{ "type": "URL", "indicator": "http://ferventcoder.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "http://ferventcoder.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3749700679, "indicator": "http://ferventcoder.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "65a59fe40c1e4412af5b5710", "name": "Qakbot Continues | DNSpionage | Gmail l Carnegie Mellon University", "description": "Qakbot continues to attack vulnerable devices; this attack affecting Chrome, Chromium, Google PlayStore - Redline Stealer, Gmail accounts.\n\nQakBot\u2019s modular structure allows for various malicious features, including process and web injection, victim network enumeration and credential stealing, and the delivery of follow-on payloads such as Cobalt Strike[1], Brute Ratel, and other malware. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti[2], ProLock[3], Egregor[4], REvil[5], MegaCortex[6], Black Basta[7], Royal[8], and PwndLocker.", "modified": "2024-02-14T19:00:40.517000", "created": "2024-01-15T21:13:08.734000", "tags": [ "present jun", "scan endpoints", "all octoseek", "ipv4", "passive dns", "urls", "files", "reverse dns", "pittsburgh", "united", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "win32", "whois record", "ssl certificate", "threat roundup", "july", "communicating", "whois whois", "referrer", "contacted", "attack", "execution", "malware", "august", "copy", "april", "qakbot", "ursnif", "azorult", "hacktool", "metro", "banker", "keylogger", "malicious", "february", "mydoom-90", "worm", "cmu server", "caltech.edu", "gmail", "google attack", "google playstore", "chrome", "targeting", "carnegie mellon university", "algorithm", "v3 serial", "number", "issuer", "cus cnincommon", "rsa server", "ca lann", "stmi ouincommon", "validity", "key algorithm", "info", "first", "carnegie mellon", "server", "domain name", "domain record", "domain", "city", "orgid", "rtechhandle", "net128", "net1280000", "error", "dns replication", "date", "win32 exe", "winamp", "detections type", "name" ], "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a", "128.2.42.10 'CMU' Carnegie Mellon University Server", "caltech.edu | Carnegie Mellon University", "https://otx.alienvault.com/pulse/65a57ec1d13648277c52328a", "https://otx.alienvault.com/indicator/ip/142.250.69.206", "CVE-2022-26134", "http://matfyz.cz/ | phishing", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple Password Cracker]", "http://alohatube.xyz/search/tsara-brashears/ [BotNet]", "alohatube.xyz", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www.studentaffairs.cmu.edu", "3.0.8.6 Carnegie Mellon University [cmu.edu projects]", "http://www.casos.cs.cmu.edu/projects/ora/software/3.0.8.6/ORA-NetScenes-gpt-iw-64.exe [cmu.edu projects]", "googlepassword.cmu.edu", "google.cmu.edu.", "https://otx.alienvault.com/indicator/hostname/ww.google.com.uy" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 82, "FileHash-SHA1": 78, "FileHash-SHA256": 1270, "URL": 1188, "domain": 242, "hostname": 684, "CVE": 2, "CIDR": 1, "email": 2 }, "indicator_count": 3549, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "837 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f7efd15e05f08f517c1f9f", "name": "Ferventcoder.com malware server java.exe", "description": "283,000 files, communicating, 200 files, referring, all infected, worms, chargers, various malware.", "modified": "2023-10-06T08:04:19.660000", "created": "2023-09-06T03:19:45.968000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Hell-On-A-Stick", "id": "186907", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 143, "FileHash-SHA1": 141, "FileHash-SHA256": 1779, "domain": 51, "email": 1, "URL": 126, "hostname": 54 }, "indicator_count": 2295, "is_author": false, "is_subscribing": null, "subscriber_count": 52, "modified_text": "969 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://www.casos.cs.cmu.edu/projects/ora/software/3.0.8.6/ORA-NetScenes-gpt-iw-64.exe [cmu.edu projects]", "https://otx.alienvault.com/pulse/65a57ec1d13648277c52328a", "CVE-2022-26134", "caltech.edu | Carnegie Mellon University", "https://otx.alienvault.com/indicator/hostname/ww.google.com.uy", "googlepassword.cmu.edu", "google.cmu.edu.", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "http://matfyz.cz/ | phishing", "https://otx.alienvault.com/indicator/ip/142.250.69.206", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple Password Cracker]", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+", "128.2.42.10 'CMU' Carnegie Mellon University Server", "alohatube.xyz", "http://alohatube.xyz/search/tsara-brashears/ [BotNet]", "www.studentaffairs.cmu.edu", "3.0.8.6 Carnegie Mellon University [cmu.edu projects]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 5890 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/ferventcoder.com", "whois": "http://whois.domaintools.com/ferventcoder.com", "domain": "ferventcoder.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "65a59fe40c1e4412af5b5710", "name": "Qakbot Continues | DNSpionage | Gmail l Carnegie Mellon University", "description": "Qakbot continues to attack vulnerable devices; this attack affecting Chrome, Chromium, Google PlayStore - Redline Stealer, Gmail accounts.\n\nQakBot\u2019s modular structure allows for various malicious features, including process and web injection, victim network enumeration and credential stealing, and the delivery of follow-on payloads such as Cobalt Strike[1], Brute Ratel, and other malware. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti[2], ProLock[3], Egregor[4], REvil[5], MegaCortex[6], Black Basta[7], Royal[8], and PwndLocker.", "modified": "2024-02-14T19:00:40.517000", "created": "2024-01-15T21:13:08.734000", "tags": [ "present jun", "scan endpoints", "all octoseek", "ipv4", "passive dns", "urls", "files", "reverse dns", "pittsburgh", "united", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "win32", "whois record", "ssl certificate", "threat roundup", "july", "communicating", "whois whois", "referrer", "contacted", "attack", "execution", "malware", "august", "copy", "april", "qakbot", "ursnif", "azorult", "hacktool", "metro", "banker", "keylogger", "malicious", "february", "mydoom-90", "worm", "cmu server", "caltech.edu", "gmail", "google attack", "google playstore", "chrome", "targeting", "carnegie mellon university", "algorithm", "v3 serial", "number", "issuer", "cus cnincommon", "rsa server", "ca lann", "stmi ouincommon", "validity", "key algorithm", "info", "first", "carnegie mellon", "server", "domain name", "domain record", "domain", "city", "orgid", "rtechhandle", "net128", "net1280000", "error", "dns replication", "date", "win32 exe", "winamp", "detections type", "name" ], "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a", "128.2.42.10 'CMU' Carnegie Mellon University Server", "caltech.edu | Carnegie Mellon University", "https://otx.alienvault.com/pulse/65a57ec1d13648277c52328a", "https://otx.alienvault.com/indicator/ip/142.250.69.206", "CVE-2022-26134", "http://matfyz.cz/ | phishing", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple Password Cracker]", "http://alohatube.xyz/search/tsara-brashears/ [BotNet]", "alohatube.xyz", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www.studentaffairs.cmu.edu", "3.0.8.6 Carnegie Mellon University [cmu.edu projects]", "http://www.casos.cs.cmu.edu/projects/ora/software/3.0.8.6/ORA-NetScenes-gpt-iw-64.exe [cmu.edu projects]", "googlepassword.cmu.edu", "google.cmu.edu.", "https://otx.alienvault.com/indicator/hostname/ww.google.com.uy" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 82, "FileHash-SHA1": 78, "FileHash-SHA256": 1270, "URL": 1188, "domain": 242, "hostname": 684, "CVE": 2, "CIDR": 1, "email": 2 }, "indicator_count": 3549, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "837 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f7efd15e05f08f517c1f9f", "name": "Ferventcoder.com malware server java.exe", "description": "283,000 files, communicating, 200 files, referring, all infected, worms, chargers, various malware.", "modified": "2023-10-06T08:04:19.660000", "created": "2023-09-06T03:19:45.968000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Hell-On-A-Stick", "id": "186907", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 143, "FileHash-SHA1": 141, "FileHash-SHA256": 1779, "domain": 51, "email": 1, "URL": 126, "hostname": 54 }, "indicator_count": 2295, "is_author": false, "is_subscribing": null, "subscriber_count": 52, "modified_text": "969 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "http://ferventcoder.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "http://ferventcoder.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780326371.132399 }