{ "type": "URL", "indicator": "https://47.100.131.229/pixel.gif", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://47.100.131.229/pixel.gif", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3634428217, "indicator": "https://47.100.131.229/pixel.gif", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "65a0194269f81650babf9b6c", "name": "Raspberry Robin | Hijacker | link: voyour-cams.xww.de | Monitoring", "description": "Raspberry Robin aka Worm.RaspberyRobin started out as an annoying, yet relatively low-profile threat that was often installed via USB drive.\nTo be able to act as a backdoor, malware needs to be active or you need to be able to trigger it remotely. Raspberry Robin gains persistence by adding itself to the RunOnce key in the CurrentUser registry hive of the user who executed the initial malware.\n\nBy using command-and-control (C2) servers hosted on Tor nodes the Raspberry Robin implant can be used to distribute other malware.", "modified": "2024-02-10T15:03:45.065000", "created": "2024-01-11T16:37:22.751000", "tags": [ "ssl certificate", "whois record", "contacted", "threat roundup", "historical ssl", "december", "october", "august", "referrer", "execution", "raspberry robin", "ghost rat", "service", "dtrack", "download", "malware", "hijacker", "monitoring", "installer", "masquerading", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "parked domain", "parking crew", "malware hosting", "dga parking", "msie", "cmd", "worm", "dga malvertizing" ], "references": [ "voyour-cams.xww.de", "https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/samples", "https://www.malwarebytes.com/blog/news/2022/10/raspberry-robin-worm-used-as-ransomware-prelude" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LokiBot", "display_name": "LokiBot", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "Roshtyak", "display_name": "Roshtyak", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1052.001", "name": "Exfiltration over USB", "display_name": "T1052.001 - Exfiltration over USB" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 81, "FileHash-SHA1": 83, "FileHash-SHA256": 3484, "URL": 7778, "domain": 2468, "hostname": 2348, "email": 2, "CVE": 1 }, "indicator_count": 16245, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63f017041f697d73cca5e659", "name": "Twitter Feed - drb_ra - 17-02-2023", "description": "", "modified": "2023-03-20T00:01:17.081000", "created": "2023-02-18T00:08:36.727000", "tags": [ "CobaltStrike" ], "references": [ "https://twitter.com/drb_ra/status/1626407758051278849", "https://twitter.com/drb_ra/status/1626409577452281857", "https://twitter.com/drb_ra/status/1626409600898502657", "https://twitter.com/drb_ra/status/1626409840267481089", "https://twitter.com/drb_ra/status/1626553209757089795", "https://twitter.com/drb_ra/status/1626554110693482496", "https://twitter.com/drb_ra/status/1626558875712331777", "https://twitter.com/drb_ra/status/1626560141104496640", "https://twitter.com/drb_ra/status/1626561846089072641", "https://twitter.com/drb_ra/status/1626564430182989824", "https://twitter.com/drb_ra/status/1626586779062247424", "https://twitter.com/drb_ra/status/1626586846573760512", "https://twitter.com/drb_ra/status/1626587020603850754", "https://twitter.com/drb_ra/status/1626587203903295491", "https://twitter.com/drb_ra/status/1626587243774377984", "https://twitter.com/drb_ra/status/1626587383889293312", "https://twitter.com/drb_ra/status/1626587458489192451", "https://twitter.com/drb_ra/status/1626587739570450435", "https://twitter.com/drb_ra/status/1626589376997388293", "https://twitter.com/drb_ra/status/1626589472585560066", "https://twitter.com/drb_ra/status/1626589626134851586", "https://twitter.com/drb_ra/status/1626640908375453696", "https://twitter.com/drb_ra/status/1626641304758194188", "https://twitter.com/drb_ra/status/1626642301928759296", "https://twitter.com/drb_ra/status/1626642751314968576", "https://twitter.com/drb_ra/status/1626643280988340224", "https://twitter.com/drb_ra/status/1626643606478983171", "https://twitter.com/drb_ra/status/1626644572993425433", "https://twitter.com/drb_ra/status/1626645201866395660", "https://twitter.com/drb_ra/status/1626647260992835597", "https://twitter.com/drb_ra/status/1626648917751353345", "https://twitter.com/drb_ra/status/1626650630558257170", "https://twitter.com/drb_ra/status/1626652362667397126", "https://twitter.com/drb_ra/status/1626652541319581716", "https://twitter.com/drb_ra/status/1626654042821632000", "https://twitter.com/drb_ra/status/1626654106944213011", "https://twitter.com/drb_ra/status/1626655626074984449", "https://twitter.com/drb_ra/status/1626655968418271233", "https://twitter.com/drb_ra/status/1626672323376869378", "https://twitter.com/drb_ra/status/1626672400166182926", "https://twitter.com/drb_ra/status/1626672466582986770", "https://twitter.com/drb_ra/status/1626672611949174786", "https://twitter.com/drb_ra/status/1626672642353684491", "https://twitter.com/drb_ra/status/1626672701770194959", "https://twitter.com/drb_ra/status/1626672862386872337", "https://twitter.com/drb_ra/status/1626673209176121354", "https://twitter.com/drb_ra/status/1626673809393606679", "https://twitter.com/drb_ra/status/1626674178483970056", "https://twitter.com/drb_ra/status/1626674436467220489" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 51 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "1172 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://twitter.com/drb_ra/status/1626560141104496640", "https://twitter.com/drb_ra/status/1626672400166182926", "https://twitter.com/drb_ra/status/1626644572993425433", "https://twitter.com/drb_ra/status/1626409840267481089", "https://twitter.com/drb_ra/status/1626672323376869378", "https://twitter.com/drb_ra/status/1626564430182989824", "https://twitter.com/drb_ra/status/1626589376997388293", "https://twitter.com/drb_ra/status/1626558875712331777", "https://twitter.com/drb_ra/status/1626652362667397126", "https://twitter.com/drb_ra/status/1626587243774377984", "https://twitter.com/drb_ra/status/1626648917751353345", "https://twitter.com/drb_ra/status/1626640908375453696", "https://twitter.com/drb_ra/status/1626673209176121354", "https://twitter.com/drb_ra/status/1626674436467220489", "https://twitter.com/drb_ra/status/1626672862386872337", "https://twitter.com/drb_ra/status/1626587203903295491", "https://twitter.com/drb_ra/status/1626586846573760512", "https://twitter.com/drb_ra/status/1626587383889293312", "https://twitter.com/drb_ra/status/1626642301928759296", "https://twitter.com/drb_ra/status/1626672701770194959", "https://twitter.com/drb_ra/status/1626586779062247424", "https://twitter.com/drb_ra/status/1626641304758194188", "https://twitter.com/drb_ra/status/1626674178483970056", "https://twitter.com/drb_ra/status/1626554110693482496", "https://twitter.com/drb_ra/status/1626407758051278849", "https://twitter.com/drb_ra/status/1626589626134851586", "https://twitter.com/drb_ra/status/1626409600898502657", "https://twitter.com/drb_ra/status/1626672642353684491", "https://twitter.com/drb_ra/status/1626655968418271233", "https://twitter.com/drb_ra/status/1626561846089072641", "https://twitter.com/drb_ra/status/1626654042821632000", "https://twitter.com/drb_ra/status/1626553209757089795", "https://twitter.com/drb_ra/status/1626587020603850754", "https://twitter.com/drb_ra/status/1626645201866395660", "https://twitter.com/drb_ra/status/1626643606478983171", "https://www.malwarebytes.com/blog/news/2022/10/raspberry-robin-worm-used-as-ransomware-prelude", "https://twitter.com/drb_ra/status/1626650630558257170", "https://twitter.com/drb_ra/status/1626587458489192451", "https://twitter.com/drb_ra/status/1626654106944213011", "https://twitter.com/drb_ra/status/1626672466582986770", "https://twitter.com/drb_ra/status/1626589472585560066", "https://twitter.com/drb_ra/status/1626655626074984449", "https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/samples", "voyour-cams.xww.de", "https://twitter.com/drb_ra/status/1626652541319581716", "https://twitter.com/drb_ra/status/1626672611949174786", "https://twitter.com/drb_ra/status/1626587739570450435", "https://twitter.com/drb_ra/status/1626643280988340224", "https://twitter.com/drb_ra/status/1626673809393606679", "https://twitter.com/drb_ra/status/1626409577452281857", "https://twitter.com/drb_ra/status/1626647260992835597", "https://twitter.com/drb_ra/status/1626642751314968576" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Ghost rat", "Raspberry robin", "Worm:win32/benjamin", "Lokibot", "Roshtyak" ], "industries": [], "unique_indicators": 16853 } } }, "false_positive": [], "alexa": "", "whois": "http://whois.domaintools.com/47.100.131.229", "domain": "Unavailable", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "65a0194269f81650babf9b6c", "name": "Raspberry Robin | Hijacker | link: voyour-cams.xww.de | Monitoring", "description": "Raspberry Robin aka Worm.RaspberyRobin started out as an annoying, yet relatively low-profile threat that was often installed via USB drive.\nTo be able to act as a backdoor, malware needs to be active or you need to be able to trigger it remotely. Raspberry Robin gains persistence by adding itself to the RunOnce key in the CurrentUser registry hive of the user who executed the initial malware.\n\nBy using command-and-control (C2) servers hosted on Tor nodes the Raspberry Robin implant can be used to distribute other malware.", "modified": "2024-02-10T15:03:45.065000", "created": "2024-01-11T16:37:22.751000", "tags": [ "ssl certificate", "whois record", "contacted", "threat roundup", "historical ssl", "december", "october", "august", "referrer", "execution", "raspberry robin", "ghost rat", "service", "dtrack", "download", "malware", "hijacker", "monitoring", "installer", "masquerading", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "parked domain", "parking crew", "malware hosting", "dga parking", "msie", "cmd", "worm", "dga malvertizing" ], "references": [ "voyour-cams.xww.de", "https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/samples", "https://www.malwarebytes.com/blog/news/2022/10/raspberry-robin-worm-used-as-ransomware-prelude" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LokiBot", "display_name": "LokiBot", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "Roshtyak", "display_name": "Roshtyak", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1052.001", "name": "Exfiltration over USB", "display_name": "T1052.001 - Exfiltration over USB" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 81, "FileHash-SHA1": 83, "FileHash-SHA256": 3484, "URL": 7778, "domain": 2468, "hostname": 2348, "email": 2, "CVE": 1 }, "indicator_count": 16245, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "844 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63f017041f697d73cca5e659", "name": "Twitter Feed - drb_ra - 17-02-2023", "description": "", "modified": "2023-03-20T00:01:17.081000", "created": "2023-02-18T00:08:36.727000", "tags": [ "CobaltStrike" ], "references": [ "https://twitter.com/drb_ra/status/1626407758051278849", "https://twitter.com/drb_ra/status/1626409577452281857", "https://twitter.com/drb_ra/status/1626409600898502657", "https://twitter.com/drb_ra/status/1626409840267481089", "https://twitter.com/drb_ra/status/1626553209757089795", "https://twitter.com/drb_ra/status/1626554110693482496", "https://twitter.com/drb_ra/status/1626558875712331777", "https://twitter.com/drb_ra/status/1626560141104496640", "https://twitter.com/drb_ra/status/1626561846089072641", "https://twitter.com/drb_ra/status/1626564430182989824", "https://twitter.com/drb_ra/status/1626586779062247424", "https://twitter.com/drb_ra/status/1626586846573760512", "https://twitter.com/drb_ra/status/1626587020603850754", "https://twitter.com/drb_ra/status/1626587203903295491", "https://twitter.com/drb_ra/status/1626587243774377984", "https://twitter.com/drb_ra/status/1626587383889293312", "https://twitter.com/drb_ra/status/1626587458489192451", "https://twitter.com/drb_ra/status/1626587739570450435", "https://twitter.com/drb_ra/status/1626589376997388293", "https://twitter.com/drb_ra/status/1626589472585560066", "https://twitter.com/drb_ra/status/1626589626134851586", "https://twitter.com/drb_ra/status/1626640908375453696", "https://twitter.com/drb_ra/status/1626641304758194188", "https://twitter.com/drb_ra/status/1626642301928759296", "https://twitter.com/drb_ra/status/1626642751314968576", "https://twitter.com/drb_ra/status/1626643280988340224", "https://twitter.com/drb_ra/status/1626643606478983171", "https://twitter.com/drb_ra/status/1626644572993425433", "https://twitter.com/drb_ra/status/1626645201866395660", "https://twitter.com/drb_ra/status/1626647260992835597", "https://twitter.com/drb_ra/status/1626648917751353345", "https://twitter.com/drb_ra/status/1626650630558257170", "https://twitter.com/drb_ra/status/1626652362667397126", "https://twitter.com/drb_ra/status/1626652541319581716", "https://twitter.com/drb_ra/status/1626654042821632000", "https://twitter.com/drb_ra/status/1626654106944213011", "https://twitter.com/drb_ra/status/1626655626074984449", "https://twitter.com/drb_ra/status/1626655968418271233", "https://twitter.com/drb_ra/status/1626672323376869378", "https://twitter.com/drb_ra/status/1626672400166182926", "https://twitter.com/drb_ra/status/1626672466582986770", "https://twitter.com/drb_ra/status/1626672611949174786", "https://twitter.com/drb_ra/status/1626672642353684491", "https://twitter.com/drb_ra/status/1626672701770194959", "https://twitter.com/drb_ra/status/1626672862386872337", "https://twitter.com/drb_ra/status/1626673209176121354", "https://twitter.com/drb_ra/status/1626673809393606679", "https://twitter.com/drb_ra/status/1626674178483970056", "https://twitter.com/drb_ra/status/1626674436467220489" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 51 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "1172 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://47.100.131.229/pixel.gif", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://47.100.131.229/pixel.gif", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780532087.0162797 }