{ "type": "URL", "indicator": "https://mail.newvistatelecom.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://mail.newvistatelecom.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3468869273, "indicator": "https://mail.newvistatelecom.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "655e3de9eb518e46e96e9fd4", "name": "RedlineStealer | tx-p2p-pull.video-voip.com.dorm.com", "description": "tx-p2p-pull.video-voip.com.dorm.com", "modified": "2023-12-22T15:02:57.858000", "created": "2023-11-22T17:44:09.675000", "tags": [ "ssl certificate", "execution", "historical ssl", "dropped", "whois record", "whois", "referrer", "contacted", "best", "sites", "emotet", "team", "cyber threat", "united", "engineering", "malware", "hostname", "malicious site", "heur", "phishing", "phishing site", "suppobox", "facebook", "zbot", "malicious", "download", "redline stealer", "simda", "bank", "virut", "tofsee", "vawtrak", "hotmail", "steam", "nymaim", "zeus", "installcore", "ransomware", "ramnit", "union", "kraken", "pony", "betabot", "unruy", "bandoo", "matsnu", "detection list", "blacklist", "noname057", "stop", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "ascii text", "mitre att", "ck id", "show technique", "date", "unknown", "meta", "generator", "critical", "error", "body", "hybrid", "accept", "local", "click", "strings", "cisco umbrella", "site", "safe site", "html", "million", "alexa top", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "iobit", "dropper", "trojanx", "artemis", "riskware", "webshell", "exploit", "crack", "azorult", "service", "runescape", "ip address", "mail spammer", "attacker", "et cins", "active threat", "reputation ip", "threats et", "dns replication", "graph summary", "domain status", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "ALF:Cert:Bandoo", "display_name": "ALF:Cert:Bandoo", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "AdaptiveBee", "display_name": "AdaptiveBee", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 72, "FileHash-SHA256": 2087, "URL": 6558, "domain": 1279, "hostname": 2371, "CVE": 14, "email": 1 }, "indicator_count": 12483, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "892 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655e3debccfb06fb9580b69d", "name": "RedlineStealer | tx-p2p-pull.video-voip.com.dorm.com", "description": "tx-p2p-pull.video-voip.com.dorm.com", "modified": "2023-12-22T15:02:57.858000", "created": "2023-11-22T17:44:11.982000", "tags": [ "ssl certificate", "execution", "historical ssl", "dropped", "whois record", "whois", "referrer", "contacted", "best", "sites", "emotet", "team", "cyber threat", "united", "engineering", "malware", "hostname", "malicious site", "heur", "phishing", "phishing site", "suppobox", "facebook", "zbot", "malicious", "download", "redline stealer", "simda", "bank", "virut", "tofsee", "vawtrak", "hotmail", "steam", "nymaim", "zeus", "installcore", "ransomware", "ramnit", "union", "kraken", "pony", "betabot", "unruy", "bandoo", "matsnu", "detection list", "blacklist", "noname057", "stop", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "ascii text", "mitre att", "ck id", "show technique", "date", "unknown", "meta", "generator", "critical", "error", "body", "hybrid", "accept", "local", "click", "strings", "cisco umbrella", "site", "safe site", "html", "million", "alexa top", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "iobit", "dropper", "trojanx", "artemis", "riskware", "webshell", "exploit", "crack", "azorult", "service", "runescape", "ip address", "mail spammer", "attacker", "et cins", "active threat", "reputation ip", "threats et", "dns replication", "graph summary", "domain status", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "ALF:Cert:Bandoo", "display_name": "ALF:Cert:Bandoo", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "AdaptiveBee", "display_name": "AdaptiveBee", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 72, "FileHash-SHA256": 2087, "URL": 6558, "domain": 1279, "hostname": 2371, "CVE": 14, "email": 1 }, "indicator_count": 12483, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "892 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a947431aca6a0666c11b4", "name": " RedlineStealer | tx-p2p-pull.video-voip.com.dorm.com", "description": "", "modified": "2023-12-22T15:02:57.858000", "created": "2023-12-02T02:20:36.922000", "tags": [ "ssl certificate", "execution", "historical ssl", "dropped", "whois record", "whois", "referrer", "contacted", "best", "sites", "emotet", "team", "cyber threat", "united", "engineering", "malware", "hostname", "malicious site", "heur", "phishing", "phishing site", "suppobox", "facebook", "zbot", "malicious", "download", "redline stealer", "simda", "bank", "virut", "tofsee", "vawtrak", "hotmail", "steam", "nymaim", "zeus", "installcore", "ransomware", "ramnit", "union", "kraken", "pony", "betabot", "unruy", "bandoo", "matsnu", "detection list", "blacklist", "noname057", "stop", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "ascii text", "mitre att", "ck id", "show technique", "date", "unknown", "meta", "generator", "critical", "error", "body", "hybrid", "accept", "local", "click", "strings", "cisco umbrella", "site", "safe site", "html", "million", "alexa top", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "iobit", "dropper", "trojanx", "artemis", "riskware", "webshell", "exploit", "crack", "azorult", "service", "runescape", "ip address", "mail spammer", "attacker", "et cins", "active threat", "reputation ip", "threats et", "dns replication", "graph summary", "domain status", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "ALF:Cert:Bandoo", "display_name": "ALF:Cert:Bandoo", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "AdaptiveBee", "display_name": "AdaptiveBee", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": "655e3debccfb06fb9580b69d", "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 72, "FileHash-SHA256": 2087, "URL": 6558, "domain": 1279, "hostname": 2371, "CVE": 14, "email": 1 }, "indicator_count": 12483, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "892 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657095a7912f63c2e41cda22", "name": "trifega.com - your welcome - my god two years ago i left specific details with sussex and surrey cybercrime team -", "description": "", "modified": "2023-12-06T15:39:18.737000", "created": "2023-12-06T15:39:18.737000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 745, "FileHash-SHA256": 1097, "FileHash-MD5": 6, "FileHash-SHA1": 6, "URL": 2764, "hostname": 1468 }, "indicator_count": 6086, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63a8fc8d21e342461e0c53e5", "name": "trifega.com - your welcome - my god two years ago i left specific details with sussex and surrey cybercrime team -", "description": "2016 getsetpet.co.uk\ncentraserve.com /ltd purchased above domain after stealing frm my 1and1hosting acc transfering to google abusing it until july 2018 when it expired from my registration. Immediately purchased by Sebastian Clark director of centraserve ltd in essex uk. After this discovery it was moved to Trifega Ltd in the lsle of Whight for sale for \u00a3350 on trifega.com", "modified": "2023-01-25T01:02:11.128000", "created": "2022-12-26T01:44:45.883000", "tags": [ "https://www.virustotal.com/gui/collection/54321340057709266cb812" ], "references": [ "https://www.virustotal.com/graph/g87dbd51d317a43c59906ba09ca34598223bb3f1be82a45b48f8d4dd88bf28d92", "https://www.virustotal.com/gui/collection/54321340057709266cb812de770a121defeb7c8bb2fdf96fbdaab06213029c96" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2764, "hostname": 1468, "FileHash-SHA256": 1097, "domain": 745, "FileHash-MD5": 6, "FileHash-SHA1": 6 }, "indicator_count": 6086, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "1223 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "629f32000e99da994ecb5f62", "name": "80880.bodis - passive DNS = CNAME bug cookie priv escalation 450 records = n. sh", "description": "ioc's from all passive dns records potentially using CNAME record cookie priv escalation bug to abuse and break analytics with user agent.\nmass of 404 connection errors invoked to hijack/redir traffic to top level immitation sites running on massive nubotnet", "modified": "2022-07-07T00:01:42.558000", "created": "2022-06-07T11:09:52.102000", "tags": [ "n. sh", "CNAME cookie priv escalation", "CVE-2021-22941", "ww1", "neural", "nubotnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 370, "hostname": 1775, "URL": 2331, "domain": 453 }, "indicator_count": 4929, "is_author": false, "is_subscribing": null, "subscriber_count": 395, "modified_text": "1425 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.virustotal.com/graph/g87dbd51d317a43c59906ba09ca34598223bb3f1be82a45b48f8d4dd88bf28d92", "https://www.virustotal.com/gui/collection/54321340057709266cb812de770a121defeb7c8bb2fdf96fbdaab06213029c96" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Alf:cert:bandoo", "Trojanx", "Suppobox", "Azorult", "Matsnu", "Pony", "Sality", "Redline stealer", "Zeus", "Unruy", "Virut", "Betabot", "Vawtrak", "Mediamagnet", "Simda", "Zbot", "Iobit", "Ramnit", "Tofsee", "Adaptivebee", "Kraken", "Artemis", "Swrort", "Installcore", "Nymaim" ], "industries": [], "unique_indicators": 22566 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/newvistatelecom.com", "whois": "http://whois.domaintools.com/newvistatelecom.com", "domain": "newvistatelecom.com", "hostname": "mail.newvistatelecom.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "655e3de9eb518e46e96e9fd4", "name": "RedlineStealer | tx-p2p-pull.video-voip.com.dorm.com", "description": "tx-p2p-pull.video-voip.com.dorm.com", "modified": "2023-12-22T15:02:57.858000", "created": "2023-11-22T17:44:09.675000", "tags": [ "ssl certificate", "execution", "historical ssl", "dropped", "whois record", "whois", "referrer", "contacted", "best", "sites", "emotet", "team", "cyber threat", "united", "engineering", "malware", "hostname", "malicious site", "heur", "phishing", "phishing site", "suppobox", "facebook", "zbot", "malicious", "download", "redline stealer", "simda", "bank", "virut", "tofsee", "vawtrak", "hotmail", "steam", "nymaim", "zeus", "installcore", "ransomware", "ramnit", "union", "kraken", "pony", "betabot", "unruy", "bandoo", "matsnu", "detection list", "blacklist", "noname057", "stop", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "ascii text", "mitre att", "ck id", "show technique", "date", "unknown", "meta", "generator", "critical", "error", "body", "hybrid", "accept", "local", "click", "strings", "cisco umbrella", "site", "safe site", "html", "million", "alexa top", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "iobit", "dropper", "trojanx", "artemis", "riskware", "webshell", "exploit", "crack", "azorult", "service", "runescape", "ip address", "mail spammer", "attacker", "et cins", "active threat", "reputation ip", "threats et", "dns replication", "graph summary", "domain status", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "ALF:Cert:Bandoo", "display_name": "ALF:Cert:Bandoo", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "AdaptiveBee", "display_name": "AdaptiveBee", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 72, "FileHash-SHA256": 2087, "URL": 6558, "domain": 1279, "hostname": 2371, "CVE": 14, "email": 1 }, "indicator_count": 12483, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "892 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655e3debccfb06fb9580b69d", "name": "RedlineStealer | tx-p2p-pull.video-voip.com.dorm.com", "description": "tx-p2p-pull.video-voip.com.dorm.com", "modified": "2023-12-22T15:02:57.858000", "created": "2023-11-22T17:44:11.982000", "tags": [ "ssl certificate", "execution", "historical ssl", "dropped", "whois record", "whois", "referrer", "contacted", "best", "sites", "emotet", "team", "cyber threat", "united", "engineering", "malware", "hostname", "malicious site", "heur", "phishing", "phishing site", "suppobox", "facebook", "zbot", "malicious", "download", "redline stealer", "simda", "bank", "virut", "tofsee", "vawtrak", "hotmail", "steam", "nymaim", "zeus", "installcore", "ransomware", "ramnit", "union", "kraken", "pony", "betabot", "unruy", "bandoo", "matsnu", "detection list", "blacklist", "noname057", "stop", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "ascii text", "mitre att", "ck id", "show technique", "date", "unknown", "meta", "generator", "critical", "error", "body", "hybrid", "accept", "local", "click", "strings", "cisco umbrella", "site", "safe site", "html", "million", "alexa top", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "iobit", "dropper", "trojanx", "artemis", "riskware", "webshell", "exploit", "crack", "azorult", "service", "runescape", "ip address", "mail spammer", "attacker", "et cins", "active threat", "reputation ip", "threats et", "dns replication", "graph summary", "domain status", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "ALF:Cert:Bandoo", "display_name": "ALF:Cert:Bandoo", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "AdaptiveBee", "display_name": "AdaptiveBee", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 72, "FileHash-SHA256": 2087, "URL": 6558, "domain": 1279, "hostname": 2371, "CVE": 14, "email": 1 }, "indicator_count": 12483, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "892 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a947431aca6a0666c11b4", "name": " RedlineStealer | tx-p2p-pull.video-voip.com.dorm.com", "description": "", "modified": "2023-12-22T15:02:57.858000", "created": "2023-12-02T02:20:36.922000", "tags": [ "ssl certificate", "execution", "historical ssl", "dropped", "whois record", "whois", "referrer", "contacted", "best", "sites", "emotet", "team", "cyber threat", "united", "engineering", "malware", "hostname", "malicious site", "heur", "phishing", "phishing site", "suppobox", "facebook", "zbot", "malicious", "download", "redline stealer", "simda", "bank", "virut", "tofsee", "vawtrak", "hotmail", "steam", "nymaim", "zeus", "installcore", "ransomware", "ramnit", "union", "kraken", "pony", "betabot", "unruy", "bandoo", "matsnu", "detection list", "blacklist", "noname057", "stop", "pattern match", "root ca", "done adding", "catalog file", "authority", "class", "ascii text", "mitre att", "ck id", "show technique", "date", "unknown", "meta", "generator", "critical", "error", "body", "hybrid", "accept", "local", "click", "strings", "cisco umbrella", "site", "safe site", "html", "million", "alexa top", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "iobit", "dropper", "trojanx", "artemis", "riskware", "webshell", "exploit", "crack", "azorult", "service", "runescape", "ip address", "mail spammer", "attacker", "et cins", "active threat", "reputation ip", "threats et", "dns replication", "graph summary", "domain status", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TrojanX", "display_name": "TrojanX", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "MediaMagnet", "display_name": "MediaMagnet", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "IObit", "display_name": "IObit", "target": null }, { "id": "ALF:Cert:Bandoo", "display_name": "ALF:Cert:Bandoo", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "AdaptiveBee", "display_name": "AdaptiveBee", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "Swrort", "display_name": "Swrort", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": "655e3debccfb06fb9580b69d", "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 72, "FileHash-SHA256": 2087, "URL": 6558, "domain": 1279, "hostname": 2371, "CVE": 14, "email": 1 }, "indicator_count": 12483, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "892 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657095a7912f63c2e41cda22", "name": "trifega.com - your welcome - my god two years ago i left specific details with sussex and surrey cybercrime team -", "description": "", "modified": "2023-12-06T15:39:18.737000", "created": "2023-12-06T15:39:18.737000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 745, "FileHash-SHA256": 1097, "FileHash-MD5": 6, "FileHash-SHA1": 6, "URL": 2764, "hostname": 1468 }, "indicator_count": 6086, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63a8fc8d21e342461e0c53e5", "name": "trifega.com - your welcome - my god two years ago i left specific details with sussex and surrey cybercrime team -", "description": "2016 getsetpet.co.uk\ncentraserve.com /ltd purchased above domain after stealing frm my 1and1hosting acc transfering to google abusing it until july 2018 when it expired from my registration. Immediately purchased by Sebastian Clark director of centraserve ltd in essex uk. After this discovery it was moved to Trifega Ltd in the lsle of Whight for sale for \u00a3350 on trifega.com", "modified": "2023-01-25T01:02:11.128000", "created": "2022-12-26T01:44:45.883000", "tags": [ "https://www.virustotal.com/gui/collection/54321340057709266cb812" ], "references": [ "https://www.virustotal.com/graph/g87dbd51d317a43c59906ba09ca34598223bb3f1be82a45b48f8d4dd88bf28d92", "https://www.virustotal.com/gui/collection/54321340057709266cb812de770a121defeb7c8bb2fdf96fbdaab06213029c96" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2764, "hostname": 1468, "FileHash-SHA256": 1097, "domain": 745, "FileHash-MD5": 6, "FileHash-SHA1": 6 }, "indicator_count": 6086, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "1223 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "629f32000e99da994ecb5f62", "name": "80880.bodis - passive DNS = CNAME bug cookie priv escalation 450 records = n. sh", "description": "ioc's from all passive dns records potentially using CNAME record cookie priv escalation bug to abuse and break analytics with user agent.\nmass of 404 connection errors invoked to hijack/redir traffic to top level immitation sites running on massive nubotnet", "modified": "2022-07-07T00:01:42.558000", "created": "2022-06-07T11:09:52.102000", "tags": [ "n. sh", "CNAME cookie priv escalation", "CVE-2021-22941", "ww1", "neural", "nubotnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 370, "hostname": 1775, "URL": 2331, "domain": 453 }, "indicator_count": 4929, "is_author": false, "is_subscribing": null, "subscriber_count": 395, "modified_text": "1425 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://mail.newvistatelecom.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://mail.newvistatelecom.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780337135.1634486 }