "#carding", "#cvv"], "date": {"$date": 1660577512000}, "timestamp": 1660602712}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["111.161.122.17"], "domain": [], "url": [], "tweet": {"user": "h2jazi", "tweet": "@rising_chenzy @malwrhunterteam @ShadowChasing1 Yeah it could be #APT32. APT32 has used Mcafee binary to side load McVsoCfg.dll in the past which is the same in this case too. \nThe dll loads #CobaltStrike in the memory. (APT32 also used CS in its past campagins) \nC2: 111.161.122.17", "id": "1559208012698554368", "retweets": 1, "link": "https://twitter.com/h2jazi/status/1559208012698554368", "mentions": ["@rising_chenzy", "@malwrhunterteam", "@ShadowChasing1"], "hashtags": ["#APT32", "#CobaltStrike"], "date": {"$date": 1660579133000}, "timestamp": 1660604333}}, {"reference": ["https://twitter.com/cx_scs/status/1559229744310370309/photo/1", "https://www.virustotal.com/gui/file/a5a0891067218690a6986cd19c646758ee51eef48b4e904b8f46394d61a629b6/detection"], "md5": [], "sha1": [], "sha256": ["a5a0891067218690a6986cd19c646758ee51eef48b4e904b8f46394d61a629b6"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "Cx_SCS", "tweet": "Those newly released packages. imitating popular ones. are shipped with malicious .exe files encoded as base64 strings.\nPyPI has been notified. and our researchers are in the midst of the investigation. Stay tuned for their findings.\n\n https://www.virustotal.com/gui/file/a5a0891067218690a6986cd19c646758ee51eef48b4e904b8f46394d61a629b6/detection https://twitter.com/Cx_SCS/status/1559229744310370309/photo/1", "id": "1559229744310370309", "retweets": 0, "link": "https://twitter.com/Cx_SCS/status/1559229744310370309", "mentions": [], "hashtags": [], "date": {"$date": 1660584314000}, "timestamp": 1660609514}}, {"reference": ["https://bazaar.abuse.ch/sample/369d2fd7604592ad2045949574012961651ec5cf8113b5d170e7956963c44ab1/", "https://github.com/pr0xylife/icedid/blob/main/icedid_15.08.2022.txt", "https://twitter.com/pr0xylife/status/1559234481965436929/photo/1"], "md5": [], "sha1": [], "sha256": ["369d2fd7604592ad2045949574012961651ec5cf8113b5d170e7956963c44ab1"], "mail": [], "ip": [], "domain": ["yotrakeoksa.com", "uytricmpreprom.com", "plorinnoult.com", "getmeaninwurz.com", "cleanmagoza.com"], "url": [], "tweet": {"user": "pr0xylife", "tweet": "#IcedID - .zip > .iso > .lnk > .bat > wscript > .dll\n\nrundll32.exe C:\\Users\\***\\AppData\\Local\\Temp\\then\\intoYouMeHereGive.dll.#1\n\n https://bazaar.abuse.ch/sample/369d2fd7604592ad2045949574012961651ec5cf8113b5d170e7956963c44ab1/\n\nc2's\ngetmeaninwurz.com\nuytricmpreprom.com\nplorinnoult.com\nyotrakeoksa.com\ncleanmagoza.com\n\nIOC's\n https://github.com/pr0xylife/IcedID/blob/main/icedID_15.08.2022.txt https://twitter.com/pr0xylife/status/1559234481965436929/photo/1", "id": "1559234481965436929", "retweets": 25, "link": "https://twitter.com/pr0xylife/status/1559234481965436929", "mentions": [], "hashtags": ["#IcedID", "#1"], "date": {"$date": 1660585444000}, "timestamp": 1660610644}}, {"reference": ["https://bazaar.abuse.ch/sample/91f989ba53006d7710488227a800a5ee28e731cbaaa4ba71c5ab4f30c743cfe3/"], "md5": [], "sha1": [], "sha256": ["91f989ba53006d7710488227a800a5ee28e731cbaaa4ba71c5ab4f30c743cfe3"], "mail": [], "ip": ["192.227.134.72"], "domain": ["liveumusk.gq"], "url": [], "tweet": {"user": "onecert_ir", "tweet": "\ud83d\udea8#Malware Alert\nFile type: #Apk #android\nThreat name: #smsspy #spyware #Phishing\n\nPayload:\n https://bazaar.abuse.ch/sample/91f989ba53006d7710488227a800a5ee28e731cbaaa4ba71c5ab4f30c743cfe3/\n\n- C&C:\nliveumusk.gq\n\nIP : 192.227.134.72\nISP: @ColoCrossing\nRegistrar: freenom", "id": "1559253214373056513", "retweets": 0, "link": "https://twitter.com/onecert_ir/status/1559253214373056513", "mentions": ["@ColoCrossing"], "hashtags": ["#Malware", "#Apk", "#android", "#smsspy", "#spyware", "#Phishing"], "date": {"$date": 1660589910000}, "timestamp": 1660615110}}, {"reference": ["https://bazaar.abuse.ch/browse/tag/asjvyy4jvos-com/", "https://twitter.com/0xtoxin/status/1559255213260800002/photo/1", "https://github.com/0xtoxin/malware-iocs/blob/main/riskware/riskware%20-%2015082022"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["ssaiufny4yvsfdt43igov3.cn"], "url": [], "tweet": {"user": "0xToxin", "tweet": "#riskware \nG-Drive -> password protected zip -> lnk -> ps1 -> #netsupport\nVT confidence on LNK - 0/60\nC2 - ssaiufny4yvsfdt43igov3.cn:443 (alt - ssaiufny4yvsfdt43igov3.cn:443)\nFull IOC can be found here: https://github.com/0xToxin/Malware-IOCs/blob/main/Riskware/Riskware%20-%2015082022\nBazzar link: https://bazaar.abuse.ch/browse/tag/asjvyy4jvos-com/ https://twitter.com/0xToxin/status/1559255213260800002/photo/1", "id": "1559255213260800002", "retweets": 10, "link": "https://twitter.com/0xToxin/status/1559255213260800002", "mentions": [], "hashtags": ["#riskware", "#netsupport"], "date": {"$date": 1660590387000}, "timestamp": 1660615587}}, {"reference": [], "md5": ["1ce3d938f66cf051caf4c321a560db7c", "6cdd8f7311975edcfd51e3a08e28390a", "b6dc9ba009d68322a855705bdec21a52"], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["share.1drvmicrosoft.com"], "url": [], "tweet": {"user": "h2jazi", "tweet": "#DangerousPassword (CryptoCore/CryptoMymic) #APT:\n\nshare.1drvmicrosoft.com (Registered 6 days ago)\n\n1ce3d938f66cf051caf4c321a560db7c\nNew Profit Distributions. zip\n\n6cdd8f7311975edcfd51e3a08e28390a\nPassword.txt.lnk\n\nRelated:\nb6dc9ba009d68322a855705bdec21a52\nSppedUp.lnk", "id": "1559259261665943553", "retweets": 10, "link": "https://twitter.com/h2jazi/status/1559259261665943553", "mentions": [], "hashtags": ["#DangerousPassword", "#APT"], "date": {"$date": 1660591352000}, "timestamp": 1660616552}}, {"reference": ["https://www.virustotal.com/gui/file/99be6e7e31f0a1d7eebd1e45ac3b9398384c1f0fa594565137abb14dc28c8a7f"], "md5": [], "sha1": [], "sha256": ["99be6e7e31f0a1d7eebd1e45ac3b9398384c1f0fa594565137abb14dc28c8a7f"], "mail": [], "ip": [], "domain": [], "url": [], "tweet": {"user": "ArchinalLee", "tweet": "In the Talos Security report. they listed hashes of the backdoors that they found. One of these hashes can be found on @VirusTotal for more information.\n\n https://www.virustotal.com/gui/file/99be6e7e31f0a1d7eebd1e45ac3b9398384c1f0fa594565137abb14dc28c8a7f\n\n#CyberSecurity #HappyHunting #ThreatHunting #MalwareMonday", "id": "1559262509919518721", "retweets": 0, "link": "https://twitter.com/ArchinalLee/status/1559262509919518721", "mentions": ["@VirusTotal"], "hashtags": ["#CyberSecurity", "#HappyHunting", "#ThreatHunting", "#MalwareMonday"], "date": {"$date": 1660592126000}, "timestamp": 1660617326}}, {"reference": ["https://twitter.com/phishunt_io/status/1559298902951600129/photo/1"], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": ["188.114.97.3"], "domain": ["steamcommunityprice.com"], "url": [], "tweet": {"user": "phishunt_io", "tweet": "#NewPhishing | #phishing #scam\n\n\ud83d\udd17 /steamcommunityprice.com/\n\ud83d\udea9 188.114.97.3\n\u2601 CLOUDFLARENET\n\ud83d\udd12 E1 https://twitter.com/phishunt_io/status/1559298902951600129/photo/1", "id": "1559298902951600129", "retweets": 1, "link": "https://twitter.com/phishunt_io/status/1559298902951600129", "mentions": [], "hashtags": ["#NewPhishing", "#phishing", "#scam"], "date": {"$date": 1660600803000}, "timestamp": 1660626003}}, {"reference": [], "md5": [], "sha1": [], "sha256": [], "mail": [], "ip": [], "domain": ["msftconnecttest.com"], "url": ["http://msftconnecttest.com"], "tweet": {"user": "malware_traffic", "tweet": "@NerdShinobi Microsoft still controls the domain. so no one should be able to make http://msftconnecttest.com point to a bad server. If malware updates a victim's \"hosts\" file on a Windows computer. it could sneak something through that way. but that can be done for any domain.", "id": "1559308103572750336", "retweets": 0, "link": "https://twitter.com/malware_traffic/status/1559308103572750336", "mentions": ["@NerdShinobi"], "hashtags": [], "date": {"$date": 1660602997000}, "timestamp": 1660628197}}]