{ "type": "URL", "indicator": "https://mh1.anbaa-10.online/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://mh1.anbaa-10.online/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3966739876, "indicator": "https://mh1.anbaa-10.online/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "66e00320d65236e032faa26a", "name": "Global- Injection | Phone service modification campaign - Cryprsoft", "description": "Malicious\u00bb http://www.forensickb.com/2013/03/file-entropy-explained.html | Cryptsoft | ET ,\nVirus:Win32/Sality.AT ,\nWin32:Kukacka , TrojanSpy:Win32/Nivdort.AJ , Worm:Win32/Mydoom.O!backdoor , \nWorm:Win32/Bloored , TrojanSpy:Win32/Invader.S!MSR , \nText: Mydoom spreading via SMTP 29 192.168.56.110 198.133.159.125 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 52.28.249.128 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 166.78.145.90 2016803 ET TROJAN Known Sinkhole Response Header 166.78.145.90 192.168.56.110 2018\nATT&CK | Query Registry , Modify Existing Service , Scheduled Task/Job , Process Injection , Registry Run Keys / Startup Folder , System Information Discovery , Disabling Security Tools , Modify Registry", "modified": "2024-10-10T08:03:36.798000", "created": "2024-09-10T08:28:16.120000", "tags": [ "amazonaws", "employment scam", "pe resource", "united", "as15169 google", "aaaa", "unknown", "search", "as44273 host", "passive dns", "all scoreblue", "worm", "files", "error", "code", "emails", "ireland", "poland", "high", "yara detections", "virus", "msvisualcpp2003", "high process", "injection t1055", "t1055", "icmp traffic", "pe file", "service", "win32", "copy", "tools", "cryptsoft", "nxdomain", "a br", "key management", "meta", "open", "twitter", "a domains", "cryptsoft src", "meet cryptsoft", "products a", "authority", "record value", "contact", "metro", "log id", "gmtn", "go daddy", "tls web", "arizona", "scottsdale", "ca issuers", "false", "windows nt", "msie", "read c", "ms windows", "intel", "et trojan", "pe32", "zip archive", "write", "possible", "malware", "beethoven", "et", "body", "scan endpoints", "category", "file samples", "files matching", "date hash", "phishing", "show", "t1045", "nrv2x", "lzma", "laszlo molnar", "john reiser", "antivirus", "xp sp2", "sp2 working", "alerts", "contacted", "0pgtwhu", "filehash", "february", "crack.zip", "as396982 google", "urls", "domain", "hostname", "next", "belgium unknown", "status", "name servers", "creation date", "date", "servers", "entries", "trojan", "ipv4", "pulse pulses", "ransom", "gandcrab", "active", "parking crews" ], "references": [ "Researched: http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "www.crackedmindstechnologies.com", "IDS Detections: Tempedreve Checkin Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup) Worm.Mydoom Checkin", "IDS Detections: User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "IDS Detections: Worm.Mydoom Checkin User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "relay.cryptsoft.com | smtp.cryptsoft.com\t| ghs.google.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Romania", "Netherlands", "Poland", "Belgium", "Germany", "Spain", "Italy", "Czechia", "Austria", "Bulgaria", "Canada", "United Arab Emirates" ], "malware_families": [ { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "Win32:Kukacka", "display_name": "Win32:Kukacka", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Worm:Win32/Mydoom.O!backdoor", "display_name": "Worm:Win32/Mydoom.O!backdoor", "target": "/malware/Worm:Win32/Mydoom.O!backdoor" }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.AJ", "display_name": "TrojanSpy:Win32/Nivdort.AJ", "target": "/malware/TrojanSpy:Win32/Nivdort.AJ" }, { "id": "TrojanSpy:Win32/Invader.S!MSR", "display_name": "TrojanSpy:Win32/Invader.S!MSR", "target": "/malware/TrojanSpy:Win32/Invader.S!MSR" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 220, "FileHash-MD5": 626, "FileHash-SHA1": 539, "FileHash-SHA256": 1335, "domain": 501, "hostname": 617, "email": 4, "SSLCertFingerprint": 2 }, "indicator_count": 3844, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "600 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "www.crackedmindstechnologies.com", "IDS Detections: User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "relay.cryptsoft.com | smtp.cryptsoft.com\t| ghs.google.com", "IDS Detections: Tempedreve Checkin Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup) Worm.Mydoom Checkin", "IDS Detections: Worm.Mydoom Checkin User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin", "Researched: http://www.forensickb.com/2013/03/file-entropy-explained.html" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Worm:win32/mydoom.o!backdoor", "Virus:win32/sality.at", "Worm:win32/bloored.e", "Trojanspy:win32/invader.s!msr", "Et", "Gandcrab", "Trojanspy:win32/nivdort.aj", "Win32:kukacka" ], "industries": [ "Telecommunications" ], "unique_indicators": 4359 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/anbaa-10.online", "whois": "http://whois.domaintools.com/anbaa-10.online", "domain": "anbaa-10.online", "hostname": "mh1.anbaa-10.online" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "66e00320d65236e032faa26a", "name": "Global- Injection | Phone service modification campaign - Cryprsoft", "description": "Malicious\u00bb http://www.forensickb.com/2013/03/file-entropy-explained.html | Cryptsoft | ET ,\nVirus:Win32/Sality.AT ,\nWin32:Kukacka , TrojanSpy:Win32/Nivdort.AJ , Worm:Win32/Mydoom.O!backdoor , \nWorm:Win32/Bloored , TrojanSpy:Win32/Invader.S!MSR , \nText: Mydoom spreading via SMTP 29 192.168.56.110 198.133.159.125 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 52.28.249.128 2018340 ET TROJAN Win32.Sality-GR Checkin 192.168.56.110 166.78.145.90 2016803 ET TROJAN Known Sinkhole Response Header 166.78.145.90 192.168.56.110 2018\nATT&CK | Query Registry , Modify Existing Service , Scheduled Task/Job , Process Injection , Registry Run Keys / Startup Folder , System Information Discovery , Disabling Security Tools , Modify Registry", "modified": "2024-10-10T08:03:36.798000", "created": "2024-09-10T08:28:16.120000", "tags": [ "amazonaws", "employment scam", "pe resource", "united", "as15169 google", "aaaa", "unknown", "search", "as44273 host", "passive dns", "all scoreblue", "worm", "files", "error", "code", "emails", "ireland", "poland", "high", "yara detections", "virus", "msvisualcpp2003", "high process", "injection t1055", "t1055", "icmp traffic", "pe file", "service", "win32", "copy", "tools", "cryptsoft", "nxdomain", "a br", "key management", "meta", "open", "twitter", "a domains", "cryptsoft src", "meet cryptsoft", "products a", "authority", "record value", "contact", "metro", "log id", "gmtn", "go daddy", "tls web", "arizona", "scottsdale", "ca issuers", "false", "windows nt", "msie", "read c", "ms windows", "intel", "et trojan", "pe32", "zip archive", "write", "possible", "malware", "beethoven", "et", "body", "scan endpoints", "category", "file samples", "files matching", "date hash", "phishing", "show", "t1045", "nrv2x", "lzma", "laszlo molnar", "john reiser", "antivirus", "xp sp2", "sp2 working", "alerts", "contacted", "0pgtwhu", "filehash", "february", "crack.zip", "as396982 google", "urls", "domain", "hostname", "next", "belgium unknown", "status", "name servers", "creation date", "date", "servers", "entries", "trojan", "ipv4", "pulse pulses", "ransom", "gandcrab", "active", "parking crews" ], "references": [ "Researched: http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "www.crackedmindstechnologies.com", "IDS Detections: Tempedreve Checkin Hiloti Style GET to PHP with invalid terse MSIE headers W32/Bayrob Attempted Checkin 2", "Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup) Worm.Mydoom Checkin", "IDS Detections: User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "IDS Detections: Worm.Mydoom Checkin User-Agent (explwer) Hiloti/Mufanom Downloader Checkin Win32/Unruy.R Checkin", "IDS Detections: Ransom.Win32.Birele.gsg Checkin Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)", "relay.cryptsoft.com | smtp.cryptsoft.com\t| ghs.google.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Romania", "Netherlands", "Poland", "Belgium", "Germany", "Spain", "Italy", "Czechia", "Austria", "Bulgaria", "Canada", "United Arab Emirates" ], "malware_families": [ { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "Win32:Kukacka", "display_name": "Win32:Kukacka", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Worm:Win32/Mydoom.O!backdoor", "display_name": "Worm:Win32/Mydoom.O!backdoor", "target": "/malware/Worm:Win32/Mydoom.O!backdoor" }, { "id": "Worm:Win32/Bloored.E", "display_name": "Worm:Win32/Bloored.E", "target": "/malware/Worm:Win32/Bloored.E" }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "TrojanSpy:Win32/Nivdort.AJ", "display_name": "TrojanSpy:Win32/Nivdort.AJ", "target": "/malware/TrojanSpy:Win32/Nivdort.AJ" }, { "id": "TrojanSpy:Win32/Invader.S!MSR", "display_name": "TrojanSpy:Win32/Invader.S!MSR", "target": "/malware/TrojanSpy:Win32/Invader.S!MSR" } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 220, "FileHash-MD5": 626, "FileHash-SHA1": 539, "FileHash-SHA256": 1335, "domain": 501, "hostname": 617, "email": 4, "SSLCertFingerprint": 2 }, "indicator_count": 3844, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "600 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://mh1.anbaa-10.online/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://mh1.anbaa-10.online/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780412019.3937547 }