{ "type": "Domain", "indicator": "applyforms.me", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/applyforms.me", "alexa": "http://www.alexa.com/siteinfo/applyforms.me", "indicator": "applyforms.me", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3907713988, "indicator": "applyforms.me", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "66e00320d65236e032faa26a", "name": "Global- Injection | Phone service modification campaign - Cryprsoft", "description": "Malicious\u00bb http://www.forensickb.com/2013/03/file-entropy-explained.html | Cryptsoft | ET ,\nVirus:Win32/Sality.AT ,\nWin32:Kukacka , TrojanSpy:Win32/Nivdort.AJ , Worm:Win32/Mydoom.O!backdoor , \nWorm:Win32/Bloored , TrojanSpy:Win32/Invader.S!MSR , \nText: Mydoom spreading via SMTP 29 192.168.56.110 198.133.159.125 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 52.28.249.128 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 166.78.145.90 2016803 ET TROJAN Known Sinkhole Response Header 166.78.145.90 192.168.56.110 2018\nATT&CK | Query Registry , Modify Existing Service , Scheduled Task/Job , Process Injection , Registry Run Keys / Startup Folder , System Information Discovery , Disabling Security Tools , Modify Registry", "modified": "2024-10-10T08:03:36.798000", "created": "2024-09-10T08:28:16.120000", "tags": [ "amazonaws", "employment scam", "pe resource", "united", "as15169 google", "aaaa", "unknown", "search", "as44273 host", "passive dns", "all scoreblue", "worm", "files", "error", "code", "emails", "ireland", "poland", "high", "yara detections", "virus", "msvisualcpp2003", "high process", "injection t1055", "t1055", "icmp traffic", "pe file", "service", "win32", "copy", "tools", "cryptsoft", "nxdomain", "a br", "key management", "meta", "open", "twitter", "a domains", "cryptsoft src", "meet cryptsoft", "products a", "authority", "record value", "contact", "metro", "log id", "gmtn", "go daddy", "tls web", "arizona", "scottsdale", "ca issuers", "false", "windows nt", "msie", "read c", "ms windows", "intel", "et trojan", "pe32", "zip archive", "write", "possible", "malware", "beethoven", "et", "body", "scan endpoints", "category", "file samples", "files matching", "date hash", "phishing", "show", "t1045", "nrv2x", "lzma", "laszlo molnar", "john reiser", "antivirus", "xp sp2", "sp2 working", "alerts", "contacted", "0pgtwhu", "filehash", "february", "crack.zip", "as396982 google", "urls", "domain", "hostname", "next", "belgium unknown", "status", "name servers", "creation date", "date", "servers", "entries", "trojan", "ipv4", "pulse pulses", "ransom", "gandcrab", "active", "parking crews" ], "references": [ "Researched: http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "www.crackedmindstechnologies.com", "IDS Detections: Tempedreve Checkin Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup) Worm.Mydoom Checkin", "IDS Detections: User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "IDS Detections: Worm.Mydoom Checkin User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "relay.cryptsoft.com | smtp.cryptsoft.com\t| ghs.google.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Romania", "Netherlands", "Poland", "Belgium", "Germany", "Spain", "Italy", "Czechia", "Austria", "Bulgaria", "Canada", "United Arab Emirates" ], "malware_families": [ { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "Win32:Kukacka", "display_name": "Win32:Kukacka", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Worm:Win32/Mydoom.O!backdoor", "display_name": "Worm:Win32/Mydoom.O!backdoor", "target": "/malware/Worm:Win32/Mydoom.O!backdoor" }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.AJ", "display_name": "TrojanSpy:Win32/Nivdort.AJ", "target": "/malware/TrojanSpy:Win32/Nivdort.AJ" }, { "id": "TrojanSpy:Win32/Invader.S!MSR", "display_name": "TrojanSpy:Win32/Invader.S!MSR", "target": "/malware/TrojanSpy:Win32/Invader.S!MSR" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 220, "FileHash-MD5": 626, "FileHash-SHA1": 539, "FileHash-SHA256": 1335, "domain": 501, "hostname": 617, "email": 4, "SSLCertFingerprint": 2 }, "indicator_count": 3844, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "600 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6671e5844c155814e69ba4dd", "name": "Mirai Botnet Injection affecting Alienvault.", "description": "It's unclear if some users or service itself is injecting users or if service is under a Mirai attack. I found evidence of both outbound & inbound activities. *Crowdsourced context: Activity related to MIRAI - according to source Cluster25 - \nThis IPV4 is used by MIRAI. Mirai is a malware that created a big botnet of networked devices running Linux making them remotely controlled bots that can be used for large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.\n#zbetcheckin tracker\nDownloaded on 2023-11-07 19:34:59 UTC\nSRC URL : http://171.228.209.167/x86_64\nIP : 171.228.209.167\nAS : AS7552 Viettel Group\nYARA : #contentis_base64 #debuggerpattern__rdtsc #ip #math_entropy_6 #is__elf #http #ft_elf #executable_elf64", "modified": "2024-07-18T19:02:50.386000", "created": "2024-06-18T19:52:36.849000", "tags": [ "problems", "threat network", "infrastructure", "historical ssl", "microsoft stuff", "domain check", "referrer", "generic malware", "injector", "no data", "tag count", "fri mar", "analyzer threat", "ip summary", "url summary", "summary", "downloader", "generic", "united", "as14315", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "files", "america asn", "unknown", "ransom", "body", "coinminer", "malware generic", "wed jan", "first", "status", "creation date", "search", "date", "expiration date", "name servers", "next", "mirai", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "reverse dns", "location lao", "viet nam", "domain", "all search", "otx scoreblue", "hostname", "files ip", "lazarus", "as7552 viettel", "vietnam unknown", "win32", "worm", "win32sfone jul", "vietnam", "etag", "telecom", "as16625 akamai", "as20940", "germany", "united kingdom", "singapore", "as20546 soprado", "hong kong", "as45102 alibaba", "taobao network", "cname", "aaaa", "entries", "showing", "a domains", "as38731 vietel", "plesk", "a li", "default page", "plesk a", "mirai variant", "useragent", "apache", "accept", "hello", "create c", "read c", "delete", "write", "default", "create", "show", "medium", "dock", "execution", "copy", "xport", "address", "as131392", "cape", "orsam", "malware", "script urls", "moved", "record value", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malicious site", "phishing site", "malicious url", "opencandy", "exploit", "agent", "phishing", "acint", "iframe", "crack", "conduit", "artemis", "riskware", "mimikatz", "swrort", "downldr", "systweak", "behav", "tiggre", "genkryptik", "presenoker", "filetour", "cleaner", "wacatac", "outbreak", "installcore", "iobit", "rostpay", "dropper", "mediaget", "related pulses", "whois", "related", "msil", "zombie", "dridex", "location viet", "pulse submit", "url analysis", "content", "google tag", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "deep malware", "iframes", "trackers", "external-resources", "text/html", "elf info", "header class", "elf64 data", "header version", "os abi", "unix", "v object", "file type", "exec", "executable file", "progbits", "type address", "offset size", "flags", "null", "nobits", "strtab", "ip detections", "country", "us bundled", "detections file", "name", "graph summary", "get hello", "jaws webserver", "outbound", "mvpower dvr", "shell uce", "inbound", "activity mirai", "mirai", "info", "performs dns", "mitre att", "access ta0006", "os credential", "dumping t1003", "enumerates", "command", "control ta0011", "protocol t1071", "protocol t1095", "relacionada", "mirai malware", "mirai 04022024", "nciipc", "ip reputaion", "msie", "windows nt", "slcc2", "media center", "china as37963", "simplified", "trojanspy", "virustotal", "panda", "detections type", "shell", "javascript", "dns replication", "files referring", "lookups", "as7552", "vhash", "ssdeep", "magic elf", "sysv", "trid elf", "executable", "linux", "elf executable", "loccel1", "echobot", "bashlite", "malwarebazaar", "echobot malware", "win32 exe", "magic msdos", "pe32 executable", "intel", "ms windows", "trid dos", "compiler", "delphi", "serial number", "algorithm", "thumbprint", "valid from", "code signing", "from", "microsoft root", "name microsoft", "verisign time", "stamping", "contained", "info sections", "name virtual", "address virtual", "size raw", "size entropy", "md5 chi2", "regsetvalueexa", "type rtrcdata", "sha256 file", "threat roundup", "october", "august", "june", "september", "highly targeted", "cyberstalking", "round", "december", "sneaky server", "facebook", "stealer", "agent tesla", "pony", "april", "whitelisted", "encrypt", "targeting", "tsara brashears", "otx", "alienvault", "memcommit", "regsz", "regopenkeyexw", "english", "module load", "t1129", "t1082", "windows module", "dlls", "redline stealer", "updater", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "data redacted", "cloudflare", "redacted", "for privacy", "code", "server", "registrar abuse", "redacted for", "postal code", "registrant name", "red team", "shit", "logistics", "cyber defense", "gootloader", "march", "sinkhole", "just", "ramnit", "netsupport rat", "microsoft", "vault", "karen", "gifts", "hidden privacy", "threats", "malicious", "darkgate", "core", "hacktool", "emotet" ], "references": [ "https://botnet.ngocronglau.xyz > link discovered by an Alienvault user who notified me they found it researching message from am active user.", "https://otx.alienvault.com/indicator/file/02b19639ad1efa59e77f45d130447c05bd2466e26a657cb9cc6ac2e8b30a0026", "https://otx.alienvault.com/indicator/file/001546d210a35b7c4c072b6c265f621cf4a9abdd152741d9b58deae2be204355", "https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "Unix.Mirai Botnet: https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "CnC IP: https://otx.alienvault.com/indicator/ip/142.202.242.45", "https://otx.alienvault.com/indicator/domain/bunny.net", "https://otx.alienvault.com/indicator/ip/210.211.117.205", "https://otx.alienvault.com/indicator/ip/143.244.50.212", "https://otx.alienvault.com/indicator/ip/125.235.4.59", "AV Detection: ELF:Mirai-GH\\ [Trj]", "IDS Detections: MVPower DVR Shell UCE Mirai | Variant User-Agent (Outbound) JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: Huawei Remote Command Execution (CVE-2017-17215) Huawei Remote Command Execution - Outbound (CVE-2017-17215) Huawei HG532 RCE Vulnerability (CVE-2017-17215) Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World) 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST", "IDS Detections: Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World)", "IDS Detections: 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST) ...", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication network_cnc_http network_http p2p_cnc writes_to_stdout", "Matches rule Linux_Trojan_Mirai_6a77af0f from ruleset Linux_Trojan_Mirai by Elastic Security | botnet.ngocronglau.xyz", "https://otx.alienvault.com/indicator/file/2b5deac6176124ee1f7d237f070c39b03c964fce9a9fba0aaa1bce102710d2e0", "cu-payment-porch.pdv-3.ap-southeast-2.production.jet-external.com | qa.proxy.cognito.tigomoney.io | https://trackon.fr/track/clique", "Crowdsourced YARA rules Matches: rule INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "Crowdsourced YARA rules Matches: INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "Crowdsourced YARA rules Matches: SUSP_Unsigned_OSPPSVC from ruleset gen_sign_anomalies by Florian Roth (Nextron Systems", "Crowdsourced YARA rules Matches: IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems)", "Crowdsourced YARA rules Matches: Matches rule IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com", "Was anyone else notified? I'm not sure why I was.", "Through research I did notice many references to target I'm researching for. Phishing/Injection attempt? I didn't click on links.", "CS Sigma: Matches rule Python Initiated Connection by frack113" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null }, { "id": "ALF:E5.SpikeAex.rhh_mcv", "display_name": "ALF:E5.SpikeAex.rhh_mcv", "target": null }, { "id": "Win.Dropper.Bulz-9910065-0", "display_name": "Win.Dropper.Bulz-9910065-0", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Win.Dropper.Autoit-6688751-0", "display_name": "Win.Dropper.Autoit-6688751-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Win.Dropper.Dridex-9986041-0", "display_name": "Win.Dropper.Dridex-9986041-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Zombie", "display_name": "ALF:HeraklezEval:Trojan:Win32/Zombie", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Worm:Win32/Sfone.A", "display_name": "Worm:Win32/Sfone.A", "target": "/malware/Worm:Win32/Sfone.A" }, { "id": "Worm:Win32/Sfone", "display_name": "Worm:Win32/Sfone", "target": "/malware/Worm:Win32/Sfone" }, { "id": "Win.Malware.Bbabdcdc-7358312-0", "display_name": "Win.Malware.Bbabdcdc-7358312-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "trojan.mirai/fszhh", "display_name": "trojan.mirai/fszhh", "target": null }, { "id": "DDOS:Linux/Mirai", "display_name": "DDOS:Linux/Mirai", "target": "/malware/DDOS:Linux/Mirai" }, { "id": "ANDROID/AVE.Mirai.fszhh", "display_name": "ANDROID/AVE.Mirai.fszhh", "target": null }, { "id": "Flyagent L", "display_name": "Flyagent L", "target": null }, { "id": "Win-Trojan/Malpacked5.Gen", "display_name": "Win-Trojan/Malpacked5.Gen", "target": null }, { "id": "Atros3.LDJ", "display_name": "Atros3.LDJ", "target": null }, { "id": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted", "display_name": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted", "target": null }, { "id": "TrojanSpy:Win32/Gucotut.A", "display_name": "TrojanSpy:Win32/Gucotut.A", "target": "/malware/TrojanSpy:Win32/Gucotut.A" }, { "id": "W32/Pidgeon-A", "display_name": "W32/Pidgeon-A", "target": null }, { "id": "Variant.Zusy.151902", "display_name": "Variant.Zusy.151902", "target": null }, { "id": "trojan.mirai/fedr", "display_name": "trojan.mirai/fedr", "target": null }, { "id": "Win.Malware.Trojanx-9862538-0", "display_name": "Win.Malware.Trojanx-9862538-0", "target": null }, { "id": "Win32:PWSX-gen\\ [Trj]", "display_name": "Win32:PWSX-gen\\ [Trj]", "target": null }, { "id": "virus.ramnit/nimnul", "display_name": "virus.ramnit/nimnul", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 351, "FileHash-SHA1": 349, "FileHash-SHA256": 3715, "domain": 3326, "hostname": 5200, "URL": 13151, "email": 9, "CVE": 7, "CIDR": 2 }, "indicator_count": 26110, "is_author": false, "is_subscribing": null, "subscriber_count": 249, "modified_text": "683 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "IDS Detections: MVPower DVR Shell UCE Mirai | Variant User-Agent (Outbound) JAWS Webserver Unauthenticated Shell Command Execution", "Unix.Mirai Botnet: https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "Researched: http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://otx.alienvault.com/indicator/ip/210.211.117.205", "Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup) Worm.Mydoom Checkin", "wallpapers-nature.com", "IDS Detections: Huawei Remote Command Execution (CVE-2017-17215) Huawei Remote Command Execution - Outbound (CVE-2017-17215) Huawei HG532 RCE Vulnerability (CVE-2017-17215) Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World) 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST", "https://otx.alienvault.com/indicator/file/001546d210a35b7c4c072b6c265f621cf4a9abdd152741d9b58deae2be204355", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "CnC IP: https://otx.alienvault.com/indicator/ip/142.202.242.45", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "IDS Detections: Worm.Mydoom Checkin User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin", "https://otx.alienvault.com/indicator/ip/125.235.4.59", "https://otx.alienvault.com/indicator/domain/bunny.net", "IDS Detections: Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World)", "Crowdsourced YARA rules Matches: SUSP_Unsigned_OSPPSVC from ruleset gen_sign_anomalies by Florian Roth (Nextron Systems", "https://otx.alienvault.com/indicator/file/02b19639ad1efa59e77f45d130447c05bd2466e26a657cb9cc6ac2e8b30a0026", "CS Sigma: Matches rule Python Initiated Connection by frack113", "relay.cryptsoft.com | smtp.cryptsoft.com\t| ghs.google.com", "https://otx.alienvault.com/indicator/ip/143.244.50.212", "IDS Detections: 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST) ...", "https://botnet.ngocronglau.xyz > link discovered by an Alienvault user who notified me they found it researching message from am active user.", "https://otx.alienvault.com/indicator/file/2b5deac6176124ee1f7d237f070c39b03c964fce9a9fba0aaa1bce102710d2e0", "Crowdsourced YARA rules Matches: Matches rule IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems", "IDS Detections: User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "Matches rule Linux_Trojan_Mirai_6a77af0f from ruleset Linux_Trojan_Mirai by Elastic Security | botnet.ngocronglau.xyz", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "AV Detection: ELF:Mirai-GH\\ [Trj]", "Crowdsourced YARA rules Matches: IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems)", "IDS Detections: Tempedreve Checkin Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Crowdsourced YARA rules Matches: rule INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "www.crackedmindstechnologies.com", "Was anyone else notified? I'm not sure why I was.", "cu-payment-porch.pdv-3.ap-southeast-2.production.jet-external.com | qa.proxy.cognito.tigomoney.io | https://trackon.fr/track/clique", "Crowdsourced YARA rules Matches: INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication network_cnc_http network_http p2p_cnc writes_to_stdout", "Through research I did notice many references to target I'm researching for. Phishing/Injection attempt? I didn't click on links." ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Ddos:linux/mirai", "A variant of win32/flystudio.packed.ad potentially unwanted", "Win.dropper.dridex-9986041-0", "Variant.zusy.151902", "Worm:win32/bloored.e", "Worm:win32/mydoom.o!backdoor", "Alf:e5.spikeaex.rhh_mcv", "Alf:heraklezeval:trojan:win32/clipbanker", "Elf:mirai-gh\\ [trj]", "Win32:kukacka", "Atros3.ldj", "Win-trojan/malpacked5.gen", "Win32:pwsx-gen\\ [trj]", "W32/pidgeon-a", "Worm:win32/sfone", "Win.malware.trojanx-9862538-0", "Trojanspy:win32/invader.s!msr", "Trojanspy:win32/gucotut.a", "Trojanspy:win32/nivdort.aj", "Alf:heraklezeval:trojan:win32/zombie", "Trojan.mirai/fedr", "Win32:trojan-gen", "Et", "Unix.trojan.mirai-9441505-0", "Gandcrab", "Win.packer.pkr_ce1a-9980177-0", "Win.dropper.bulz-9910065-0", "Win.malware.bbabdcdc-7358312-0", "Worm:win32/sfone.a", "Generic", "Trojan.mirai/fszhh", "Win32:malware-gen", "Virus:win32/sality.at", "Win.dropper.autoit-6688751-0", "Android/ave.mirai.fszhh", "Flyagent l", "Virus.ramnit/nimnul" ], "industries": [ "Telecommunications" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "66e00320d65236e032faa26a", "name": "Global- Injection | Phone service modification campaign - Cryprsoft", "description": "Malicious\u00bb http://www.forensickb.com/2013/03/file-entropy-explained.html | Cryptsoft | ET ,\nVirus:Win32/Sality.AT ,\nWin32:Kukacka , TrojanSpy:Win32/Nivdort.AJ , Worm:Win32/Mydoom.O!backdoor , \nWorm:Win32/Bloored , TrojanSpy:Win32/Invader.S!MSR , \nText: Mydoom spreading via SMTP 29 192.168.56.110 198.133.159.125 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 52.28.249.128 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 166.78.145.90 2016803 ET TROJAN Known Sinkhole Response Header 166.78.145.90 192.168.56.110 2018\nATT&CK | Query Registry , Modify Existing Service , Scheduled Task/Job , Process Injection , Registry Run Keys / Startup Folder , System Information Discovery , Disabling Security Tools , Modify Registry", "modified": "2024-10-10T08:03:36.798000", "created": "2024-09-10T08:28:16.120000", "tags": [ "amazonaws", "employment scam", "pe resource", "united", "as15169 google", "aaaa", "unknown", "search", "as44273 host", "passive dns", "all scoreblue", "worm", "files", "error", "code", "emails", "ireland", "poland", "high", "yara detections", "virus", "msvisualcpp2003", "high process", "injection t1055", "t1055", "icmp traffic", "pe file", "service", "win32", "copy", "tools", "cryptsoft", "nxdomain", "a br", "key management", "meta", "open", "twitter", "a domains", "cryptsoft src", "meet cryptsoft", "products a", "authority", "record value", "contact", "metro", "log id", "gmtn", "go daddy", "tls web", "arizona", "scottsdale", "ca issuers", "false", "windows nt", "msie", "read c", "ms windows", "intel", "et trojan", "pe32", "zip archive", "write", "possible", "malware", "beethoven", "et", "body", "scan endpoints", "category", "file samples", "files matching", "date hash", "phishing", "show", "t1045", "nrv2x", "lzma", "laszlo molnar", "john reiser", "antivirus", "xp sp2", "sp2 working", "alerts", "contacted", "0pgtwhu", "filehash", "february", "crack.zip", "as396982 google", "urls", "domain", "hostname", "next", "belgium unknown", "status", "name servers", "creation date", "date", "servers", "entries", "trojan", "ipv4", "pulse pulses", "ransom", "gandcrab", "active", "parking crews" ], "references": [ "Researched: http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "www.crackedmindstechnologies.com", "IDS Detections: Tempedreve Checkin Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup) Worm.Mydoom Checkin", "IDS Detections: User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "IDS Detections: Worm.Mydoom Checkin User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "relay.cryptsoft.com | smtp.cryptsoft.com\t| ghs.google.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Romania", "Netherlands", "Poland", "Belgium", "Germany", "Spain", "Italy", "Czechia", "Austria", "Bulgaria", "Canada", "United Arab Emirates" ], "malware_families": [ { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "Win32:Kukacka", "display_name": "Win32:Kukacka", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Worm:Win32/Mydoom.O!backdoor", "display_name": "Worm:Win32/Mydoom.O!backdoor", "target": "/malware/Worm:Win32/Mydoom.O!backdoor" }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.AJ", "display_name": "TrojanSpy:Win32/Nivdort.AJ", "target": "/malware/TrojanSpy:Win32/Nivdort.AJ" }, { "id": "TrojanSpy:Win32/Invader.S!MSR", "display_name": "TrojanSpy:Win32/Invader.S!MSR", "target": "/malware/TrojanSpy:Win32/Invader.S!MSR" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 220, "FileHash-MD5": 626, "FileHash-SHA1": 539, "FileHash-SHA256": 1335, "domain": 501, "hostname": 617, "email": 4, "SSLCertFingerprint": 2 }, "indicator_count": 3844, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "600 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6671e5844c155814e69ba4dd", "name": "Mirai Botnet Injection affecting Alienvault.", "description": "It's unclear if some users or service itself is injecting users or if service is under a Mirai attack. I found evidence of both outbound & inbound activities. *Crowdsourced context: Activity related to MIRAI - according to source Cluster25 - \nThis IPV4 is used by MIRAI. Mirai is a malware that created a big botnet of networked devices running Linux making them remotely controlled bots that can be used for large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.\n#zbetcheckin tracker\nDownloaded on 2023-11-07 19:34:59 UTC\nSRC URL : http://171.228.209.167/x86_64\nIP : 171.228.209.167\nAS : AS7552 Viettel Group\nYARA : #contentis_base64 #debuggerpattern__rdtsc #ip #math_entropy_6 #is__elf #http #ft_elf #executable_elf64", "modified": "2024-07-18T19:02:50.386000", "created": "2024-06-18T19:52:36.849000", "tags": [ "problems", "threat network", "infrastructure", "historical ssl", "microsoft stuff", "domain check", "referrer", "generic malware", "injector", "no data", "tag count", "fri mar", "analyzer threat", "ip summary", "url summary", "summary", "downloader", "generic", "united", "as14315", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "files", "america asn", "unknown", "ransom", "body", "coinminer", "malware generic", "wed jan", "first", "status", "creation date", "search", "date", "expiration date", "name servers", "next", "mirai", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "reverse dns", "location lao", "viet nam", "domain", "all search", "otx scoreblue", "hostname", "files ip", "lazarus", "as7552 viettel", "vietnam unknown", "win32", "worm", "win32sfone jul", "vietnam", "etag", "telecom", "as16625 akamai", "as20940", "germany", "united kingdom", "singapore", "as20546 soprado", "hong kong", "as45102 alibaba", "taobao network", "cname", "aaaa", "entries", "showing", "a domains", "as38731 vietel", "plesk", "a li", "default page", "plesk a", "mirai variant", "useragent", "apache", "accept", "hello", "create c", "read c", "delete", "write", "default", "create", "show", "medium", "dock", "execution", "copy", "xport", "address", "as131392", "cape", "orsam", "malware", "script urls", "moved", "record value", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malicious site", "phishing site", "malicious url", "opencandy", "exploit", "agent", "phishing", "acint", "iframe", "crack", "conduit", "artemis", "riskware", "mimikatz", "swrort", "downldr", "systweak", "behav", "tiggre", "genkryptik", "presenoker", "filetour", "cleaner", "wacatac", "outbreak", "installcore", "iobit", "rostpay", "dropper", "mediaget", "related pulses", "whois", "related", "msil", "zombie", "dridex", "location viet", "pulse submit", "url analysis", "content", "google tag", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "deep malware", "iframes", "trackers", "external-resources", "text/html", "elf info", "header class", "elf64 data", "header version", "os abi", "unix", "v object", "file type", "exec", "executable file", "progbits", "type address", "offset size", "flags", "null", "nobits", "strtab", "ip detections", "country", "us bundled", "detections file", "name", "graph summary", "get hello", "jaws webserver", "outbound", "mvpower dvr", "shell uce", "inbound", "activity mirai", "mirai", "info", "performs dns", "mitre att", "access ta0006", "os credential", "dumping t1003", "enumerates", "command", "control ta0011", "protocol t1071", "protocol t1095", "relacionada", "mirai malware", "mirai 04022024", "nciipc", "ip reputaion", "msie", "windows nt", "slcc2", "media center", "china as37963", "simplified", "trojanspy", "virustotal", "panda", "detections type", "shell", "javascript", "dns replication", "files referring", "lookups", "as7552", "vhash", "ssdeep", "magic elf", "sysv", "trid elf", "executable", "linux", "elf executable", "loccel1", "echobot", "bashlite", "malwarebazaar", "echobot malware", "win32 exe", "magic msdos", "pe32 executable", "intel", "ms windows", "trid dos", "compiler", "delphi", "serial number", "algorithm", "thumbprint", "valid from", "code signing", "from", "microsoft root", "name microsoft", "verisign time", "stamping", "contained", "info sections", "name virtual", "address virtual", "size raw", "size entropy", "md5 chi2", "regsetvalueexa", "type rtrcdata", "sha256 file", "threat roundup", "october", "august", "june", "september", "highly targeted", "cyberstalking", "round", "december", "sneaky server", "facebook", "stealer", "agent tesla", "pony", "april", "whitelisted", "encrypt", "targeting", "tsara brashears", "otx", "alienvault", "memcommit", "regsz", "regopenkeyexw", "english", "module load", "t1129", "t1082", "windows module", "dlls", "redline stealer", "updater", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "data redacted", "cloudflare", "redacted", "for privacy", "code", "server", "registrar abuse", "redacted for", "postal code", "registrant name", "red team", "shit", "logistics", "cyber defense", "gootloader", "march", "sinkhole", "just", "ramnit", "netsupport rat", "microsoft", "vault", "karen", "gifts", "hidden privacy", "threats", "malicious", "darkgate", "core", "hacktool", "emotet" ], "references": [ "https://botnet.ngocronglau.xyz > link discovered by an Alienvault user who notified me they found it researching message from am active user.", "https://otx.alienvault.com/indicator/file/02b19639ad1efa59e77f45d130447c05bd2466e26a657cb9cc6ac2e8b30a0026", "https://otx.alienvault.com/indicator/file/001546d210a35b7c4c072b6c265f621cf4a9abdd152741d9b58deae2be204355", "https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "Unix.Mirai Botnet: https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "CnC IP: https://otx.alienvault.com/indicator/ip/142.202.242.45", "https://otx.alienvault.com/indicator/domain/bunny.net", "https://otx.alienvault.com/indicator/ip/210.211.117.205", "https://otx.alienvault.com/indicator/ip/143.244.50.212", "https://otx.alienvault.com/indicator/ip/125.235.4.59", "AV Detection: ELF:Mirai-GH\\ [Trj]", "IDS Detections: MVPower DVR Shell UCE Mirai | Variant User-Agent (Outbound) JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: Huawei Remote Command Execution (CVE-2017-17215) Huawei Remote Command Execution - Outbound (CVE-2017-17215) Huawei HG532 RCE Vulnerability (CVE-2017-17215) Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World) 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST", "IDS Detections: Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World)", "IDS Detections: 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST) ...", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication network_cnc_http network_http p2p_cnc writes_to_stdout", "Matches rule Linux_Trojan_Mirai_6a77af0f from ruleset Linux_Trojan_Mirai by Elastic Security | botnet.ngocronglau.xyz", "https://otx.alienvault.com/indicator/file/2b5deac6176124ee1f7d237f070c39b03c964fce9a9fba0aaa1bce102710d2e0", "cu-payment-porch.pdv-3.ap-southeast-2.production.jet-external.com | qa.proxy.cognito.tigomoney.io | https://trackon.fr/track/clique", "Crowdsourced YARA rules Matches: rule INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "Crowdsourced YARA rules Matches: INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "Crowdsourced YARA rules Matches: SUSP_Unsigned_OSPPSVC from ruleset gen_sign_anomalies by Florian Roth (Nextron Systems", "Crowdsourced YARA rules Matches: IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems)", "Crowdsourced YARA rules Matches: Matches rule IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com", "Was anyone else notified? I'm not sure why I was.", "Through research I did notice many references to target I'm researching for. Phishing/Injection attempt? I didn't click on links.", "CS Sigma: Matches rule Python Initiated Connection by frack113" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null }, { "id": "ALF:E5.SpikeAex.rhh_mcv", "display_name": "ALF:E5.SpikeAex.rhh_mcv", "target": null }, { "id": "Win.Dropper.Bulz-9910065-0", "display_name": "Win.Dropper.Bulz-9910065-0", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Win.Dropper.Autoit-6688751-0", "display_name": "Win.Dropper.Autoit-6688751-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Win.Dropper.Dridex-9986041-0", "display_name": "Win.Dropper.Dridex-9986041-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Zombie", "display_name": "ALF:HeraklezEval:Trojan:Win32/Zombie", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Worm:Win32/Sfone.A", "display_name": "Worm:Win32/Sfone.A", "target": "/malware/Worm:Win32/Sfone.A" }, { "id": "Worm:Win32/Sfone", "display_name": "Worm:Win32/Sfone", "target": "/malware/Worm:Win32/Sfone" }, { "id": "Win.Malware.Bbabdcdc-7358312-0", "display_name": "Win.Malware.Bbabdcdc-7358312-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "trojan.mirai/fszhh", "display_name": "trojan.mirai/fszhh", "target": null }, { "id": "DDOS:Linux/Mirai", "display_name": "DDOS:Linux/Mirai", "target": "/malware/DDOS:Linux/Mirai" }, { "id": "ANDROID/AVE.Mirai.fszhh", "display_name": "ANDROID/AVE.Mirai.fszhh", "target": null }, { "id": "Flyagent L", "display_name": "Flyagent L", "target": null }, { "id": "Win-Trojan/Malpacked5.Gen", "display_name": "Win-Trojan/Malpacked5.Gen", "target": null }, { "id": "Atros3.LDJ", "display_name": "Atros3.LDJ", "target": null }, { "id": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted", "display_name": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted", "target": null }, { "id": "TrojanSpy:Win32/Gucotut.A", "display_name": "TrojanSpy:Win32/Gucotut.A", "target": "/malware/TrojanSpy:Win32/Gucotut.A" }, { "id": "W32/Pidgeon-A", "display_name": "W32/Pidgeon-A", "target": null }, { "id": "Variant.Zusy.151902", "display_name": "Variant.Zusy.151902", "target": null }, { "id": "trojan.mirai/fedr", "display_name": "trojan.mirai/fedr", "target": null }, { "id": "Win.Malware.Trojanx-9862538-0", "display_name": "Win.Malware.Trojanx-9862538-0", "target": null }, { "id": "Win32:PWSX-gen\\ [Trj]", "display_name": "Win32:PWSX-gen\\ [Trj]", "target": null }, { "id": "virus.ramnit/nimnul", "display_name": "virus.ramnit/nimnul", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 351, "FileHash-SHA1": 349, "FileHash-SHA256": 3715, "domain": 3326, "hostname": 5200, "URL": 13151, "email": 9, "CVE": 7, "CIDR": 2 }, "indicator_count": 26110, "is_author": false, "is_subscribing": null, "subscriber_count": 249, "modified_text": "683 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "applyforms.me", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "applyforms.me", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780423278.8852277 }