{ "type": "Domain", "indicator": "clk75.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/clk75.com", "alexa": "http://www.alexa.com/siteinfo/clk75.com", "indicator": "clk75.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4075727776, "indicator": "clk75.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "6944ce38344ccded23df66f5", "name": "Ransom - Amnesty.org - a single link in a Pegasus attack against a civilian.", "description": "I don\u2019t have the right words to put this together because it involves so much coercion, fraud, betrayal, manipulation , hacking, multiple business fronts, loud mouth mafia plants, working with someone under false pretenses, redhat security teams in Denver , Colorado, false implications of cyber attacks coming from foreign entities. \n\nTips come from a highly reliable sources. One link in a Pegasus attack .", "modified": "2026-01-18T03:05:59.836000", "created": "2025-12-19T04:02:00.973000", "tags": [ "intel", "ms windows", "write c", "pe32", "pe32 executable", "copy c", "free", "benjamin", "write", "worm", "win32", "code", "june", "delphi", "malware", "benjamin", "tulach", "state of colorado", "christopher p. \u2018buzz\u2019 ahmann", "danica implants", "nids_malware_alert", "bonu$", "network_icmp", "network_irc", "persistence_autorun", "network_http", "nids_alert", "allocates_rwx", "hackers", "creates_exe", "brian sabey", "sour del", "packer_entropy", "antivm_memory_available", "pe_features", "get key", "crime", "organized crime", "federal crime", "cyber crime", "piracy", "status", "china unknown", "name servers", "div div", "ip address", "domain", "creation date", "record value", "meta", "title", "hong kong", "passive dns", "gmt content", "type", "content length", "ipv4 add", "urls", "files", "location hong", "twitter", "youtube", "side 3 studios", "denver music", "infiltration", "whistleblower", "getkey", "cyber warfare", "fraud", "financial crimes", "pegasus", "music front", "france unknown", "present feb", "iran unknown", "present nov", "present jun", "present jan", "hidden", "present jul", "date", "united", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "llc name", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "pattern match", "mitre att", "show technique", "ck matrix", "ascii text", "href", "show process", "file", "general", "local", "path", "memory dumping", "entries", "icmp delphi", "showing", "delete", "yara detections", "windows nt", "wow64", "khtml", "gecko", "dns query", "packing t1045", "ransom", "cve", "palantir", "remote", "graham" ], "references": [ "Amnesty.org | remote.amnesty.org", "tulach.cc", "Worm:Win32/Benjamin IDS Detections: Win32.Worm.Benjamin.A CnC Checkin ICMP", "Alerts : nids_malware_alert network_icmp network_irc persistence_autorun network_http", "Alerts : nids_alert allocates_rwx creates_exe packer_entropy antivm_memory_available", "Delphi Likely Precursor to Scan PING Delphi-Piette Windows Yara Detections Delphi", "Delphi This program must be run under Win32 Compilers", "More IP\u2019s Contacted 74.6.143.26 Domains Contacted benjamin.xww.de", "http://www.yixun.com/getkey {\"privateKey\": \"JMVRar4COFWb3eKZ\"}", "Server: JFE https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.yixun.com/getkey", "http://www.shopsleuth.com/goal-academy/the-citadel/colorado-springs-co", "ipv4bot.whatismyipaddress.com", "helloprismatic.com", "https://palantir-staging.staging.candidate.app.paulsjob.ai/", "Brian Sabey", "Christopher P. \u2018Buzz\u2019 Ahmann" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "Ransom:Win32/GandCrab", "display_name": "Ransom:Win32/GandCrab", "target": "/malware/Ransom:Win32/GandCrab" }, { "id": "CVE-2023-2868", "display_name": "CVE-2023-2868", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 429, "FileHash-SHA1": 341, "FileHash-SHA256": 2766, "URL": 6976, "domain": 1151, "CVE": 2, "email": 3, "hostname": 2913, "SSLCertFingerprint": 4 }, "indicator_count": 14585, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "134 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684a49e0c2d33c785eb6247a", "name": "Python Initiated connection | Spyware", "description": "Trojan[Spy]:Win/QQWare.AM - https://r.clk71.com/s.ashx?ms=AZ71:207998_143310&e=diemerd@usengineering.com&eId=1338769034&c=h&url=http://e.snd65.com/cl/22/SCM/Exposing_Malware_in%20Linux-Based_Multi-Cloud_Environments_R1Final.pdf\nSigma:\n\u2022 Python Initiated Connection by frack113 (critical)\n\u2022 Failed Code Integrity Checks by Thomas Patzke\n\u2022 Creation of an Executable by an Executable by frack113 |\n Yara: \n MAL_CN_FlyStudio_May18_1 from ruleset crime_floxif_flystudio by Florian Roth (Nextron Systems) S_MultiFunction_Scanners_s from ruleset gen_cn_hacktools by Florian Roth (Nextron Systems) UPX from ruleset UPX by kevoreilly |\nWindows_Generic_Threat_bc6ae28d from ruleset Windows_Generic_Threat by Elastic Security", "modified": "2025-07-12T03:01:48.497000", "created": "2025-06-12T03:30:40.943000", "tags": [ "ta0004 defense", "evasion ta0005", "get http", "resolved ips", "post http", "dns resolutions", "number", "cus cndigicert", "tls rsa", "sha256", "ca1 odigicert", "inc subject", "cus lsan", "stcalifornia", "files", "pdf document", "verdict", "status url", "ta0002 defense", "ta0009 command", "control ta0011", "file type", "copyright", "shell" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 112, "FileHash-SHA1": 91, "FileHash-SHA256": 467, "URL": 15, "domain": 79, "email": 1, "hostname": 247 }, "indicator_count": 1012, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "324 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "tulach.cc", "http://www.shopsleuth.com/goal-academy/the-citadel/colorado-springs-co", "Worm:Win32/Benjamin IDS Detections: Win32.Worm.Benjamin.A CnC Checkin ICMP", "Christopher P. \u2018Buzz\u2019 Ahmann", "Amnesty.org | remote.amnesty.org", "Alerts : nids_malware_alert network_icmp network_irc persistence_autorun network_http", "ipv4bot.whatismyipaddress.com", "Delphi This program must be run under Win32 Compilers", "https://palantir-staging.staging.candidate.app.paulsjob.ai/", "Brian Sabey", "More IP\u2019s Contacted 74.6.143.26 Domains Contacted benjamin.xww.de", "Delphi Likely Precursor to Scan PING Delphi-Piette Windows Yara Detections Delphi", "http://www.yixun.com/getkey {\"privateKey\": \"JMVRar4COFWb3eKZ\"}", "Alerts : nids_alert allocates_rwx creates_exe packer_entropy antivm_memory_available", "helloprismatic.com", "Server: JFE https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.yixun.com/getkey" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Cve-2023-2868", "Exploit:win32/cve-2017-0147", "Worm:win32/benjamin", "Ransom:win32/gandcrab" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "6944ce38344ccded23df66f5", "name": "Ransom - Amnesty.org - a single link in a Pegasus attack against a civilian.", "description": "I don\u2019t have the right words to put this together because it involves so much coercion, fraud, betrayal, manipulation , hacking, multiple business fronts, loud mouth mafia plants, working with someone under false pretenses, redhat security teams in Denver , Colorado, false implications of cyber attacks coming from foreign entities. \n\nTips come from a highly reliable sources. One link in a Pegasus attack .", "modified": "2026-01-18T03:05:59.836000", "created": "2025-12-19T04:02:00.973000", "tags": [ "intel", "ms windows", "write c", "pe32", "pe32 executable", "copy c", "free", "benjamin", "write", "worm", "win32", "code", "june", "delphi", "malware", "benjamin", "tulach", "state of colorado", "christopher p. \u2018buzz\u2019 ahmann", "danica implants", "nids_malware_alert", "bonu$", "network_icmp", "network_irc", "persistence_autorun", "network_http", "nids_alert", "allocates_rwx", "hackers", "creates_exe", "brian sabey", "sour del", "packer_entropy", "antivm_memory_available", "pe_features", "get key", "crime", "organized crime", "federal crime", "cyber crime", "piracy", "status", "china unknown", "name servers", "div div", "ip address", "domain", "creation date", "record value", "meta", "title", "hong kong", "passive dns", "gmt content", "type", "content length", "ipv4 add", "urls", "files", "location hong", "twitter", "youtube", "side 3 studios", "denver music", "infiltration", "whistleblower", "getkey", "cyber warfare", "fraud", "financial crimes", "pegasus", "music front", "france unknown", "present feb", "iran unknown", "present nov", "present jun", "present jan", "hidden", "present jul", "date", "united", "flag", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "llc name", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "pattern match", "mitre att", "show technique", "ck matrix", "ascii text", "href", "show process", "file", "general", "local", "path", "memory dumping", "entries", "icmp delphi", "showing", "delete", "yara detections", "windows nt", "wow64", "khtml", "gecko", "dns query", "packing t1045", "ransom", "cve", "palantir", "remote", "graham" ], "references": [ "Amnesty.org | remote.amnesty.org", "tulach.cc", "Worm:Win32/Benjamin IDS Detections: Win32.Worm.Benjamin.A CnC Checkin ICMP", "Alerts : nids_malware_alert network_icmp network_irc persistence_autorun network_http", "Alerts : nids_alert allocates_rwx creates_exe packer_entropy antivm_memory_available", "Delphi Likely Precursor to Scan PING Delphi-Piette Windows Yara Detections Delphi", "Delphi This program must be run under Win32 Compilers", "More IP\u2019s Contacted 74.6.143.26 Domains Contacted benjamin.xww.de", "http://www.yixun.com/getkey {\"privateKey\": \"JMVRar4COFWb3eKZ\"}", "Server: JFE https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.yixun.com/getkey", "http://www.shopsleuth.com/goal-academy/the-citadel/colorado-springs-co", "ipv4bot.whatismyipaddress.com", "helloprismatic.com", "https://palantir-staging.staging.candidate.app.paulsjob.ai/", "Brian Sabey", "Christopher P. \u2018Buzz\u2019 Ahmann" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "Ransom:Win32/GandCrab", "display_name": "Ransom:Win32/GandCrab", "target": "/malware/Ransom:Win32/GandCrab" }, { "id": "CVE-2023-2868", "display_name": "CVE-2023-2868", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 429, "FileHash-SHA1": 341, "FileHash-SHA256": 2766, "URL": 6976, "domain": 1151, "CVE": 2, "email": 3, "hostname": 2913, "SSLCertFingerprint": 4 }, "indicator_count": 14585, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "134 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684a49e0c2d33c785eb6247a", "name": "Python Initiated connection | Spyware", "description": "Trojan[Spy]:Win/QQWare.AM - https://r.clk71.com/s.ashx?ms=AZ71:207998_143310&e=diemerd@usengineering.com&eId=1338769034&c=h&url=http://e.snd65.com/cl/22/SCM/Exposing_Malware_in%20Linux-Based_Multi-Cloud_Environments_R1Final.pdf\nSigma:\n\u2022 Python Initiated Connection by frack113 (critical)\n\u2022 Failed Code Integrity Checks by Thomas Patzke\n\u2022 Creation of an Executable by an Executable by frack113 |\n Yara: \n MAL_CN_FlyStudio_May18_1 from ruleset crime_floxif_flystudio by Florian Roth (Nextron Systems) S_MultiFunction_Scanners_s from ruleset gen_cn_hacktools by Florian Roth (Nextron Systems) UPX from ruleset UPX by kevoreilly |\nWindows_Generic_Threat_bc6ae28d from ruleset Windows_Generic_Threat by Elastic Security", "modified": "2025-07-12T03:01:48.497000", "created": "2025-06-12T03:30:40.943000", "tags": [ "ta0004 defense", "evasion ta0005", "get http", "resolved ips", "post http", "dns resolutions", "number", "cus cndigicert", "tls rsa", "sha256", "ca1 odigicert", "inc subject", "cus lsan", "stcalifornia", "files", "pdf document", "verdict", "status url", "ta0002 defense", "ta0009 command", "control ta0011", "file type", "copyright", "shell" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 112, "FileHash-SHA1": 91, "FileHash-SHA256": 467, "URL": 15, "domain": 79, "email": 1, "hostname": 247 }, "indicator_count": 1012, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "324 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "clk75.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "clk75.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780337754.4598327 }