{ "type": "URL", "indicator": "https://172.245.27.233/j.ad", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://172.245.27.233/j.ad", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3724449862, "indicator": "https://172.245.27.233/j.ad", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "65a0194269f81650babf9b6c", "name": "Raspberry Robin | Hijacker | link: voyour-cams.xww.de | Monitoring", "description": "Raspberry Robin aka Worm.RaspberyRobin started out as an annoying, yet relatively low-profile threat that was often installed via USB drive.\nTo be able to act as a backdoor, malware needs to be active or you need to be able to trigger it remotely. Raspberry Robin gains persistence by adding itself to the RunOnce key in the CurrentUser registry hive of the user who executed the initial malware.\n\nBy using command-and-control (C2) servers hosted on Tor nodes the Raspberry Robin implant can be used to distribute other malware.", "modified": "2024-02-10T15:03:45.065000", "created": "2024-01-11T16:37:22.751000", "tags": [ "ssl certificate", "whois record", "contacted", "threat roundup", "historical ssl", "december", "october", "august", "referrer", "execution", "raspberry robin", "ghost rat", "service", "dtrack", "download", "malware", "hijacker", "monitoring", "installer", "masquerading", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "parked domain", "parking crew", "malware hosting", "dga parking", "msie", "cmd", "worm", "dga malvertizing" ], "references": [ "voyour-cams.xww.de", "https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/samples", "https://www.malwarebytes.com/blog/news/2022/10/raspberry-robin-worm-used-as-ransomware-prelude" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LokiBot", "display_name": "LokiBot", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "Roshtyak", "display_name": "Roshtyak", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1052.001", "name": "Exfiltration over USB", "display_name": "T1052.001 - Exfiltration over USB" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 81, "FileHash-SHA1": 83, "FileHash-SHA256": 3484, "URL": 7778, "domain": 2468, "hostname": 2348, "email": 2, "CVE": 1 }, "indicator_count": 16245, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "843 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64bfd25008236bd6f079e1f6", "name": "ACTIVIDAD MALICIOSA | Relacionada con Cobalt Strike 25-07-2023", "description": "Cobalt Strike es una herramienta usada para detectar vulnerabilidades de acceso al sistema. La herramienta en s\u00ed se usa normalmente para pruebas de software y para encontrar varios errores y fallos de seguridad. Sin embargo, el problema viene cuando los ciberdelincuentes se aprovechan de tales herramientas y Cobalt Strike no es una excepci\u00f3n Seg\u00fan la investigaci\u00f3n, esas personas env\u00edan cientos de miles de correos basura con adjuntos maliciosos Microsoft Word dise\u00f1ados para inyectar Cobalt Strike en el sistema.", "modified": "2023-08-24T13:04:55.815000", "created": "2023-07-25T13:46:56.393000", "tags": [ "cobalt strike", "cobaltstrike", "tencen", "alibab", "hwcsnet huawei", "cloud service", "limite", "kaopuhk kaopu", "cloud hk", "multaasn1 drbra", "discovery", "ta0005", "ta0003", "ta0009", "ta0004", "ta0007", "ta0008", "ta0001", "t1001", "t1003" ], "references": [ "https://www.pcrisk.es/guias-de-desinfeccion/9042-cobalt-strike-malware", "https://bazaar.abuse.ch/browse.php?search=signature%3ACobalt+Strike", "https://threatfox.abuse.ch/browse/malware/win.cobalt_strike/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 227, "domain": 7, "hostname": 22 }, "indicator_count": 256, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "1013 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.pcrisk.es/guias-de-desinfeccion/9042-cobalt-strike-malware", "https://www.malwarebytes.com/blog/news/2022/10/raspberry-robin-worm-used-as-ransomware-prelude", "https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/samples", "voyour-cams.xww.de", "https://bazaar.abuse.ch/browse.php?search=signature%3ACobalt+Strike", "https://threatfox.abuse.ch/browse/malware/win.cobalt_strike/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Lokibot", "Worm:win32/benjamin", "Ghost rat", "Raspberry robin", "Cobalt strike - s0154", "Roshtyak" ], "industries": [], "unique_indicators": 17166 } } }, "false_positive": [], "alexa": "", "whois": "http://whois.domaintools.com/172.245.27.233", "domain": "Unavailable", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "65a0194269f81650babf9b6c", "name": "Raspberry Robin | Hijacker | link: voyour-cams.xww.de | Monitoring", "description": "Raspberry Robin aka Worm.RaspberyRobin started out as an annoying, yet relatively low-profile threat that was often installed via USB drive.\nTo be able to act as a backdoor, malware needs to be active or you need to be able to trigger it remotely. Raspberry Robin gains persistence by adding itself to the RunOnce key in the CurrentUser registry hive of the user who executed the initial malware.\n\nBy using command-and-control (C2) servers hosted on Tor nodes the Raspberry Robin implant can be used to distribute other malware.", "modified": "2024-02-10T15:03:45.065000", "created": "2024-01-11T16:37:22.751000", "tags": [ "ssl certificate", "whois record", "contacted", "threat roundup", "historical ssl", "december", "october", "august", "referrer", "execution", "raspberry robin", "ghost rat", "service", "dtrack", "download", "malware", "hijacker", "monitoring", "installer", "masquerading", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "parked domain", "parking crew", "malware hosting", "dga parking", "msie", "cmd", "worm", "dga malvertizing" ], "references": [ "voyour-cams.xww.de", "https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/samples", "https://www.malwarebytes.com/blog/news/2022/10/raspberry-robin-worm-used-as-ransomware-prelude" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LokiBot", "display_name": "LokiBot", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "Roshtyak", "display_name": "Roshtyak", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1052.001", "name": "Exfiltration over USB", "display_name": "T1052.001 - Exfiltration over USB" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 81, "FileHash-SHA1": 83, "FileHash-SHA256": 3484, "URL": 7778, "domain": 2468, "hostname": 2348, "email": 2, "CVE": 1 }, "indicator_count": 16245, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "843 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64bfd25008236bd6f079e1f6", "name": "ACTIVIDAD MALICIOSA | Relacionada con Cobalt Strike 25-07-2023", "description": "Cobalt Strike es una herramienta usada para detectar vulnerabilidades de acceso al sistema. La herramienta en s\u00ed se usa normalmente para pruebas de software y para encontrar varios errores y fallos de seguridad. Sin embargo, el problema viene cuando los ciberdelincuentes se aprovechan de tales herramientas y Cobalt Strike no es una excepci\u00f3n Seg\u00fan la investigaci\u00f3n, esas personas env\u00edan cientos de miles de correos basura con adjuntos maliciosos Microsoft Word dise\u00f1ados para inyectar Cobalt Strike en el sistema.", "modified": "2023-08-24T13:04:55.815000", "created": "2023-07-25T13:46:56.393000", "tags": [ "cobalt strike", "cobaltstrike", "tencen", "alibab", "hwcsnet huawei", "cloud service", "limite", "kaopuhk kaopu", "cloud hk", "multaasn1 drbra", "discovery", "ta0005", "ta0003", "ta0009", "ta0004", "ta0007", "ta0008", "ta0001", "t1001", "t1003" ], "references": [ "https://www.pcrisk.es/guias-de-desinfeccion/9042-cobalt-strike-malware", "https://bazaar.abuse.ch/browse.php?search=signature%3ACobalt+Strike", "https://threatfox.abuse.ch/browse/malware/win.cobalt_strike/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 227, "domain": 7, "hostname": 22 }, "indicator_count": 256, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "1013 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://172.245.27.233/j.ad", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://172.245.27.233/j.ad", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780423887.5635512 }