{
"type": "URL",
"indicator": "https://cdpapi.slurrp.com",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://cdpapi.slurrp.com",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3427296890,
"indicator": "https://cdpapi.slurrp.com",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 27,
"pulses": [
{
"id": "6671e5844c155814e69ba4dd",
"name": "Mirai Botnet Injection affecting Alienvault.",
"description": "It's unclear if some users or service itself is injecting users or if service is under a Mirai attack. I found evidence of both outbound & inbound activities. *Crowdsourced context: Activity related to MIRAI - according to source Cluster25 - \nThis IPV4 is used by MIRAI. Mirai is a malware that created a big botnet of networked devices running Linux making them remotely controlled bots that can be used for large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.\n#zbetcheckin tracker\nDownloaded on 2023-11-07 19:34:59 UTC\nSRC URL : http://171.228.209.167/x86_64\nIP : 171.228.209.167\nAS : AS7552 Viettel Group\nYARA : #contentis_base64 #debuggerpattern__rdtsc #ip #math_entropy_6 #is__elf #http #ft_elf #executable_elf64",
"modified": "2024-07-18T19:02:50.386000",
"created": "2024-06-18T19:52:36.849000",
"tags": [
"problems",
"threat network",
"infrastructure",
"historical ssl",
"microsoft stuff",
"domain check",
"referrer",
"generic malware",
"injector",
"no data",
"tag count",
"fri mar",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"downloader",
"generic",
"united",
"as14315",
"passive dns",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"urls",
"files",
"america asn",
"unknown",
"ransom",
"body",
"coinminer",
"malware generic",
"wed jan",
"first",
"status",
"creation date",
"search",
"date",
"expiration date",
"name servers",
"next",
"mirai",
"yara detections",
"filehash",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"reverse dns",
"location lao",
"viet nam",
"domain",
"all search",
"otx scoreblue",
"hostname",
"files ip",
"lazarus",
"as7552 viettel",
"vietnam unknown",
"win32",
"worm",
"win32sfone jul",
"vietnam",
"etag",
"telecom",
"as16625 akamai",
"as20940",
"germany",
"united kingdom",
"singapore",
"as20546 soprado",
"hong kong",
"as45102 alibaba",
"taobao network",
"cname",
"aaaa",
"entries",
"showing",
"a domains",
"as38731 vietel",
"plesk",
"a li",
"default page",
"plesk a",
"mirai variant",
"useragent",
"apache",
"accept",
"hello",
"create c",
"read c",
"delete",
"write",
"default",
"create",
"show",
"medium",
"dock",
"execution",
"copy",
"xport",
"address",
"as131392",
"cape",
"orsam",
"malware",
"script urls",
"moved",
"record value",
"cisco umbrella",
"site",
"heur",
"alexa top",
"safe site",
"million",
"malicious site",
"phishing site",
"malicious url",
"opencandy",
"exploit",
"agent",
"phishing",
"acint",
"iframe",
"crack",
"conduit",
"artemis",
"riskware",
"mimikatz",
"swrort",
"downldr",
"systweak",
"behav",
"tiggre",
"genkryptik",
"presenoker",
"filetour",
"cleaner",
"wacatac",
"outbreak",
"installcore",
"iobit",
"rostpay",
"dropper",
"mediaget",
"related pulses",
"whois",
"related",
"msil",
"zombie",
"dridex",
"location viet",
"pulse submit",
"url analysis",
"content",
"google tag",
"utc gcfezl5ynvb",
"utc na",
"utc google",
"analytics na",
"utc linkedin",
"insight tag",
"deep malware",
"iframes",
"trackers",
"external-resources",
"text/html",
"elf info",
"header class",
"elf64 data",
"header version",
"os abi",
"unix",
"v object",
"file type",
"exec",
"executable file",
"progbits",
"type address",
"offset size",
"flags",
"null",
"nobits",
"strtab",
"ip detections",
"country",
"us bundled",
"detections file",
"name",
"graph summary",
"get hello",
"jaws webserver",
"outbound",
"mvpower dvr",
"shell uce",
"inbound",
"activity mirai",
"mirai",
"info",
"performs dns",
"mitre att",
"access ta0006",
"os credential",
"dumping t1003",
"enumerates",
"command",
"control ta0011",
"protocol t1071",
"protocol t1095",
"relacionada",
"mirai malware",
"mirai 04022024",
"nciipc",
"ip reputaion",
"msie",
"windows nt",
"slcc2",
"media center",
"china as37963",
"simplified",
"trojanspy",
"virustotal",
"panda",
"detections type",
"shell",
"javascript",
"dns replication",
"files referring",
"lookups",
"as7552",
"vhash",
"ssdeep",
"magic elf",
"sysv",
"trid elf",
"executable",
"linux",
"elf executable",
"loccel1",
"echobot",
"bashlite",
"malwarebazaar",
"echobot malware",
"win32 exe",
"magic msdos",
"pe32 executable",
"intel",
"ms windows",
"trid dos",
"compiler",
"delphi",
"serial number",
"algorithm",
"thumbprint",
"valid from",
"code signing",
"from",
"microsoft root",
"name microsoft",
"verisign time",
"stamping",
"contained",
"info sections",
"name virtual",
"address virtual",
"size raw",
"size entropy",
"md5 chi2",
"regsetvalueexa",
"type rtrcdata",
"sha256 file",
"threat roundup",
"october",
"august",
"june",
"september",
"highly targeted",
"cyberstalking",
"round",
"december",
"sneaky server",
"facebook",
"stealer",
"agent tesla",
"pony",
"april",
"whitelisted",
"encrypt",
"targeting",
"tsara brashears",
"otx",
"alienvault",
"memcommit",
"regsz",
"regopenkeyexw",
"english",
"module load",
"t1129",
"t1082",
"windows module",
"dlls",
"redline stealer",
"updater",
"v3 serial",
"number",
"subject public",
"key info",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"data redacted",
"cloudflare",
"redacted",
"for privacy",
"code",
"server",
"registrar abuse",
"redacted for",
"postal code",
"registrant name",
"red team",
"shit",
"logistics",
"cyber defense",
"gootloader",
"march",
"sinkhole",
"just",
"ramnit",
"netsupport rat",
"microsoft",
"vault",
"karen",
"gifts",
"hidden privacy",
"threats",
"malicious",
"darkgate",
"core",
"hacktool",
"emotet"
],
"references": [
"https://botnet.ngocronglau.xyz > link discovered by an Alienvault user who notified me they found it researching message from am active user.",
"https://otx.alienvault.com/indicator/file/02b19639ad1efa59e77f45d130447c05bd2466e26a657cb9cc6ac2e8b30a0026",
"https://otx.alienvault.com/indicator/file/001546d210a35b7c4c072b6c265f621cf4a9abdd152741d9b58deae2be204355",
"https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz",
"Unix.Mirai Botnet: https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz",
"CnC IP: https://otx.alienvault.com/indicator/ip/142.202.242.45",
"https://otx.alienvault.com/indicator/domain/bunny.net",
"https://otx.alienvault.com/indicator/ip/210.211.117.205",
"https://otx.alienvault.com/indicator/ip/143.244.50.212",
"https://otx.alienvault.com/indicator/ip/125.235.4.59",
"AV Detection: ELF:Mirai-GH\\ [Trj]",
"IDS Detections: MVPower DVR Shell UCE Mirai | Variant User-Agent (Outbound) JAWS Webserver Unauthenticated Shell Command Execution",
"IDS Detections: Huawei Remote Command Execution (CVE-2017-17215) Huawei Remote Command Execution - Outbound (CVE-2017-17215) Huawei HG532 RCE Vulnerability (CVE-2017-17215) Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World) 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST",
"IDS Detections: Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World)",
"IDS Detections: 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST) ...",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication network_cnc_http network_http p2p_cnc writes_to_stdout",
"Matches rule Linux_Trojan_Mirai_6a77af0f from ruleset Linux_Trojan_Mirai by Elastic Security | botnet.ngocronglau.xyz",
"https://otx.alienvault.com/indicator/file/2b5deac6176124ee1f7d237f070c39b03c964fce9a9fba0aaa1bce102710d2e0",
"cu-payment-porch.pdv-3.ap-southeast-2.production.jet-external.com | qa.proxy.cognito.tigomoney.io | https://trackon.fr/track/clique",
"Crowdsourced YARA rules Matches: rule INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen",
"Crowdsourced YARA rules Matches: INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen",
"Crowdsourced YARA rules Matches: SUSP_Unsigned_OSPPSVC from ruleset gen_sign_anomalies by Florian Roth (Nextron Systems",
"Crowdsourced YARA rules Matches: IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems)",
"Crowdsourced YARA rules Matches: Matches rule IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"wallpapers-nature.com",
"Was anyone else notified? I'm not sure why I was.",
"Through research I did notice many references to target I'm researching for. Phishing/Injection attempt? I didn't click on links.",
"CS Sigma: Matches rule Python Initiated Connection by frack113"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "Unix.Trojan.Mirai-9441505-0",
"display_name": "Unix.Trojan.Mirai-9441505-0",
"target": null
},
{
"id": "ALF:E5.SpikeAex.rhh_mcv",
"display_name": "ALF:E5.SpikeAex.rhh_mcv",
"target": null
},
{
"id": "Win.Dropper.Bulz-9910065-0",
"display_name": "Win.Dropper.Bulz-9910065-0",
"target": null
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Win.Dropper.Autoit-6688751-0",
"display_name": "Win.Dropper.Autoit-6688751-0",
"target": null
},
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "Win.Dropper.Dridex-9986041-0",
"display_name": "Win.Dropper.Dridex-9986041-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Zombie",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Zombie",
"target": null
},
{
"id": "Win.Packer.pkr_ce1a-9980177-0",
"display_name": "Win.Packer.pkr_ce1a-9980177-0",
"target": null
},
{
"id": "Worm:Win32/Sfone.A",
"display_name": "Worm:Win32/Sfone.A",
"target": "/malware/Worm:Win32/Sfone.A"
},
{
"id": "Worm:Win32/Sfone",
"display_name": "Worm:Win32/Sfone",
"target": "/malware/Worm:Win32/Sfone"
},
{
"id": "Win.Malware.Bbabdcdc-7358312-0",
"display_name": "Win.Malware.Bbabdcdc-7358312-0",
"target": null
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "trojan.mirai/fszhh",
"display_name": "trojan.mirai/fszhh",
"target": null
},
{
"id": "DDOS:Linux/Mirai",
"display_name": "DDOS:Linux/Mirai",
"target": "/malware/DDOS:Linux/Mirai"
},
{
"id": "ANDROID/AVE.Mirai.fszhh",
"display_name": "ANDROID/AVE.Mirai.fszhh",
"target": null
},
{
"id": "Flyagent L",
"display_name": "Flyagent L",
"target": null
},
{
"id": "Win-Trojan/Malpacked5.Gen",
"display_name": "Win-Trojan/Malpacked5.Gen",
"target": null
},
{
"id": "Atros3.LDJ",
"display_name": "Atros3.LDJ",
"target": null
},
{
"id": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted",
"display_name": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted",
"target": null
},
{
"id": "TrojanSpy:Win32/Gucotut.A",
"display_name": "TrojanSpy:Win32/Gucotut.A",
"target": "/malware/TrojanSpy:Win32/Gucotut.A"
},
{
"id": "W32/Pidgeon-A",
"display_name": "W32/Pidgeon-A",
"target": null
},
{
"id": "Variant.Zusy.151902",
"display_name": "Variant.Zusy.151902",
"target": null
},
{
"id": "trojan.mirai/fedr",
"display_name": "trojan.mirai/fedr",
"target": null
},
{
"id": "Win.Malware.Trojanx-9862538-0",
"display_name": "Win.Malware.Trojanx-9862538-0",
"target": null
},
{
"id": "Win32:PWSX-gen\\ [Trj]",
"display_name": "Win32:PWSX-gen\\ [Trj]",
"target": null
},
{
"id": "virus.ramnit/nimnul",
"display_name": "virus.ramnit/nimnul",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 51,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 351,
"FileHash-SHA1": 349,
"FileHash-SHA256": 3715,
"domain": 3326,
"hostname": 5200,
"URL": 13151,
"email": 9,
"CVE": 7,
"CIDR": 2
},
"indicator_count": 26110,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 243,
"modified_text": "640 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570913a03b8f1cdc6abe32e",
"name": "btloader.com - yep clean as a babies bum",
"description": "",
"modified": "2023-12-06T15:20:26.615000",
"created": "2023-12-06T15:20:26.615000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 546,
"domain": 162,
"URL": 1042,
"hostname": 282,
"FileHash-MD5": 251,
"FileHash-SHA1": 224
},
"indicator_count": 2507,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657090fe5e8c659c7e5cb094",
"name": "http://e.ca/?e.ca=!1:f.stopPropagation - is there no end to this shit RU/CN/UA/GB/ net sh",
"description": "",
"modified": "2023-12-06T15:19:26.152000",
"created": "2023-12-06T15:19:26.152000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1091,
"hostname": 702,
"URL": 1728,
"domain": 279,
"CVE": 2,
"FileHash-MD5": 50,
"FileHash-SHA1": 46
},
"indicator_count": 3898,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657090e5dc9b2e91369b6c56",
"name": "bunch of KR muck",
"description": "",
"modified": "2023-12-06T15:19:01.428000",
"created": "2023-12-06T15:19:01.428000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 632,
"hostname": 227,
"domain": 101,
"URL": 496
},
"indicator_count": 1456,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657090132deb7fd89b09d555",
"name": "a whole bunch of hell effected by the recent mozilla/firefox vulns",
"description": "",
"modified": "2023-12-06T15:15:31.177000",
"created": "2023-12-06T15:15:31.177000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 825,
"domain": 308,
"URL": 2036,
"FileHash-SHA256": 2141
},
"indicator_count": 5310,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708fdef7d4b5483117bb67",
"name": "BINGO \ud83d\udea8\ud83d\udea8\ud83d\udea8 VT Graph json upload of UBotBrowser.exe - 20.99.132.105 - 33 collections - minecraft instances",
"description": "",
"modified": "2023-12-06T15:14:38.824000",
"created": "2023-12-06T15:14:38.824000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 812,
"domain": 110,
"hostname": 502,
"URL": 1437
},
"indicator_count": 2861,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708e0601ea9f27bdebdf4b",
"name": "Merry Christmas RUs Chasers",
"description": "",
"modified": "2023-12-06T15:06:45.654000",
"created": "2023-12-06T15:06:45.654000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1727,
"CVE": 1,
"domain": 1477,
"URL": 4663,
"hostname": 1110
},
"indicator_count": 8978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708d3fec7eeee20ce02403",
"name": "www.access.service.gov.uk - http mal apple .crl fake godaddy asn and execution via chronme log file - total carnage",
"description": "",
"modified": "2023-12-06T15:03:27.390000",
"created": "2023-12-06T15:03:27.390000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"FileHash-SHA256": 1374,
"hostname": 792,
"domain": 517,
"URL": 1529,
"FileHash-MD5": 81,
"FileHash-SHA1": 71
},
"indicator_count": 4366,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708cf911f044ba6f739580",
"name": "Infections start here 91.195.240.226-as47846- SEDO-DE - aid www.bbb.org",
"description": "",
"modified": "2023-12-06T15:02:16.933000",
"created": "2023-12-06T15:02:16.933000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 610,
"URL": 1279,
"email": 2,
"hostname": 375,
"domain": 172,
"FileHash-MD5": 99,
"FileHash-SHA1": 81,
"CVE": 1
},
"indicator_count": 2619,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708c4f41727d49d783b766",
"name": "RU KR .fill your boots -jaon file from vt graph 194.105.148.87",
"description": "",
"modified": "2023-12-06T14:59:27.563000",
"created": "2023-12-06T14:59:27.563000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 858,
"hostname": 589,
"URL": 2061,
"domain": 301
},
"indicator_count": 3809,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708c01dca4e6c505e4fca0",
"name": "Hostgator - whitelisted",
"description": "",
"modified": "2023-12-06T14:58:09.135000",
"created": "2023-12-06T14:58:09.135000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 692,
"hostname": 1339,
"domain": 1260,
"URL": 4622,
"FileHash-MD5": 3,
"FileHash-SHA1": 1
},
"indicator_count": 7917,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62f5310de81e9c86719c4606",
"name": "empr.online",
"description": "",
"modified": "2022-09-10T00:03:24.542000",
"created": "2022-08-11T16:40:45.460000",
"tags": [
"naser rony",
"alles sehr",
"aber zuerst",
"zusammen",
"nummern",
"brnette",
"blondine",
"es wre",
"reply lisa",
"parker lisa",
"empr.online"
],
"references": [
"comments on security weekly from episode on 10 Aug 2022",
"Naser Rony Naser Rony 11 hours ago Alles sehr sch\u00f6n. Aber zuerst zusammen die Nummern 10 und 1. Eine empr.ONLINE Br\u00fcnette und eine anderec Blondine. Es w\u00e4re unfair, wenn ich 4 w\u00e4hlen w\u00fcrde REPLY Lisa Parker Lisa Parker 10 hours ago \u2764Only for fans over 18 year\u2935\ufe0f Alles sehr sch\u00f6n. Aber zuerst zusammen die Nummern 10 und 1. Eine warmthhh.Online Br\u00fcnette und eine andere"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 3124,
"URL": 5818,
"hostname": 2126,
"FileHash-SHA256": 1401,
"CVE": 3,
"FileHash-MD5": 156,
"FileHash-SHA1": 135
},
"indicator_count": 12763,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 392,
"modified_text": "1317 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62f2cd9eb0a80cca60963a40",
"name": "btloader.com - yep clean as a babies bum",
"description": "",
"modified": "2022-09-08T00:01:12.540000",
"created": "2022-08-09T21:11:58.646000",
"tags": [
"dongfangtoutiao",
"higeshi",
"kuaizip",
"\": [ \"http://dl.baofeng.com/baofeng5/bf5_new.exe\" ], \"match\": []"
],
"references": [
"g110e315c6ce34a02a043f315490fd5ba3975905f72874717b06e3de696641216.json",
"https://www.virustotal.com/graph/g110e315c6ce34a02a043f315490fd5ba3975905f72874717b06e3de696641216"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 162,
"hostname": 282,
"FileHash-SHA256": 546,
"URL": 1042,
"FileHash-MD5": 251,
"FileHash-SHA1": 224
},
"indicator_count": 2507,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 394,
"modified_text": "1319 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62ea85a0fe61cd1af7f223a4",
"name": "http://e.ca/?e.ca=!1:f.stopPropagation - is there no end to this shit RU/CN/UA/GB/ net sh",
"description": "CVE-2021-22941\nCVE-2017-8977",
"modified": "2022-09-02T00:00:40.172000",
"created": "2022-08-03T14:26:40.603000",
"tags": [
"http://e.ca/?e.ca=!1:f.stopPropagation",
"CVE-2021-22941",
"CVE-2017-8977"
],
"references": [
"https://hybrid-analysis.com/sample/82b38c9312deb8005122fb331f52898190ac29e26bd464b169f4c60599836f14/62e9cf2b9226df6fea34c0de",
"CVE-2021-22941",
"http://e.ca/?e.ca=!1:f.stopPropagation",
"CVE-2017-8977",
"https://books.google.co.uk/books?id=S3kWAAAAIAAJ&dq=university%2Bof%2Bhuesca&pg=PR3&redir_esc=y#v%3Donepage%26q%3Duniversity%20of%20huesca%26f%3Dfalse"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1091,
"hostname": 702,
"URL": 1728,
"domain": 279,
"CVE": 2,
"FileHash-MD5": 50,
"FileHash-SHA1": 46
},
"indicator_count": 3898,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 393,
"modified_text": "1325 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62e5b8d7e77537fbb1629232",
"name": "dnserver.co.kr",
"description": "",
"modified": "2022-08-29T00:01:52.177000",
"created": "2022-07-30T23:03:51.135000",
"tags": [
"http://www.qy0531.com/gb513376_1473435.htm",
"kr"
],
"references": [
"http://www.qy0531.com/gb513376_1473435.htm"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1933,
"hostname": 648,
"domain": 741,
"FileHash-SHA256": 250
},
"indicator_count": 3572,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 392,
"modified_text": "1329 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62e30981f283ef6de2035dce",
"name": "bunch of KR muck",
"description": "",
"modified": "2022-08-27T00:02:51.006000",
"created": "2022-07-28T22:11:13.491000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 632,
"URL": 496,
"hostname": 227,
"domain": 101
},
"indicator_count": 1456,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 393,
"modified_text": "1331 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62dd3c2d995db8d35f0b4e48",
"name": "How tracker/3rd party abuse translates to much bigger crime netw",
"description": "ooo I wonder how much malware is being delivered by numerous means masked in whitelisted and false positive ip's",
"modified": "2022-08-23T00:02:12.321000",
"created": "2022-07-24T12:33:49.953000",
"tags": [],
"references": [
"VT graph Json upload to otx",
"https://www.virustotal.com/graph/g4655ac448333498bac4fb8b20fed4be62d42ea86d1824fcd9401ba5b30027f57",
"can no longer create collections in account - get exceeded api allowance even on just 28 req's in 24 hours",
"https://udc-neb.kampyle.com/v1/qceuv8449dzg58ptt1bhda9g8ue19c7s/track"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1137,
"domain": 138,
"hostname": 421,
"FileHash-SHA256": 893,
"CVE": 1
},
"indicator_count": 2590,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 393,
"modified_text": "1335 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62c035df9d1c1df8ca3fcaea",
"name": "a whole bunch of hell effected by the recent mozilla/firefox vulns",
"description": "",
"modified": "2022-08-01T00:01:42.977000",
"created": "2022-07-02T12:11:11.592000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 825,
"FileHash-SHA256": 2141,
"domain": 308,
"URL": 2036
},
"indicator_count": 5310,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 396,
"modified_text": "1357 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62bb7b6820f1de44d02cdc75",
"name": "eset.rosconnect.ru -VT Graph JSON upload",
"description": "",
"modified": "2022-07-28T00:02:14.384000",
"created": "2022-06-28T22:06:32.059000",
"tags": [
"https://www.virustotal.com/graph/gebaa4d3d53cd4a3ea2559b9b96332a",
"CVE-2017-11882"
],
"references": [
"CVE-2017-11882",
"https://www.virustotal.com/graph/gebaa4d3d53cd4a3ea2559b9b96332ac7139ae27294bc4bc2ba9728cdd62917f9"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 1,
"URL": 535,
"hostname": 128,
"FileHash-SHA256": 236,
"domain": 197
},
"indicator_count": 1097,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 392,
"modified_text": "1361 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62bb08310a8957d97aa23c30",
"name": "BINGO \ud83d\udea8\ud83d\udea8\ud83d\udea8 VT Graph json upload of UBotBrowser.exe - 20.99.132.105 - 33 collections - minecraft instances",
"description": "",
"modified": "2022-07-28T00:02:14.384000",
"created": "2022-06-28T13:54:57.927000",
"tags": [
"entity",
"ubotbrowser",
"20.99.132.105",
"minecraft"
],
"references": [
"https://www.virustotal.com/graph/g57851267a0734f7fab3824bb4cca5cb9afab6573d8fa4b54a4f624390f9ba0bc"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 502,
"URL": 1437,
"domain": 110,
"FileHash-SHA256": 812
},
"indicator_count": 2861,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 398,
"modified_text": "1361 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62a3caaca484317351c448ba",
"name": "JavaAppletPlugin.plugin.zip..... Downloaded from Oracle Website",
"description": "JAVA??? \n\nThe full text of the text below: \u00c2\u00a31.3bn, 1.8bn euros, 2.4bn pence, or \u00a32.2bn llyb.",
"modified": "2022-07-10T00:00:39.429000",
"created": "2022-06-10T22:50:20.127000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "W32/BotNet.K",
"display_name": "W32/BotNet.K",
"target": null
},
{
"id": "AVG Win32:Agent-ADAU [Trj]",
"display_name": "AVG Win32:Agent-ADAU [Trj]",
"target": null
},
{
"id": "malicious.2a7bf4",
"display_name": "malicious.2a7bf4",
"target": null
},
{
"id": "AI:FileInfector.A44F3C4816",
"display_name": "AI:FileInfector.A44F3C4816",
"target": null
},
{
"id": "W32/Botgor.A",
"display_name": "W32/Botgor.A",
"target": null
},
{
"id": "Trojan.Malware.121218.susgen",
"display_name": "Trojan.Malware.121218.susgen",
"target": null
},
{
"id": "Static AI - Malicious PE",
"display_name": "Static AI - Malicious PE",
"target": null
},
{
"id": "Worm.Win32.Burn.a",
"display_name": "Worm.Win32.Burn.a",
"target": null
},
{
"id": "BKDR_BOTGOR.SML",
"display_name": "BKDR_BOTGOR.SML",
"target": null
},
{
"id": "Win32.Backdoor.Agent.A",
"display_name": "Win32.Backdoor.Agent.A",
"target": null
},
{
"id": "BScope.Backdoor.Botgor",
"display_name": "BScope.Backdoor.Botgor",
"target": null
},
{
"id": "Worm/Win32.Burn.R34863",
"display_name": "Worm/Win32.Burn.R34863",
"target": null
},
{
"id": "Backdoor:Win32/Botgor.B",
"display_name": "Backdoor:Win32/Botgor.B",
"target": "/malware/Backdoor:Win32/Botgor.B"
},
{
"id": "Backdoor.Win32.Agent.ka!s1",
"display_name": "Backdoor.Win32.Agent.ka!s1",
"target": null
},
{
"id": "BDS/Agent.qva",
"display_name": "BDS/Agent.qva",
"target": null
},
{
"id": "Backdoor/Agent.bfic",
"display_name": "Backdoor/Agent.bfic",
"target": null
},
{
"id": "Win32.Trojan.Botgor.A",
"display_name": "Win32.Trojan.Botgor.A",
"target": null
},
{
"id": "Win32.ProcessHijack",
"display_name": "Win32.ProcessHijack",
"target": null
},
{
"id": "BackDoor.Siggen.46270",
"display_name": "BackDoor.Siggen.46270",
"target": null
},
{
"id": "Backdoor.Win32.Agent.~APQ@4ud5h",
"display_name": "Backdoor.Win32.Agent.~APQ@4ud5h",
"target": null
},
{
"id": "Virus.Botgor!1.D115 (CLASSIC)",
"display_name": "Virus.Botgor!1.D115 (CLASSIC)",
"target": null
},
{
"id": "Backdoor.Win32.Agent.117760.B",
"display_name": "Backdoor.Win32.Agent.117760.B",
"target": null
},
{
"id": "Worm:Win32/Botgor.18ddf561",
"display_name": "Worm:Win32/Botgor.18ddf561",
"target": "/malware/Worm:Win32/Botgor.18ddf561"
},
{
"id": "Worm.Win32.Burn.b",
"display_name": "Worm.Win32.Burn.b",
"target": null
},
{
"id": "Win.Malware.Botgor-9853222-0",
"display_name": "Win.Malware.Botgor-9853222-0",
"target": null
},
{
"id": "generic.ml",
"display_name": "generic.ml",
"target": null
},
{
"id": "ML.Attribute.HighConfidence",
"display_name": "ML.Attribute.HighConfidence",
"target": null
},
{
"id": "W32/Backdoor.UQUT-0945",
"display_name": "W32/Backdoor.UQUT-0945",
"target": null
},
{
"id": "win/malicious_confidence_100% (W)",
"display_name": "win/malicious_confidence_100% (W)",
"target": null
},
{
"id": "Trojan ( 000569271 )",
"display_name": "Trojan ( 000569271 )",
"target": null
},
{
"id": "Worm.Win32.Burn.tnPX",
"display_name": "Worm.Win32.Burn.tnPX",
"target": null
},
{
"id": "W32.AIDetect.malware2",
"display_name": "W32.AIDetect.malware2",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "MarceeS26",
"id": "133143",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1382,
"hostname": 314,
"FileHash-SHA256": 1009,
"domain": 46,
"FileHash-MD5": 163,
"FileHash-SHA1": 612
},
"indicator_count": 3526,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 73,
"modified_text": "1379 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62802e2a51e813c6db82758f",
"name": "Merry Christmas RUs Chasers",
"description": "",
"modified": "2022-06-13T00:00:32.864000",
"created": "2022-05-14T22:33:14.346000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1727,
"hostname": 1110,
"URL": 4663,
"domain": 1477,
"CVE": 1
},
"indicator_count": 8978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 396,
"modified_text": "1406 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62727ce7b14807e910b72bb7",
"name": "www.access.service.gov.uk - http mal apple .crl fake godaddy asn and execution via chronme log file - total carnage",
"description": "and that 72 ip at edgcast thats listed as false positive....\n\ud83e\udee2\ud83e\udd2f\ud83e\udd2c everything communucating with it is MALICIOUS and font and lang file corruption means the www is causing it!!!",
"modified": "2022-06-03T00:01:00.120000",
"created": "2022-05-04T13:17:27.444000",
"tags": [],
"references": [
"https://hybrid-analysis.com/sample/fcf01007f38956f164a86deda652684fe6c76c41db32f5ac38a43712615154dc/6271a3fc12c9eb6e7053caf1"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1529,
"hostname": 792,
"domain": 517,
"FileHash-SHA256": 1374,
"CVE": 2,
"FileHash-MD5": 81,
"FileHash-SHA1": 71
},
"indicator_count": 4366,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 397,
"modified_text": "1416 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "626c6f418117c4b20d0706e3",
"name": "Infections start here 91.195.240.226-as47846- SEDO-DE - aid www.bbb.org",
"description": "",
"modified": "2022-05-29T00:01:17.829000",
"created": "2022-04-29T23:05:37.269000",
"tags": [
"91.195.240.226",
"domain parks",
"sedo",
"chained malware",
".rel XML",
"2013"
],
"references": [
"https://hybrid-analysis.com/sample/bb17013c1d9f8e01d55b92a7cefaf20372d1c2a3483ed1d00cce091a2d30cea9/5f97708faf83fa51aa3b74de",
"https://hybrid-analysis.com/sample/d6f4e7d29e7b460e67eb5eead3e07ace89682cb8f6c5c62172ec3f46b91f88c6/60e75be8ffad6735563f1a72"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dorkingbeauty1",
"id": "80137",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1279,
"FileHash-SHA256": 610,
"domain": 172,
"hostname": 375,
"CVE": 1,
"FileHash-MD5": 99,
"FileHash-SHA1": 81,
"email": 2
},
"indicator_count": 2619,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 397,
"modified_text": "1421 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6265af4c6414d087b17443cc",
"name": "google gmail account login source code for UK teenage account",
"description": "",
"modified": "2022-05-25T00:04:03.622000",
"created": "2022-04-24T20:13:00.304000",
"tags": [],
"references": [
" link discovered by an Alienvault user who notified me they found it researching message from am active user.",
"Matches rule Linux_Trojan_Mirai_6a77af0f from ruleset Linux_Trojan_Mirai by Elastic Security | botnet.ngocronglau.xyz",
"AV Detection: ELF:Mirai-GH\\ [Trj]",
"IDS Detections: MVPower DVR Shell UCE Mirai | Variant User-Agent (Outbound) JAWS Webserver Unauthenticated Shell Command Execution",
"Unix.Mirai Botnet: https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz",
"https://www.googletagmanager.com/gtag/js?id=G-SXR89SKRRS&l=dataLayer&cx=c",
"IDS Detections: Huawei Remote Command Execution (CVE-2017-17215) Huawei Remote Command Execution - Outbound (CVE-2017-17215) Huawei HG532 RCE Vulnerability (CVE-2017-17215) Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World) 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST",
"https://bat.bing.com/bat.js",
"https://www.virustotal.com/graph/g57851267a0734f7fab3824bb4cca5cb9afab6573d8fa4b54a4f624390f9ba0bc"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"W32/botgor.a",
"Worm/win32.burn.r34863",
"Elf:mirai-gh\\ [trj]",
"Bscope.backdoor.botgor",
"Reduceright",
"Worm:win32/botgor.18ddf561",
"Hj",
"Trojan.malware.121218.susgen",
"Bds/agent.qva",
"Generic",
"Ddos:linux/mirai",
"Generic.ml",
"Unix.trojan.mirai-9441505-0",
"Worm.win32.burn.b",
"Backdoor:win32/botgor.b",
"Ml.attribute.highconfidence",
"Backdoor.win32.agent.~apq@4ud5h",
"A variant of win32/flystudio.packed.ad potentially unwanted",
"Alf:heraklezeval:trojan:win32/clipbanker",
"Win32.processhijack",
"Win.packer.pkr_ce1a-9980177-0",
"Ai:fileinfector.a44f3c4816",
"W32/pidgeon-a",
"Win32:pwsx-gen\\ [trj]",
"Trojan ( 000569271 )",
"W32.aidetect.malware2",
"W32/botnet.k",
"Variant.zusy.151902",
"Win.dropper.dridex-9986041-0",
"Win.dropper.autoit-6688751-0",
"Win32.backdoor.agent.a",
"Static ai - malicious pe",
"Flyagent l",
"Win.dropper.bulz-9910065-0",
"Win32:malware-gen",
"Malicious.2a7bf4",
"Android/ave.mirai.fszhh",
"Trojan.mirai/fedr",
"Trojan.mirai/fszhh",
"Worm.win32.burn.a",
"Atros3.ldj",
"Backdoor/agent.bfic",
"Backdoor.win32.agent.ka!s1",
"Worm:win32/sfone.a",
"Bkdr_botgor.sml",
"W32/backdoor.uqut-0945",
"Alf:e5.spikeaex.rhh_mcv",
"Win.malware.bbabdcdc-7358312-0",
"Win32:trojan-gen",
"Win.malware.botgor-9853222-0",
"Win.malware.trojanx-9862538-0",
"Virus.ramnit/nimnul",
"Worm.win32.burn.tnpx",
"Win32.trojan.botgor.a",
"Win/malicious_confidence_100% (w)",
"Backdoor.win32.agent.117760.b",
"Avg win32:agent-adau [trj]",
"Alf:heraklezeval:trojan:win32/zombie",
"Backdoor.siggen.46270",
"Win-trojan/malpacked5.gen",
"Virus.botgor!1.d115 (classic)",
"Worm:win32/sfone",
"Trojanspy:win32/gucotut.a"
],
"industries": [],
"unique_indicators": 81753
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/slurrp.com",
"whois": "http://whois.domaintools.com/slurrp.com",
"domain": "slurrp.com",
"hostname": "cdpapi.slurrp.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 27,
"pulses": [
{
"id": "6671e5844c155814e69ba4dd",
"name": "Mirai Botnet Injection affecting Alienvault.",
"description": "It's unclear if some users or service itself is injecting users or if service is under a Mirai attack. I found evidence of both outbound & inbound activities. *Crowdsourced context: Activity related to MIRAI - according to source Cluster25 - \nThis IPV4 is used by MIRAI. Mirai is a malware that created a big botnet of networked devices running Linux making them remotely controlled bots that can be used for large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.\n#zbetcheckin tracker\nDownloaded on 2023-11-07 19:34:59 UTC\nSRC URL : http://171.228.209.167/x86_64\nIP : 171.228.209.167\nAS : AS7552 Viettel Group\nYARA : #contentis_base64 #debuggerpattern__rdtsc #ip #math_entropy_6 #is__elf #http #ft_elf #executable_elf64",
"modified": "2024-07-18T19:02:50.386000",
"created": "2024-06-18T19:52:36.849000",
"tags": [
"problems",
"threat network",
"infrastructure",
"historical ssl",
"microsoft stuff",
"domain check",
"referrer",
"generic malware",
"injector",
"no data",
"tag count",
"fri mar",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"downloader",
"generic",
"united",
"as14315",
"passive dns",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"urls",
"files",
"america asn",
"unknown",
"ransom",
"body",
"coinminer",
"malware generic",
"wed jan",
"first",
"status",
"creation date",
"search",
"date",
"expiration date",
"name servers",
"next",
"mirai",
"yara detections",
"filehash",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"reverse dns",
"location lao",
"viet nam",
"domain",
"all search",
"otx scoreblue",
"hostname",
"files ip",
"lazarus",
"as7552 viettel",
"vietnam unknown",
"win32",
"worm",
"win32sfone jul",
"vietnam",
"etag",
"telecom",
"as16625 akamai",
"as20940",
"germany",
"united kingdom",
"singapore",
"as20546 soprado",
"hong kong",
"as45102 alibaba",
"taobao network",
"cname",
"aaaa",
"entries",
"showing",
"a domains",
"as38731 vietel",
"plesk",
"a li",
"default page",
"plesk a",
"mirai variant",
"useragent",
"apache",
"accept",
"hello",
"create c",
"read c",
"delete",
"write",
"default",
"create",
"show",
"medium",
"dock",
"execution",
"copy",
"xport",
"address",
"as131392",
"cape",
"orsam",
"malware",
"script urls",
"moved",
"record value",
"cisco umbrella",
"site",
"heur",
"alexa top",
"safe site",
"million",
"malicious site",
"phishing site",
"malicious url",
"opencandy",
"exploit",
"agent",
"phishing",
"acint",
"iframe",
"crack",
"conduit",
"artemis",
"riskware",
"mimikatz",
"swrort",
"downldr",
"systweak",
"behav",
"tiggre",
"genkryptik",
"presenoker",
"filetour",
"cleaner",
"wacatac",
"outbreak",
"installcore",
"iobit",
"rostpay",
"dropper",
"mediaget",
"related pulses",
"whois",
"related",
"msil",
"zombie",
"dridex",
"location viet",
"pulse submit",
"url analysis",
"content",
"google tag",
"utc gcfezl5ynvb",
"utc na",
"utc google",
"analytics na",
"utc linkedin",
"insight tag",
"deep malware",
"iframes",
"trackers",
"external-resources",
"text/html",
"elf info",
"header class",
"elf64 data",
"header version",
"os abi",
"unix",
"v object",
"file type",
"exec",
"executable file",
"progbits",
"type address",
"offset size",
"flags",
"null",
"nobits",
"strtab",
"ip detections",
"country",
"us bundled",
"detections file",
"name",
"graph summary",
"get hello",
"jaws webserver",
"outbound",
"mvpower dvr",
"shell uce",
"inbound",
"activity mirai",
"mirai",
"info",
"performs dns",
"mitre att",
"access ta0006",
"os credential",
"dumping t1003",
"enumerates",
"command",
"control ta0011",
"protocol t1071",
"protocol t1095",
"relacionada",
"mirai malware",
"mirai 04022024",
"nciipc",
"ip reputaion",
"msie",
"windows nt",
"slcc2",
"media center",
"china as37963",
"simplified",
"trojanspy",
"virustotal",
"panda",
"detections type",
"shell",
"javascript",
"dns replication",
"files referring",
"lookups",
"as7552",
"vhash",
"ssdeep",
"magic elf",
"sysv",
"trid elf",
"executable",
"linux",
"elf executable",
"loccel1",
"echobot",
"bashlite",
"malwarebazaar",
"echobot malware",
"win32 exe",
"magic msdos",
"pe32 executable",
"intel",
"ms windows",
"trid dos",
"compiler",
"delphi",
"serial number",
"algorithm",
"thumbprint",
"valid from",
"code signing",
"from",
"microsoft root",
"name microsoft",
"verisign time",
"stamping",
"contained",
"info sections",
"name virtual",
"address virtual",
"size raw",
"size entropy",
"md5 chi2",
"regsetvalueexa",
"type rtrcdata",
"sha256 file",
"threat roundup",
"october",
"august",
"june",
"september",
"highly targeted",
"cyberstalking",
"round",
"december",
"sneaky server",
"facebook",
"stealer",
"agent tesla",
"pony",
"april",
"whitelisted",
"encrypt",
"targeting",
"tsara brashears",
"otx",
"alienvault",
"memcommit",
"regsz",
"regopenkeyexw",
"english",
"module load",
"t1129",
"t1082",
"windows module",
"dlls",
"redline stealer",
"updater",
"v3 serial",
"number",
"subject public",
"key info",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"data redacted",
"cloudflare",
"redacted",
"for privacy",
"code",
"server",
"registrar abuse",
"redacted for",
"postal code",
"registrant name",
"red team",
"shit",
"logistics",
"cyber defense",
"gootloader",
"march",
"sinkhole",
"just",
"ramnit",
"netsupport rat",
"microsoft",
"vault",
"karen",
"gifts",
"hidden privacy",
"threats",
"malicious",
"darkgate",
"core",
"hacktool",
"emotet"
],
"references": [
"https://botnet.ngocronglau.xyz > link discovered by an Alienvault user who notified me they found it researching message from am active user.",
"https://otx.alienvault.com/indicator/file/02b19639ad1efa59e77f45d130447c05bd2466e26a657cb9cc6ac2e8b30a0026",
"https://otx.alienvault.com/indicator/file/001546d210a35b7c4c072b6c265f621cf4a9abdd152741d9b58deae2be204355",
"https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz",
"Unix.Mirai Botnet: https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz",
"CnC IP: https://otx.alienvault.com/indicator/ip/142.202.242.45",
"https://otx.alienvault.com/indicator/domain/bunny.net",
"https://otx.alienvault.com/indicator/ip/210.211.117.205",
"https://otx.alienvault.com/indicator/ip/143.244.50.212",
"https://otx.alienvault.com/indicator/ip/125.235.4.59",
"AV Detection: ELF:Mirai-GH\\ [Trj]",
"IDS Detections: MVPower DVR Shell UCE Mirai | Variant User-Agent (Outbound) JAWS Webserver Unauthenticated Shell Command Execution",
"IDS Detections: Huawei Remote Command Execution (CVE-2017-17215) Huawei Remote Command Execution - Outbound (CVE-2017-17215) Huawei HG532 RCE Vulnerability (CVE-2017-17215) Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World) 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST",
"IDS Detections: Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World)",
"IDS Detections: 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST) ...",
"Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication network_cnc_http network_http p2p_cnc writes_to_stdout",
"Matches rule Linux_Trojan_Mirai_6a77af0f from ruleset Linux_Trojan_Mirai by Elastic Security | botnet.ngocronglau.xyz",
"https://otx.alienvault.com/indicator/file/2b5deac6176124ee1f7d237f070c39b03c964fce9a9fba0aaa1bce102710d2e0",
"cu-payment-porch.pdv-3.ap-southeast-2.production.jet-external.com | qa.proxy.cognito.tigomoney.io | https://trackon.fr/track/clique",
"Crowdsourced YARA rules Matches: rule INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen",
"Crowdsourced YARA rules Matches: INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen",
"Crowdsourced YARA rules Matches: SUSP_Unsigned_OSPPSVC from ruleset gen_sign_anomalies by Florian Roth (Nextron Systems",
"Crowdsourced YARA rules Matches: IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems)",
"Crowdsourced YARA rules Matches: Matches rule IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"wallpapers-nature.com",
"Was anyone else notified? I'm not sure why I was.",
"Through research I did notice many references to target I'm researching for. Phishing/Injection attempt? I didn't click on links.",
"CS Sigma: Matches rule Python Initiated Connection by frack113"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "Unix.Trojan.Mirai-9441505-0",
"display_name": "Unix.Trojan.Mirai-9441505-0",
"target": null
},
{
"id": "ALF:E5.SpikeAex.rhh_mcv",
"display_name": "ALF:E5.SpikeAex.rhh_mcv",
"target": null
},
{
"id": "Win.Dropper.Bulz-9910065-0",
"display_name": "Win.Dropper.Bulz-9910065-0",
"target": null
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Win.Dropper.Autoit-6688751-0",
"display_name": "Win.Dropper.Autoit-6688751-0",
"target": null
},
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "Win.Dropper.Dridex-9986041-0",
"display_name": "Win.Dropper.Dridex-9986041-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Zombie",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Zombie",
"target": null
},
{
"id": "Win.Packer.pkr_ce1a-9980177-0",
"display_name": "Win.Packer.pkr_ce1a-9980177-0",
"target": null
},
{
"id": "Worm:Win32/Sfone.A",
"display_name": "Worm:Win32/Sfone.A",
"target": "/malware/Worm:Win32/Sfone.A"
},
{
"id": "Worm:Win32/Sfone",
"display_name": "Worm:Win32/Sfone",
"target": "/malware/Worm:Win32/Sfone"
},
{
"id": "Win.Malware.Bbabdcdc-7358312-0",
"display_name": "Win.Malware.Bbabdcdc-7358312-0",
"target": null
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "trojan.mirai/fszhh",
"display_name": "trojan.mirai/fszhh",
"target": null
},
{
"id": "DDOS:Linux/Mirai",
"display_name": "DDOS:Linux/Mirai",
"target": "/malware/DDOS:Linux/Mirai"
},
{
"id": "ANDROID/AVE.Mirai.fszhh",
"display_name": "ANDROID/AVE.Mirai.fszhh",
"target": null
},
{
"id": "Flyagent L",
"display_name": "Flyagent L",
"target": null
},
{
"id": "Win-Trojan/Malpacked5.Gen",
"display_name": "Win-Trojan/Malpacked5.Gen",
"target": null
},
{
"id": "Atros3.LDJ",
"display_name": "Atros3.LDJ",
"target": null
},
{
"id": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted",
"display_name": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted",
"target": null
},
{
"id": "TrojanSpy:Win32/Gucotut.A",
"display_name": "TrojanSpy:Win32/Gucotut.A",
"target": "/malware/TrojanSpy:Win32/Gucotut.A"
},
{
"id": "W32/Pidgeon-A",
"display_name": "W32/Pidgeon-A",
"target": null
},
{
"id": "Variant.Zusy.151902",
"display_name": "Variant.Zusy.151902",
"target": null
},
{
"id": "trojan.mirai/fedr",
"display_name": "trojan.mirai/fedr",
"target": null
},
{
"id": "Win.Malware.Trojanx-9862538-0",
"display_name": "Win.Malware.Trojanx-9862538-0",
"target": null
},
{
"id": "Win32:PWSX-gen\\ [Trj]",
"display_name": "Win32:PWSX-gen\\ [Trj]",
"target": null
},
{
"id": "virus.ramnit/nimnul",
"display_name": "virus.ramnit/nimnul",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 51,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 351,
"FileHash-SHA1": 349,
"FileHash-SHA256": 3715,
"domain": 3326,
"hostname": 5200,
"URL": 13151,
"email": 9,
"CVE": 7,
"CIDR": 2
},
"indicator_count": 26110,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 243,
"modified_text": "640 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570913a03b8f1cdc6abe32e",
"name": "btloader.com - yep clean as a babies bum",
"description": "",
"modified": "2023-12-06T15:20:26.615000",
"created": "2023-12-06T15:20:26.615000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 546,
"domain": 162,
"URL": 1042,
"hostname": 282,
"FileHash-MD5": 251,
"FileHash-SHA1": 224
},
"indicator_count": 2507,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657090fe5e8c659c7e5cb094",
"name": "http://e.ca/?e.ca=!1:f.stopPropagation - is there no end to this shit RU/CN/UA/GB/ net sh",
"description": "",
"modified": "2023-12-06T15:19:26.152000",
"created": "2023-12-06T15:19:26.152000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1091,
"hostname": 702,
"URL": 1728,
"domain": 279,
"CVE": 2,
"FileHash-MD5": 50,
"FileHash-SHA1": 46
},
"indicator_count": 3898,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657090e5dc9b2e91369b6c56",
"name": "bunch of KR muck",
"description": "",
"modified": "2023-12-06T15:19:01.428000",
"created": "2023-12-06T15:19:01.428000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 632,
"hostname": 227,
"domain": 101,
"URL": 496
},
"indicator_count": 1456,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657090132deb7fd89b09d555",
"name": "a whole bunch of hell effected by the recent mozilla/firefox vulns",
"description": "",
"modified": "2023-12-06T15:15:31.177000",
"created": "2023-12-06T15:15:31.177000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 825,
"domain": 308,
"URL": 2036,
"FileHash-SHA256": 2141
},
"indicator_count": 5310,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708fdef7d4b5483117bb67",
"name": "BINGO \ud83d\udea8\ud83d\udea8\ud83d\udea8 VT Graph json upload of UBotBrowser.exe - 20.99.132.105 - 33 collections - minecraft instances",
"description": "",
"modified": "2023-12-06T15:14:38.824000",
"created": "2023-12-06T15:14:38.824000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 812,
"domain": 110,
"hostname": 502,
"URL": 1437
},
"indicator_count": 2861,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708e0601ea9f27bdebdf4b",
"name": "Merry Christmas RUs Chasers",
"description": "",
"modified": "2023-12-06T15:06:45.654000",
"created": "2023-12-06T15:06:45.654000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1727,
"CVE": 1,
"domain": 1477,
"URL": 4663,
"hostname": 1110
},
"indicator_count": 8978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708d3fec7eeee20ce02403",
"name": "www.access.service.gov.uk - http mal apple .crl fake godaddy asn and execution via chronme log file - total carnage",
"description": "",
"modified": "2023-12-06T15:03:27.390000",
"created": "2023-12-06T15:03:27.390000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"FileHash-SHA256": 1374,
"hostname": 792,
"domain": 517,
"URL": 1529,
"FileHash-MD5": 81,
"FileHash-SHA1": 71
},
"indicator_count": 4366,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708cf911f044ba6f739580",
"name": "Infections start here 91.195.240.226-as47846- SEDO-DE - aid www.bbb.org",
"description": "",
"modified": "2023-12-06T15:02:16.933000",
"created": "2023-12-06T15:02:16.933000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 610,
"URL": 1279,
"email": 2,
"hostname": 375,
"domain": 172,
"FileHash-MD5": 99,
"FileHash-SHA1": 81,
"CVE": 1
},
"indicator_count": 2619,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708c4f41727d49d783b766",
"name": "RU KR .fill your boots -jaon file from vt graph 194.105.148.87",
"description": "",
"modified": "2023-12-06T14:59:27.563000",
"created": "2023-12-06T14:59:27.563000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 858,
"hostname": 589,
"URL": 2061,
"domain": 301
},
"indicator_count": 3809,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://cdpapi.slurrp.com",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://cdpapi.slurrp.com",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776630443.3391542
}