{ "type": "Domain", "indicator": "a2mg.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/a2mg.com", "alexa": "http://www.alexa.com/siteinfo/a2mg.com", "indicator": "a2mg.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3966739653, "indicator": "a2mg.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "66e6547f22d43d6d149cac7a", "name": "RedCap Abuse | The 1st Pulse was deleted from OTX . AlienVault", "description": "Another example of target working with a hacker impersonating some7he.sje was not. The hackers had the perfect opportunity to stay attached to Dropbox, photos. microphone and highlighted heavily targets location. || Target was suspicious about several issues related to pair. Hacker has only one piece of equipment for project. Target basically had to give him all , tips, cues and direction for project. If this Pulse is deleted I don't know what to think.", "modified": "2024-10-15T02:02:53.504000", "created": "2024-09-15T03:29:03.699000", "tags": [ "urls", "passive dns", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "process32nextw", "intel", "ms windows", "united", "pe32", "search", "module load", "t1129", "read c", "default", "path", "write", "malware", "copy", "win32", "suspicious", "unknown", "united kingdom", "set cookie", "as43350 nforce", "script urls", "as55286", "status", "cookie", "trojan", "template", "showing", "entries", "body", "ransom", "meta", "a div", "div div", "ipv4", "script script", "as16276", "france unknown", "link", "span a", "span span", "span", "class", "pragma", "servers", "creation date", "emails", "domain", "expiration date", "cname", "aaaa", "certificate", "lowfitrojan", "hstr", "jsauto25 jun", "pm lowfitrojan", "related pulses", "file samples", "files matching", "show", "endpoints all", "trojan features", "date hash", "as15169 google", "as44273 host", "september", "de indicators", "domains", "hashes", "dynamicloader", "yara detections", "enigmaprotector", "high", "bios", "dynamic", "filehash", "yaxpax", "yapaxi", "zp6axi0", "cuckoo", "name servers", "domains ii", "for privacy", "redacted for", "next", "domain address", "alienvault name", "server", "flag", "contacted hosts", "process details", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "exit node", "traffic group", "suricata", "overview ip", "address", "files location", "flag united", "hostname", "files domain", "months ago", "created", "email", "modified", "filehashsha1", "filehashsha256", "white cve", "cyber", "xamzexpires300", "twitter", "xor ddos", "xorddos", "hacktool", "bazaarloader", "redcap", "formbook", "locky", "lockbit", "ransomware", "target", "ebury", "virustotal", "crypter", "shadowpad", "corrupt", "cryptor", "android", "xrat", "xtrat", "malicious", "honeypot", "fraud", "already", "behav", "ragnar locker", "swipper", "n\u2205 ip", "write c", "msie", "windows nt", "wow64", "slcc2", "media center", "delete c", "execution", "dock", "persistence", "august", "asnone bulgaria", "sales", "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "first", "whois lookups", "dnssec", "domain name", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "date", "dns replication", "record type", "ttl value", "msms33388520", "data", "cus starizona", "cngo daddy", "authority", "g2 validity" ], "references": [ "TrojanSpy:Win32/Nivdort.DE", "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn: FileHash-SHA256 00018d13f451300fb839123dfbf2d8607da0e7b1c89ae1bfbb9946ac79c1663c", "IDS Detections: Win32/Unruy Rogue Search Host Observed 1", "Yara Detections: Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts: nids_malware_alert network_icmp persistence_autorun" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "ALF:Trojan:Win32/Cassini_ade36583", "display_name": "ALF:Trojan:Win32/Cassini_ade36583", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn", "target": null }, { "id": "Ransom:Win32/Wannaren", "display_name": "Ransom:Win32/Wannaren", "target": "/malware/Ransom:Win32/Wannaren" }, { "id": "#LowfiTrojan:JS/Auto25", "display_name": "#LowfiTrojan:JS/Auto25", "target": "/malware/#LowfiTrojan:JS/Auto25" }, { "id": "Trojan:Win32/Startpage", "display_name": "Trojan:Win32/Startpage", "target": "/malware/Trojan:Win32/Startpage" }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy", "target": null }, { "id": "Win.Packed.XtremeRAT-9837419-0", "display_name": "Win.Packed.XtremeRAT-9837419-0", "target": null }, { "id": "Win.Packed.Kelios-10023944-0", "display_name": "Win.Packed.Kelios-10023944-0", "target": null }, { "id": "Win.Trojan.Unruy-5885", "display_name": "Win.Trojan.Unruy-5885", "target": null }, { "id": "Ebury", "display_name": "Ebury", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Swipper", "display_name": "Swipper", "target": null }, { "id": "N\u2205 IP", "display_name": "N\u2205 IP", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [ "Government", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4315, "FileHash-MD5": 573, "FileHash-SHA1": 550, "FileHash-SHA256": 4114, "domain": 4757, "hostname": 2075, "SSLCertFingerprint": 5, "email": 14, "CIDR": 1 }, "indicator_count": 16404, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "595 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e00320d65236e032faa26a", "name": "Global- Injection | Phone service modification campaign - Cryprsoft", "description": "Malicious\u00bb http://www.forensickb.com/2013/03/file-entropy-explained.html | Cryptsoft | ET ,\nVirus:Win32/Sality.AT ,\nWin32:Kukacka , TrojanSpy:Win32/Nivdort.AJ , Worm:Win32/Mydoom.O!backdoor , \nWorm:Win32/Bloored , TrojanSpy:Win32/Invader.S!MSR , \nText: Mydoom spreading via SMTP 29 192.168.56.110 198.133.159.125 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 52.28.249.128 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 166.78.145.90 2016803 ET TROJAN Known Sinkhole Response Header 166.78.145.90 192.168.56.110 2018\nATT&CK | Query Registry , Modify Existing Service , Scheduled Task/Job , Process Injection , Registry Run Keys / Startup Folder , System Information Discovery , Disabling Security Tools , Modify Registry", "modified": "2024-10-10T08:03:36.798000", "created": "2024-09-10T08:28:16.120000", "tags": [ "amazonaws", "employment scam", "pe resource", "united", "as15169 google", "aaaa", "unknown", "search", "as44273 host", "passive dns", "all scoreblue", "worm", "files", "error", "code", "emails", "ireland", "poland", "high", "yara detections", "virus", "msvisualcpp2003", "high process", "injection t1055", "t1055", "icmp traffic", "pe file", "service", "win32", "copy", "tools", "cryptsoft", "nxdomain", "a br", "key management", "meta", "open", "twitter", "a domains", "cryptsoft src", "meet cryptsoft", "products a", "authority", "record value", "contact", "metro", "log id", "gmtn", "go daddy", "tls web", "arizona", "scottsdale", "ca issuers", "false", "windows nt", "msie", "read c", "ms windows", "intel", "et trojan", "pe32", "zip archive", "write", "possible", "malware", "beethoven", "et", "body", "scan endpoints", "category", "file samples", "files matching", "date hash", "phishing", "show", "t1045", "nrv2x", "lzma", "laszlo molnar", "john reiser", "antivirus", "xp sp2", "sp2 working", "alerts", "contacted", "0pgtwhu", "filehash", "february", "crack.zip", "as396982 google", "urls", "domain", "hostname", "next", "belgium unknown", "status", "name servers", "creation date", "date", "servers", "entries", "trojan", "ipv4", "pulse pulses", "ransom", "gandcrab", "active", "parking crews" ], "references": [ "Researched: http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "www.crackedmindstechnologies.com", "IDS Detections: Tempedreve Checkin Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup) Worm.Mydoom Checkin", "IDS Detections: User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "IDS Detections: Worm.Mydoom Checkin User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "relay.cryptsoft.com | smtp.cryptsoft.com\t| ghs.google.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Romania", "Netherlands", "Poland", "Belgium", "Germany", "Spain", "Italy", "Czechia", "Austria", "Bulgaria", "Canada", "United Arab Emirates" ], "malware_families": [ { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "Win32:Kukacka", "display_name": "Win32:Kukacka", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Worm:Win32/Mydoom.O!backdoor", "display_name": "Worm:Win32/Mydoom.O!backdoor", "target": "/malware/Worm:Win32/Mydoom.O!backdoor" }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.AJ", "display_name": "TrojanSpy:Win32/Nivdort.AJ", "target": "/malware/TrojanSpy:Win32/Nivdort.AJ" }, { "id": "TrojanSpy:Win32/Invader.S!MSR", "display_name": "TrojanSpy:Win32/Invader.S!MSR", "target": "/malware/TrojanSpy:Win32/Invader.S!MSR" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 220, "FileHash-MD5": 626, "FileHash-SHA1": 539, "FileHash-SHA256": 1335, "domain": 501, "hostname": 617, "email": 4, "SSLCertFingerprint": 2 }, "indicator_count": 3844, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "600 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup) Worm.Mydoom Checkin", "IDS Detections: Tempedreve Checkin Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "TrojanSpy:Win32/Nivdort.DE", "IDS Detections: User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "IDS Detections: Win32/Unruy Rogue Search Host Observed 1", "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn: FileHash-SHA256 00018d13f451300fb839123dfbf2d8607da0e7b1c89ae1bfbb9946ac79c1663c", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "IDS Detections: Worm.Mydoom Checkin User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Yara Detections: Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser", "Alerts: nids_malware_alert network_icmp persistence_autorun", "www.crackedmindstechnologies.com", "relay.cryptsoft.com | smtp.cryptsoft.com\t| ghs.google.com", "Researched: http://www.forensickb.com/2013/03/file-entropy-explained.html" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "#lowfitrojan:js/auto25", "Ransom:win32/haperlock", "Win.packed.kelios-10023944-0", "Alf:heraklezeval:trojandownloader:win32/unruy", "N\u2205 ip", "Trojanspy:win32/nivdort.aj", "Trojan:win32/startpage", "Worm:win32/bloored.e", "Win32:kukacka", "Ebury", "Ransom:win32/wannaren", "Win.trojan.unruy-5885", "Trojanspy:win32/nivdort.de", "Alf:heraklezeval:trojandownloader:win32/unruy!rfn", "Formbook", "Locky", "Alf:trojan:win32/cassini_ade36583", "Virus:win32/sality.at", "Trojanspy:win32/invader.s!msr", "Win.packed.xtremerat-9837419-0", "Worm:win32/mydoom.o!backdoor", "Gandcrab", "Et", "Swipper" ], "industries": [ "Telecommunications", "Government", "Healthcare" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "66e6547f22d43d6d149cac7a", "name": "RedCap Abuse | The 1st Pulse was deleted from OTX . AlienVault", "description": "Another example of target working with a hacker impersonating some7he.sje was not. The hackers had the perfect opportunity to stay attached to Dropbox, photos. microphone and highlighted heavily targets location. || Target was suspicious about several issues related to pair. Hacker has only one piece of equipment for project. Target basically had to give him all , tips, cues and direction for project. If this Pulse is deleted I don't know what to think.", "modified": "2024-10-15T02:02:53.504000", "created": "2024-09-15T03:29:03.699000", "tags": [ "urls", "passive dns", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "process32nextw", "intel", "ms windows", "united", "pe32", "search", "module load", "t1129", "read c", "default", "path", "write", "malware", "copy", "win32", "suspicious", "unknown", "united kingdom", "set cookie", "as43350 nforce", "script urls", "as55286", "status", "cookie", "trojan", "template", "showing", "entries", "body", "ransom", "meta", "a div", "div div", "ipv4", "script script", "as16276", "france unknown", "link", "span a", "span span", "span", "class", "pragma", "servers", "creation date", "emails", "domain", "expiration date", "cname", "aaaa", "certificate", "lowfitrojan", "hstr", "jsauto25 jun", "pm lowfitrojan", "related pulses", "file samples", "files matching", "show", "endpoints all", "trojan features", "date hash", "as15169 google", "as44273 host", "september", "de indicators", "domains", "hashes", "dynamicloader", "yara detections", "enigmaprotector", "high", "bios", "dynamic", "filehash", "yaxpax", "yapaxi", "zp6axi0", "cuckoo", "name servers", "domains ii", "for privacy", "redacted for", "next", "domain address", "alienvault name", "server", "flag", "contacted hosts", "process details", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "exit node", "traffic group", "suricata", "overview ip", "address", "files location", "flag united", "hostname", "files domain", "months ago", "created", "email", "modified", "filehashsha1", "filehashsha256", "white cve", "cyber", "xamzexpires300", "twitter", "xor ddos", "xorddos", "hacktool", "bazaarloader", "redcap", "formbook", "locky", "lockbit", "ransomware", "target", "ebury", "virustotal", "crypter", "shadowpad", "corrupt", "cryptor", "android", "xrat", "xtrat", "malicious", "honeypot", "fraud", "already", "behav", "ragnar locker", "swipper", "n\u2205 ip", "write c", "msie", "windows nt", "wow64", "slcc2", "media center", "delete c", "execution", "dock", "persistence", "august", "asnone bulgaria", "sales", "algorithm", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "first", "whois lookups", "dnssec", "domain name", "abuse contact", "registrar abuse", "contact phone", "registrar iana", "date", "dns replication", "record type", "ttl value", "msms33388520", "data", "cus starizona", "cngo daddy", "authority", "g2 validity" ], "references": [ "TrojanSpy:Win32/Nivdort.DE", "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn: FileHash-SHA256 00018d13f451300fb839123dfbf2d8607da0e7b1c89ae1bfbb9946ac79c1663c", "IDS Detections: Win32/Unruy Rogue Search Host Observed 1", "Yara Detections: Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts: nids_malware_alert network_icmp persistence_autorun" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "ALF:Trojan:Win32/Cassini_ade36583", "display_name": "ALF:Trojan:Win32/Cassini_ade36583", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy!rfn", "target": null }, { "id": "Ransom:Win32/Wannaren", "display_name": "Ransom:Win32/Wannaren", "target": "/malware/Ransom:Win32/Wannaren" }, { "id": "#LowfiTrojan:JS/Auto25", "display_name": "#LowfiTrojan:JS/Auto25", "target": "/malware/#LowfiTrojan:JS/Auto25" }, { "id": "Trojan:Win32/Startpage", "display_name": "Trojan:Win32/Startpage", "target": "/malware/Trojan:Win32/Startpage" }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Unruy", "target": null }, { "id": "Win.Packed.XtremeRAT-9837419-0", "display_name": "Win.Packed.XtremeRAT-9837419-0", "target": null }, { "id": "Win.Packed.Kelios-10023944-0", "display_name": "Win.Packed.Kelios-10023944-0", "target": null }, { "id": "Win.Trojan.Unruy-5885", "display_name": "Win.Trojan.Unruy-5885", "target": null }, { "id": "Ebury", "display_name": "Ebury", "target": null }, { "id": "FormBook", "display_name": "FormBook", "target": null }, { "id": "Swipper", "display_name": "Swipper", "target": null }, { "id": "N\u2205 IP", "display_name": "N\u2205 IP", "target": null }, { "id": "Locky", "display_name": "Locky", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [ "Government", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4315, "FileHash-MD5": 573, "FileHash-SHA1": 550, "FileHash-SHA256": 4114, "domain": 4757, "hostname": 2075, "SSLCertFingerprint": 5, "email": 14, "CIDR": 1 }, "indicator_count": 16404, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "595 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e00320d65236e032faa26a", "name": "Global- Injection | Phone service modification campaign - Cryprsoft", "description": "Malicious\u00bb http://www.forensickb.com/2013/03/file-entropy-explained.html | Cryptsoft | ET ,\nVirus:Win32/Sality.AT ,\nWin32:Kukacka , TrojanSpy:Win32/Nivdort.AJ , Worm:Win32/Mydoom.O!backdoor , \nWorm:Win32/Bloored , TrojanSpy:Win32/Invader.S!MSR , \nText: Mydoom spreading via SMTP 29 192.168.56.110 198.133.159.125 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 52.28.249.128 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 166.78.145.90 2016803 ET TROJAN Known Sinkhole Response Header 166.78.145.90 192.168.56.110 2018\nATT&CK | Query Registry , Modify Existing Service , Scheduled Task/Job , Process Injection , Registry Run Keys / Startup Folder , System Information Discovery , Disabling Security Tools , Modify Registry", "modified": "2024-10-10T08:03:36.798000", "created": "2024-09-10T08:28:16.120000", "tags": [ "amazonaws", "employment scam", "pe resource", "united", "as15169 google", "aaaa", "unknown", "search", "as44273 host", "passive dns", "all scoreblue", "worm", "files", "error", "code", "emails", "ireland", "poland", "high", "yara detections", "virus", "msvisualcpp2003", "high process", "injection t1055", "t1055", "icmp traffic", "pe file", "service", "win32", "copy", "tools", "cryptsoft", "nxdomain", "a br", "key management", "meta", "open", "twitter", "a domains", "cryptsoft src", "meet cryptsoft", "products a", "authority", "record value", "contact", "metro", "log id", "gmtn", "go daddy", "tls web", "arizona", "scottsdale", "ca issuers", "false", "windows nt", "msie", "read c", "ms windows", "intel", "et trojan", "pe32", "zip archive", "write", "possible", "malware", "beethoven", "et", "body", "scan endpoints", "category", "file samples", "files matching", "date hash", "phishing", "show", "t1045", "nrv2x", "lzma", "laszlo molnar", "john reiser", "antivirus", "xp sp2", "sp2 working", "alerts", "contacted", "0pgtwhu", "filehash", "february", "crack.zip", "as396982 google", "urls", "domain", "hostname", "next", "belgium unknown", "status", "name servers", "creation date", "date", "servers", "entries", "trojan", "ipv4", "pulse pulses", "ransom", "gandcrab", "active", "parking crews" ], "references": [ "Researched: http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "www.crackedmindstechnologies.com", "IDS Detections: Tempedreve Checkin Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup) Worm.Mydoom Checkin", "IDS Detections: User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "IDS Detections: Worm.Mydoom Checkin User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "relay.cryptsoft.com | smtp.cryptsoft.com\t| ghs.google.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Romania", "Netherlands", "Poland", "Belgium", "Germany", "Spain", "Italy", "Czechia", "Austria", "Bulgaria", "Canada", "United Arab Emirates" ], "malware_families": [ { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "Win32:Kukacka", "display_name": "Win32:Kukacka", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Worm:Win32/Mydoom.O!backdoor", "display_name": "Worm:Win32/Mydoom.O!backdoor", "target": "/malware/Worm:Win32/Mydoom.O!backdoor" }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.AJ", "display_name": "TrojanSpy:Win32/Nivdort.AJ", "target": "/malware/TrojanSpy:Win32/Nivdort.AJ" }, { "id": "TrojanSpy:Win32/Invader.S!MSR", "display_name": "TrojanSpy:Win32/Invader.S!MSR", "target": "/malware/TrojanSpy:Win32/Invader.S!MSR" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 220, "FileHash-MD5": 626, "FileHash-SHA1": 539, "FileHash-SHA256": 1335, "domain": 501, "hostname": 617, "email": 4, "SSLCertFingerprint": 2 }, "indicator_count": 3844, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "600 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "a2mg.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "a2mg.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780423866.5834067 }