{ "type": "Domain", "indicator": "ernational.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/ernational.com", "alexa": "http://www.alexa.com/siteinfo/ernational.com", "indicator": "ernational.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3421986457, "indicator": "ernational.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69c0bde1bb830f573c2e86c5", "name": "Malware Filter - Phishing List - 22-03-2026", "description": "", "modified": "2026-03-23T04:13:21.154000", "created": "2026-03-23T04:13:21.154000", "tags": [], "references": [ "https://malware-filter.gitlab.io/malware-filter/phishing-filter-domains.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 129, "domain": 79 }, "indicator_count": 208, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "69 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ec0870475174302c733fa2", "name": "Cyber Crime - Emotet | Tofsee CnC | Targeting \u2022 Streaming \u2022 Stealing", "description": "I\u2019ve heard of mortis.com from a target. It was heavily suggested on targets YouTube homepage. I hadn\u2019t had thought to research link until Friday.\n\n Doing my due diligence I\u2019ve been viewing potential issues targets family member/s may be and his having with technology.\n\nSmart TV is completely hacked. playlist tampering , heavy downloading daily when TV is on , off or unplugged. \n I watched this TV monitored data volume , noted continued suggestions for Mortis.com , \ntouted . Obviously, a threat. YouTuber warns not go in and no one can get in which is insanely stupid. OTX issues,. Several pulse attempts later , constant refreshing and deleting of IoC this is all what remains. Streaming services, webcams and multiple labeled rooms. I have no idea the point of death threats especially since God can mow anyone down. Who promised you another breath? Target seems to be the only person targeted. Multiple Foundry , PayPal Palantir\nLinks , Boeing, JetBlue Twitter , Apple loading issues.", "modified": "2025-11-11T04:02:27.091000", "created": "2025-10-12T19:58:40.472000", "tags": [ "url https", "indicator role", "active related", "united", "ip address", "unknown ns", "x82xd4", "x86xd3", "xa1xf1", "xe8xc2x14", "win32tofsee", "trojan", "win32tofsee att", "ck ids", "t1096", "ntfs file", "service", "united kingdom", "germany", "netherlands", "mortis.com", "dead", "death", "foundry", "paypal", "home visitor", "psalms 37", "trojan", "emotet", "boeing", "apple", "streaming", "kryptik", "myundeadneighbor", "windstream communications llc", "command", "tofsee", "kx81xdbx0f", "wx99xcdx11", "stream", "write", "malware", "tsara brashears", "regsetvalueexa", "malware", "win32", "persistence", "execution", "push", "shellexecuteexw", "windows", "botnet", "backdoor", "writeconsolew", "displayname", "sddl", "hash", "ip address", "ssl certificate", "spawns", "initial access", "adversaries", "name tactics", "t1031", "registry", "dock", "suspicious", "learn", "phishing att", "infection", "commandand_and_control", "informative", "jetblue", "porn", "keylogger", "remote keylogger", "parklogic", "parking crew", "park pages", "cyber crime", "data brokers", "info stealers", "password", "masquerading", "discord", "sophisticated", "dga domains", "pit", "rotor", "hello", "targeting", "games" ], "references": [ "mortis.com", "I unintentionally made the first pulse Public.", "Stalker/Lurker?http://myundeadneighbor.com | Parking Crews | Parklogic", "assassinationmarkets.com", "https://id.security.trackid", "https://id.security.trackid.piwikb7c1867dd7ba9c57.2ce7e2c4000f72e3204af57fac31aafd.mailingmarketing.net/", "https://id.login.update.ssl.encryption-6159368de39251d7a-login.id.security.trackid.piwikb7c1867dd7ba9c57.e988d676bdb63f3b4dbcdc53578a9b26.mailingmarketing.net/", "Hmm, cyber criminals use parking pages for malvertizing malicious content & intent , reputation content, etc", "https://www.gov.pl/attachment/65dfce94-31f9-4523-8d3b-89df3d4c5f75" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Trojan:Win32/Emotet.KDS!MTB", "display_name": "Trojan:Win32/Emotet.KDS!MTB", "target": "/malware/Trojan:Win32/Emotet.KDS!MTB" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Malware.Tofsee-6880878-0", "display_name": "Win.Malware.Tofsee-6880878-0", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win32:Kryptik-PLL", "display_name": "Win32:Kryptik-PLL", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2407, "domain": 2321, "hostname": 983, "FileHash-SHA256": 3035, "FileHash-MD5": 228, "FileHash-SHA1": 231, "email": 1, "FilePath": 3 }, "indicator_count": 9209, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "201 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708b92dca4e6c505e4fc9f", "name": "hmmm well here's an interesting collection - cant be good thou", "description": "", "modified": "2023-12-06T14:56:18.197000", "created": "2023-12-06T14:56:18.197000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 203, "FileHash-SHA256": 238, "domain": 228, "URL": 514 }, "indicator_count": 1183, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62546c170788831d1b8f5860", "name": "hmmm well here's an interesting collection - cant be good thou", "description": "ocsp.pk vt google search results x 4 defo a lot of very short domains and a lot of typo squatting domains", "modified": "2022-05-11T00:02:13.446000", "created": "2022-04-11T17:57:43.813000", "tags": [ "ts val", "flags", "unknown", "ip6 fe80", "icmp6", "out ethertype", "h0f0", "e0c0a", "ei6oa", "cname", "file format", "ocsp.pk" ], "references": [ "21:13:30.518992 IP 10.186.117.95.1578 > 128.210.11.57.53: 2684+ ... milab.cs.purdue.edu File Format: text/plain 0x0170: 8619 6874 7470 3a2f 2f6f 6373 702e 706b ..http://ocsp.pk 0x0180: 692e 676f 6f67 2f67 7372 3230 3206 0355 i.goog/gsr202..U 0x0190: 1d1f 042b 3029 ...", "07:09:12.821315 IP 192.168.1.132.31021 > 192.168.1.1.53: 415+ A ... milab.cs.purdue.edu File Format: text/plain 0x0200: 861d 6874 7470 3a2f 2f6f 6373 702e 706b ..http://ocsp.pk 0x0210: 692e 676f 6f67 2f47 5453 4749 4147 3330 i.goog/GTSGIAG30 0x0220: 1d06 0355 1d0e", "19:31:39.739463 IP 10.186.117.95.20129 > 128.210.11.57.53 ... milab.cs.purdue.edu File Format: text/plain 0x0170: 8619 6874 7470 3a2f 2f6f 6373 702e 706b ..http://ocsp.pk 0x0180: 692e 676f 6f67 2f67 7372 3230 3206 0355 i.goog/gsr202..U 0x0190: 1d1f 042b 3029", "21:11:40.720930 IP 10.186.117.95.23185 > 128.210.11.57.53 ... milab.cs.purdue.edu File Format: text/plain 0x0170: 8619 6874 7470 3a2f 2f6f 6373 702e 706b ..http://ocsp.pk 0x0180: 692e 676f 6f67 2f67 7372 3230 3206 0355 i.goog/gsr202..U 0x0190: 1d1f 042b 3029", "http://milab.cs.purdue.edu/media/tasklog/e955eceb-a623-424f-9067-9cbb00e1ba93/CEXP_15519006996bbfc155-775c-4bde-9e5c-cccca344ce12_esp.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 514, "hostname": 203, "domain": 228, "FileHash-SHA256": 238 }, "indicator_count": 1183, "is_author": false, "is_subscribing": null, "subscriber_count": 395, "modified_text": "1481 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://id.security.trackid.piwikb7c1867dd7ba9c57.2ce7e2c4000f72e3204af57fac31aafd.mailingmarketing.net/", "http://milab.cs.purdue.edu/media/tasklog/e955eceb-a623-424f-9067-9cbb00e1ba93/CEXP_15519006996bbfc155-775c-4bde-9e5c-cccca344ce12_esp.txt", "assassinationmarkets.com", "21:13:30.518992 IP 10.186.117.95.1578 > 128.210.11.57.53: 2684+ ... milab.cs.purdue.edu File Format: text/plain 0x0170: 8619 6874 7470 3a2f 2f6f 6373 702e 706b ..http://ocsp.pk 0x0180: 692e 676f 6f67 2f67 7372 3230 3206 0355 i.goog/gsr202..U 0x0190: 1d1f 042b 3029 ...", "https://id.security.trackid", "19:31:39.739463 IP 10.186.117.95.20129 > 128.210.11.57.53 ... milab.cs.purdue.edu File Format: text/plain 0x0170: 8619 6874 7470 3a2f 2f6f 6373 702e 706b ..http://ocsp.pk 0x0180: 692e 676f 6f67 2f67 7372 3230 3206 0355 i.goog/gsr202..U 0x0190: 1d1f 042b 3029", "https://malware-filter.gitlab.io/malware-filter/phishing-filter-domains.txt", "https://id.login.update.ssl.encryption-6159368de39251d7a-login.id.security.trackid.piwikb7c1867dd7ba9c57.e988d676bdb63f3b4dbcdc53578a9b26.mailingmarketing.net/", "https://www.gov.pl/attachment/65dfce94-31f9-4523-8d3b-89df3d4c5f75", "mortis.com", "07:09:12.821315 IP 192.168.1.132.31021 > 192.168.1.1.53: 415+ A ... milab.cs.purdue.edu File Format: text/plain 0x0200: 861d 6874 7470 3a2f 2f6f 6373 702e 706b ..http://ocsp.pk 0x0210: 692e 676f 6f67 2f47 5453 4749 4147 3330 i.goog/GTSGIAG30 0x0220: 1d06 0355 1d0e", "Stalker/Lurker?http://myundeadneighbor.com | Parking Crews | Parklogic", "21:11:40.720930 IP 10.186.117.95.23185 > 128.210.11.57.53 ... milab.cs.purdue.edu File Format: text/plain 0x0170: 8619 6874 7470 3a2f 2f6f 6373 702e 706b ..http://ocsp.pk 0x0180: 692e 676f 6f67 2f67 7372 3230 3206 0355 i.goog/gsr202..U 0x0190: 1d1f 042b 3029", "Hmm, cyber criminals use parking pages for malvertizing malicious content & intent , reputation content, etc", "I unintentionally made the first pulse Public." ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Win32:kryptik-pll", "Win.malware.tofsee-6880878-0", "Tofsee", "Backdoor:win32/tofsee.t", "Trojan:win32/emotet.kds!mtb", "Trojan:win32/emotet.pc!mtb" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69c0bde1bb830f573c2e86c5", "name": "Malware Filter - Phishing List - 22-03-2026", "description": "", "modified": "2026-03-23T04:13:21.154000", "created": "2026-03-23T04:13:21.154000", "tags": [], "references": [ "https://malware-filter.gitlab.io/malware-filter/phishing-filter-domains.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 129, "domain": 79 }, "indicator_count": 208, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "69 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ec0870475174302c733fa2", "name": "Cyber Crime - Emotet | Tofsee CnC | Targeting \u2022 Streaming \u2022 Stealing", "description": "I\u2019ve heard of mortis.com from a target. It was heavily suggested on targets YouTube homepage. I hadn\u2019t had thought to research link until Friday.\n\n Doing my due diligence I\u2019ve been viewing potential issues targets family member/s may be and his having with technology.\n\nSmart TV is completely hacked. playlist tampering , heavy downloading daily when TV is on , off or unplugged. \n I watched this TV monitored data volume , noted continued suggestions for Mortis.com , \ntouted . Obviously, a threat. YouTuber warns not go in and no one can get in which is insanely stupid. OTX issues,. Several pulse attempts later , constant refreshing and deleting of IoC this is all what remains. Streaming services, webcams and multiple labeled rooms. I have no idea the point of death threats especially since God can mow anyone down. Who promised you another breath? Target seems to be the only person targeted. Multiple Foundry , PayPal Palantir\nLinks , Boeing, JetBlue Twitter , Apple loading issues.", "modified": "2025-11-11T04:02:27.091000", "created": "2025-10-12T19:58:40.472000", "tags": [ "url https", "indicator role", "active related", "united", "ip address", "unknown ns", "x82xd4", "x86xd3", "xa1xf1", "xe8xc2x14", "win32tofsee", "trojan", "win32tofsee att", "ck ids", "t1096", "ntfs file", "service", "united kingdom", "germany", "netherlands", "mortis.com", "dead", "death", "foundry", "paypal", "home visitor", "psalms 37", "trojan", "emotet", "boeing", "apple", "streaming", "kryptik", "myundeadneighbor", "windstream communications llc", "command", "tofsee", "kx81xdbx0f", "wx99xcdx11", "stream", "write", "malware", "tsara brashears", "regsetvalueexa", "malware", "win32", "persistence", "execution", "push", "shellexecuteexw", "windows", "botnet", "backdoor", "writeconsolew", "displayname", "sddl", "hash", "ip address", "ssl certificate", "spawns", "initial access", "adversaries", "name tactics", "t1031", "registry", "dock", "suspicious", "learn", "phishing att", "infection", "commandand_and_control", "informative", "jetblue", "porn", "keylogger", "remote keylogger", "parklogic", "parking crew", "park pages", "cyber crime", "data brokers", "info stealers", "password", "masquerading", "discord", "sophisticated", "dga domains", "pit", "rotor", "hello", "targeting", "games" ], "references": [ "mortis.com", "I unintentionally made the first pulse Public.", "Stalker/Lurker?http://myundeadneighbor.com | Parking Crews | Parklogic", "assassinationmarkets.com", "https://id.security.trackid", "https://id.security.trackid.piwikb7c1867dd7ba9c57.2ce7e2c4000f72e3204af57fac31aafd.mailingmarketing.net/", "https://id.login.update.ssl.encryption-6159368de39251d7a-login.id.security.trackid.piwikb7c1867dd7ba9c57.e988d676bdb63f3b4dbcdc53578a9b26.mailingmarketing.net/", "Hmm, cyber criminals use parking pages for malvertizing malicious content & intent , reputation content, etc", "https://www.gov.pl/attachment/65dfce94-31f9-4523-8d3b-89df3d4c5f75" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Trojan:Win32/Emotet.KDS!MTB", "display_name": "Trojan:Win32/Emotet.KDS!MTB", "target": "/malware/Trojan:Win32/Emotet.KDS!MTB" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Malware.Tofsee-6880878-0", "display_name": "Win.Malware.Tofsee-6880878-0", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Win32:Kryptik-PLL", "display_name": "Win32:Kryptik-PLL", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2407, "domain": 2321, "hostname": 983, "FileHash-SHA256": 3035, "FileHash-MD5": 228, "FileHash-SHA1": 231, "email": 1, "FilePath": 3 }, "indicator_count": 9209, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "201 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708b92dca4e6c505e4fc9f", "name": "hmmm well here's an interesting collection - cant be good thou", "description": "", "modified": "2023-12-06T14:56:18.197000", "created": "2023-12-06T14:56:18.197000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 203, "FileHash-SHA256": 238, "domain": 228, "URL": 514 }, "indicator_count": 1183, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62546c170788831d1b8f5860", "name": "hmmm well here's an interesting collection - cant be good thou", "description": "ocsp.pk vt google search results x 4 defo a lot of very short domains and a lot of typo squatting domains", "modified": "2022-05-11T00:02:13.446000", "created": "2022-04-11T17:57:43.813000", "tags": [ "ts val", "flags", "unknown", "ip6 fe80", "icmp6", "out ethertype", "h0f0", "e0c0a", "ei6oa", "cname", "file format", "ocsp.pk" ], "references": [ "21:13:30.518992 IP 10.186.117.95.1578 > 128.210.11.57.53: 2684+ ... milab.cs.purdue.edu File Format: text/plain 0x0170: 8619 6874 7470 3a2f 2f6f 6373 702e 706b ..http://ocsp.pk 0x0180: 692e 676f 6f67 2f67 7372 3230 3206 0355 i.goog/gsr202..U 0x0190: 1d1f 042b 3029 ...", "07:09:12.821315 IP 192.168.1.132.31021 > 192.168.1.1.53: 415+ A ... milab.cs.purdue.edu File Format: text/plain 0x0200: 861d 6874 7470 3a2f 2f6f 6373 702e 706b ..http://ocsp.pk 0x0210: 692e 676f 6f67 2f47 5453 4749 4147 3330 i.goog/GTSGIAG30 0x0220: 1d06 0355 1d0e", "19:31:39.739463 IP 10.186.117.95.20129 > 128.210.11.57.53 ... milab.cs.purdue.edu File Format: text/plain 0x0170: 8619 6874 7470 3a2f 2f6f 6373 702e 706b ..http://ocsp.pk 0x0180: 692e 676f 6f67 2f67 7372 3230 3206 0355 i.goog/gsr202..U 0x0190: 1d1f 042b 3029", "21:11:40.720930 IP 10.186.117.95.23185 > 128.210.11.57.53 ... milab.cs.purdue.edu File Format: text/plain 0x0170: 8619 6874 7470 3a2f 2f6f 6373 702e 706b ..http://ocsp.pk 0x0180: 692e 676f 6f67 2f67 7372 3230 3206 0355 i.goog/gsr202..U 0x0190: 1d1f 042b 3029", "http://milab.cs.purdue.edu/media/tasklog/e955eceb-a623-424f-9067-9cbb00e1ba93/CEXP_15519006996bbfc155-775c-4bde-9e5c-cccca344ce12_esp.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 514, "hostname": 203, "domain": 228, "FileHash-SHA256": 238 }, "indicator_count": 1183, "is_author": false, "is_subscribing": null, "subscriber_count": 395, "modified_text": "1481 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "ernational.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "ernational.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780255541.4041996 }