{ "type": "Domain", "indicator": "grnaeil.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/grnaeil.com", "alexa": "http://www.alexa.com/siteinfo/grnaeil.com", "indicator": "grnaeil.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2131722223, "indicator": "grnaeil.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "5e0b9895c5ed003a85210202", "name": "Microsoft Takes Down Thallium (APT37) Domains", "description": "Collection of Infrastructure taken down, plus potentially related based on infra overlapping and other relations.", "modified": "2020-12-02T19:07:31.733000", "created": "2019-12-31T18:51:01.497000", "tags": [ "DPRK_APT", "North Korea" ], "references": [ "https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU", "https://malpedia.caad.fkie.fraunhofer.de/actor/apt37", "https://twitter.com/jfslowik/status/1212097943550873600" ], "public": 1, "adversary": "APT37", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 118, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "email": 9, "domain": 71, "hostname": 7 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 387055, "modified_text": "2008 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5e206c7aef589acc3f96cb79", "name": "Thallium domains sinkholed by Microsoft", "description": "On December 27, a U.S. district court unsealed documents detailing work Microsoft has performed to disrupt cyberattacks from a threat group we call Thallium, which is believed to operate from North Korea. Our court case against Thallium, filed in the U.S. District Court for the Eastern District of Virginia, resulted in a court order enabling Microsoft to take control of 50 domains that the group uses to conduct its operations. With this action, the sites can no longer be used to execute attacks.", "modified": "2020-01-17T20:26:26.408000", "created": "2020-01-16T14:00:26.890000", "tags": [ "apt37", "Thallium", "dprk" ], "references": [ "https://twitter.com/kyleehmke/status/1212119523077349378", "https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/" ], "public": 1, "adversary": "Thallium", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "email": 15, "domain": 28, "hostname": 2 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 387051, "modified_text": "2328 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5d68ffff718c253183ab84f1", "name": "Continued Konni attacks", "description": "Continued activity from attackers linked to North Korea against Crypto-Currency users, and governments.", "modified": "2019-09-23T08:11:59.302000", "created": "2019-08-30T10:52:47.138000", "tags": [ "north korea", "mobile", "bitcoin" ], "references": [ "https://blog.alyac.co.kr/2486", "https://twitter.com/Rmy_Reserve/status/1175989476155215878" ], "public": 1, "adversary": "Konni", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Crypto" ], "TLP": "white", "cloned_from": null, "export_count": 102, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 41, "FileHash-SHA256": 14, "email": 17, "FileHash-MD5": 20, "domain": 37, "hostname": 10, "FileHash-SHA1": 2 }, "indicator_count": 141, "is_author": false, "is_subscribing": null, "subscriber_count": 387078, "modified_text": "2445 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5d6d3ae5a52ded457b61b5b0", "name": "North Korean attacks against Crypto-Currency users", "description": "", "modified": "2019-09-11T11:47:16.466000", "created": "2019-09-02T15:53:09.704000", "tags": [], "references": [ "https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?menu_dist=2&curPage=1&seq=28616" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "email": 5, "hostname": 30, "domain": 11, "URL": 7, "FileHash-MD5": 31, "FileHash-SHA256": 1 }, "indicator_count": 85, "is_author": false, "is_subscribing": null, "subscriber_count": 387077, "modified_text": "2456 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/", "https://twitter.com/kyleehmke/status/1212119523077349378", "https://twitter.com/Rmy_Reserve/status/1175989476155215878", "https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU", "https://malpedia.caad.fkie.fraunhofer.de/actor/apt37", "https://blog.alyac.co.kr/2486", "https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?menu_dist=2&curPage=1&seq=28616", "https://twitter.com/jfslowik/status/1212097943550873600" ], "related": { "alienvault": { "adversary": [ "Konni", "Thallium", "Kimsuky", "APT37" ], "malware_families": [], "industries": [ "Crypto" ] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "5e0b9895c5ed003a85210202", "name": "Microsoft Takes Down Thallium (APT37) Domains", "description": "Collection of Infrastructure taken down, plus potentially related based on infra overlapping and other relations.", "modified": "2020-12-02T19:07:31.733000", "created": "2019-12-31T18:51:01.497000", "tags": [ "DPRK_APT", "North Korea" ], "references": [ "https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU", "https://malpedia.caad.fkie.fraunhofer.de/actor/apt37", "https://twitter.com/jfslowik/status/1212097943550873600" ], "public": 1, "adversary": "APT37", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 118, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "email": 9, "domain": 71, "hostname": 7 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 387055, "modified_text": "2008 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5e206c7aef589acc3f96cb79", "name": "Thallium domains sinkholed by Microsoft", "description": "On December 27, a U.S. district court unsealed documents detailing work Microsoft has performed to disrupt cyberattacks from a threat group we call Thallium, which is believed to operate from North Korea. Our court case against Thallium, filed in the U.S. District Court for the Eastern District of Virginia, resulted in a court order enabling Microsoft to take control of 50 domains that the group uses to conduct its operations. With this action, the sites can no longer be used to execute attacks.", "modified": "2020-01-17T20:26:26.408000", "created": "2020-01-16T14:00:26.890000", "tags": [ "apt37", "Thallium", "dprk" ], "references": [ "https://twitter.com/kyleehmke/status/1212119523077349378", "https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/" ], "public": 1, "adversary": "Thallium", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "email": 15, "domain": 28, "hostname": 2 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 387051, "modified_text": "2328 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5d68ffff718c253183ab84f1", "name": "Continued Konni attacks", "description": "Continued activity from attackers linked to North Korea against Crypto-Currency users, and governments.", "modified": "2019-09-23T08:11:59.302000", "created": "2019-08-30T10:52:47.138000", "tags": [ "north korea", "mobile", "bitcoin" ], "references": [ "https://blog.alyac.co.kr/2486", "https://twitter.com/Rmy_Reserve/status/1175989476155215878" ], "public": 1, "adversary": "Konni", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Crypto" ], "TLP": "white", "cloned_from": null, "export_count": 102, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 41, "FileHash-SHA256": 14, "email": 17, "FileHash-MD5": 20, "domain": 37, "hostname": 10, "FileHash-SHA1": 2 }, "indicator_count": 141, "is_author": false, "is_subscribing": null, "subscriber_count": 387078, "modified_text": "2445 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5d6d3ae5a52ded457b61b5b0", "name": "North Korean attacks against Crypto-Currency users", "description": "", "modified": "2019-09-11T11:47:16.466000", "created": "2019-09-02T15:53:09.704000", "tags": [], "references": [ "https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?menu_dist=2&curPage=1&seq=28616" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "email": 5, "hostname": 30, "domain": 11, "URL": 7, "FileHash-MD5": 31, "FileHash-SHA256": 1 }, "indicator_count": 85, "is_author": false, "is_subscribing": null, "subscriber_count": 387077, "modified_text": "2456 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "grnaeil.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "grnaeil.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780475277.0192115 }