{ "type": "URL", "indicator": "https://one.one.one.one/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://one.one.one.one/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2201525320, "indicator": "https://one.one.one.one/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69b283a733a36fe75a38bb9c", "name": "The Gatby Script Loader", "description": "Im still hooked on the Belasco Chain being a thing.", "modified": "2026-05-30T00:28:12.957000", "created": "2026-03-12T09:13:11.392000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 227, "FileHash-MD5": 24, "FileHash-SHA1": 14, "domain": 64, "URL": 42, "hostname": 58, "CVE": 6, "JA3": 1 }, "indicator_count": 436, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6926228c245602830fd82fe5", "name": "hxxps://www[.]cloudflare[.]com/5xx-error-landing - 11.25.25", "description": "Cloudflare Abuse", "modified": "2025-12-25T21:00:52.783000", "created": "2025-11-25T21:41:32.156000", "tags": [ "sandbox", "static analyzer", "emulation", "analyzer", "url", "scanner", "reputation", "phishing", "malware", "cloudflare", "warning icon", "share report", "domain", "systems", "host", "amazon web", "services", "varnish", "onetrust", "error", "bunny", "write", "virus", "trojan", "ransomware", "static", "analysis", "indicator of compromise", "ioc", "extraction", "online", "submit", "sample", "download", "platform", "vxstream", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "javascript", "ansi", "runtime data", "file string", "dumps", "varchar", "null", "integer default", "localappdata", "integer not", "license", "path", "date", "facebook", "close", "roboto", "meta", "title", "span", "body", "blink", "win64", "contact", "mexico", "protect", "enterprise", "project", "suspicious", "hybrid", "mendoza", "mini", "code", "galileo", "4629", "false", "media", "critical", "fast", "stream", "cloud", "click", "hosts", "dorv", "lion", "cascade", "august", "general", "strings", "malicious" ], "references": [ "https://app.threat.zone/submission/5b29d473-2767-440f-8f03-12e48c58fd29/url-analysis-report", "https://urlquery.net/report/4eec9c27-98f9-4826-96ee-3e02a77c3646", "https://www.filescan.io/uploads/69261defaf4aba3912d48f77/reports/ad684d0b-2509-498d-8ab4-3c67a075029f/ioc", "https://hybrid-analysis.com/sample/fa4f8265e8be5eb4d59ced85c040c15fadf017ce9ae2ffe4869da356ec184582", "https://www.virustotal.com/gui/url/72220e2a2e1b36610c2efcd3585aa08ba8021ad13891821e47bbfd1f26709128/details", "https://hybrid-analysis.com/sample/fa4f8265e8be5eb4d59ced85c040c15fadf017ce9ae2ffe4869da356ec184582/64ddb54ab6da189fe1047708" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 520, "FileHash-MD5": 136, "FileHash-SHA1": 82, "domain": 120, "hostname": 275, "FileHash-SHA256": 136, "email": 12 }, "indicator_count": 1281, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "156 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e01dc0fd31b731b2d5dac7", "name": "Cloudflade Botnet \u00bb | 1.1.1.1 | Warp.Plus? | smlpp.monster | Mirai", "description": "This issue may only affect those already in Botnet/s. DoS.Bad login requests .dead host, CnC,\nELF:Mirai-GH\\ [Trj] ,\nMirai ,\nNIDS m\nTrojan:Win32/Danabot", "modified": "2024-10-10T10:03:15.339000", "created": "2024-09-10T10:21:52.428000", "tags": [ "ip block", "list", "historical ssl", "iocs", "apt ip", "address list", "nukespeed", "bot networks", "listen", "tracker", "powershell", "http response", "final url", "ip address", "status code", "kb body", "sha256", "gmt server", "united", "passive dns", "as54113", "arial", "dynamic link", "msg div", "all scoreblue", "south korea", "china as4134", "china as4837", "as4766 korea", "as9318 sk", "taiwan as3462", "high", "nids", "tcp syn", "resolverror", "malware", "next", "certificate", "encrypt", "title invalid", "a domains", "files", "ip related", "pulses otx", "as21928", "china as9394", "asnone", "as701 verizon", "china asnone", "port", "destination", "south africa", "tunisia as37693", "nigeria asnone", "tunisia asnone", "kenya as36926", "egypt as36992", "as14061", "aaaa", "moved", "search", "body", "114.114.114.114", "tulach", "telnet", "firebase app", "telnet login", "bad login", "gpl telnet", "telnet root", "hisilicon dvr", "hong kong", "activity", "copy", "suspicious path", "fbotsatori", "yara detections", "contacted", "cname", "urls", "creation date", "otx telemetry", "record value", "date", "unknown", "as51468", "denmark unknown", "scan endpoints", "pulse pulses", "dcbg", "status", "hostname", "taiwan", "as3462", "showing", "as17421", "entries", "win32", "busybox" ], "references": [ "Cloudflare | 1.1.1.1 -WarpPlus/****", "smlpp.monster", "IDS Detections: Fbot/Satori CnC Checkin SUSPICIOUS Path to BusyBox Bad Login root logbusyboxin", "Alerts: dead_host nids_malware_alert network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections is__elf , LZMA", "Tulach- 114.114.114.114" ], "public": 1, "adversary": "", "targeted_countries": [ "India", "Korea, Republic of", "Japan", "Hong Kong", "Philippines", "Taiwan", "Indonesia", "Australia", "France", "South Africa", "United States of America", "Italy" ], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 144, "FileHash-SHA256": 863, "domain": 640, "hostname": 740, "URL": 1117, "email": 3, "CVE": 1 }, "indicator_count": 3652, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "598 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e01e7b6a0bc2abe0d6c0d1", "name": "Cloudflare Botnet- https://otx.alienvault.com/pulse/66e01dc0fd31b731b2d5dac7", "description": "", "modified": "2024-10-10T10:03:15.339000", "created": "2024-09-10T10:24:59.035000", "tags": [ "ip block", "list", "historical ssl", "iocs", "apt ip", "address list", "nukespeed", "bot networks", "listen", "tracker", "powershell", "http response", "final url", "ip address", "status code", "kb body", "sha256", "gmt server", "united", "passive dns", "as54113", "arial", "dynamic link", "msg div", "all scoreblue", "south korea", "china as4134", "china as4837", "as4766 korea", "as9318 sk", "taiwan as3462", "high", "nids", "tcp syn", "resolverror", "malware", "next", "certificate", "encrypt", "title invalid", "a domains", "files", "ip related", "pulses otx", "as21928", "china as9394", "asnone", "as701 verizon", "china asnone", "port", "destination", "south africa", "tunisia as37693", "nigeria asnone", "tunisia asnone", "kenya as36926", "egypt as36992", "as14061", "aaaa", "moved", "search", "body", "114.114.114.114", "tulach", "telnet", "firebase app", "telnet login", "bad login", "gpl telnet", "telnet root", "hisilicon dvr", "hong kong", "activity", "copy", "suspicious path", "fbotsatori", "yara detections", "contacted", "cname", "urls", "creation date", "otx telemetry", "record value", "date", "unknown", "as51468", "denmark unknown", "scan endpoints", "pulse pulses", "dcbg", "status", "hostname", "taiwan", "as3462", "showing", "as17421", "entries", "win32", "busybox" ], "references": [ "Cloudflare | 1.1.1.1 -WarpPlus/****", "smlpp.monster", "IDS Detections: Fbot/Satori CnC Checkin SUSPICIOUS Path to BusyBox Bad Login root logbusyboxin", "Alerts: dead_host nids_malware_alert network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections is__elf , LZMA", "Tulach- 114.114.114.114" ], "public": 1, "adversary": "", "targeted_countries": [ "India", "Korea, Republic of", "Japan", "Hong Kong", "Philippines", "Taiwan", "Indonesia", "Australia", "France", "South Africa", "United States of America", "Italy" ], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": "66e01dc0fd31b731b2d5dac7", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 144, "FileHash-SHA256": 863, "domain": 640, "hostname": 740, "URL": 1117, "email": 3, "CVE": 1 }, "indicator_count": 3652, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "598 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://hybrid-analysis.com/sample/fa4f8265e8be5eb4d59ced85c040c15fadf017ce9ae2ffe4869da356ec184582/64ddb54ab6da189fe1047708", "https://www.filescan.io/uploads/69261defaf4aba3912d48f77/reports/ad684d0b-2509-498d-8ab4-3c67a075029f/ioc", "Alerts: dead_host nids_malware_alert network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "https://hybrid-analysis.com/sample/fa4f8265e8be5eb4d59ced85c040c15fadf017ce9ae2ffe4869da356ec184582", "smlpp.monster", "https://app.threat.zone/submission/5b29d473-2767-440f-8f03-12e48c58fd29/url-analysis-report", "Cloudflare | 1.1.1.1 -WarpPlus/****", "Yara Detections is__elf , LZMA", "https://urlquery.net/report/4eec9c27-98f9-4826-96ee-3e02a77c3646", "Tulach- 114.114.114.114", "https://www.virustotal.com/gui/url/72220e2a2e1b36610c2efcd3585aa08ba8021ad13891821e47bbfd1f26709128/details", "IDS Detections: Fbot/Satori CnC Checkin SUSPICIOUS Path to BusyBox Bad Login root logbusyboxin" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojan:win32/danabot", "Elf:mirai-gh\\ [trj]", "Nids", "Mirai" ], "industries": [ "Telecommunications", "Civilian society", "Technology" ], "unique_indicators": 5920 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/one.one", "whois": "http://whois.domaintools.com/one.one", "domain": "one.one", "hostname": "one.one.one.one" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69b283a733a36fe75a38bb9c", "name": "The Gatby Script Loader", "description": "Im still hooked on the Belasco Chain being a thing.", "modified": "2026-05-30T00:28:12.957000", "created": "2026-03-12T09:13:11.392000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 227, "FileHash-MD5": 24, "FileHash-SHA1": 14, "domain": 64, "URL": 42, "hostname": 58, "CVE": 6, "JA3": 1 }, "indicator_count": 436, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6926228c245602830fd82fe5", "name": "hxxps://www[.]cloudflare[.]com/5xx-error-landing - 11.25.25", "description": "Cloudflare Abuse", "modified": "2025-12-25T21:00:52.783000", "created": "2025-11-25T21:41:32.156000", "tags": [ "sandbox", "static analyzer", "emulation", "analyzer", "url", "scanner", "reputation", "phishing", "malware", "cloudflare", "warning icon", "share report", "domain", "systems", "host", "amazon web", "services", "varnish", "onetrust", "error", "bunny", "write", "virus", "trojan", "ransomware", "static", "analysis", "indicator of compromise", "ioc", "extraction", "online", "submit", "sample", "download", "platform", "vxstream", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "javascript", "ansi", "runtime data", "file string", "dumps", "varchar", "null", "integer default", "localappdata", "integer not", "license", "path", "date", "facebook", "close", "roboto", "meta", "title", "span", "body", "blink", "win64", "contact", "mexico", "protect", "enterprise", "project", "suspicious", "hybrid", "mendoza", "mini", "code", "galileo", "4629", "false", "media", "critical", "fast", "stream", "cloud", "click", "hosts", "dorv", "lion", "cascade", "august", "general", "strings", "malicious" ], "references": [ "https://app.threat.zone/submission/5b29d473-2767-440f-8f03-12e48c58fd29/url-analysis-report", "https://urlquery.net/report/4eec9c27-98f9-4826-96ee-3e02a77c3646", "https://www.filescan.io/uploads/69261defaf4aba3912d48f77/reports/ad684d0b-2509-498d-8ab4-3c67a075029f/ioc", "https://hybrid-analysis.com/sample/fa4f8265e8be5eb4d59ced85c040c15fadf017ce9ae2ffe4869da356ec184582", "https://www.virustotal.com/gui/url/72220e2a2e1b36610c2efcd3585aa08ba8021ad13891821e47bbfd1f26709128/details", "https://hybrid-analysis.com/sample/fa4f8265e8be5eb4d59ced85c040c15fadf017ce9ae2ffe4869da356ec184582/64ddb54ab6da189fe1047708" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 520, "FileHash-MD5": 136, "FileHash-SHA1": 82, "domain": 120, "hostname": 275, "FileHash-SHA256": 136, "email": 12 }, "indicator_count": 1281, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "156 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e01dc0fd31b731b2d5dac7", "name": "Cloudflade Botnet \u00bb | 1.1.1.1 | Warp.Plus? | smlpp.monster | Mirai", "description": "This issue may only affect those already in Botnet/s. DoS.Bad login requests .dead host, CnC,\nELF:Mirai-GH\\ [Trj] ,\nMirai ,\nNIDS m\nTrojan:Win32/Danabot", "modified": "2024-10-10T10:03:15.339000", "created": "2024-09-10T10:21:52.428000", "tags": [ "ip block", "list", "historical ssl", "iocs", "apt ip", "address list", "nukespeed", "bot networks", "listen", "tracker", "powershell", "http response", "final url", "ip address", "status code", "kb body", "sha256", "gmt server", "united", "passive dns", "as54113", "arial", "dynamic link", "msg div", "all scoreblue", "south korea", "china as4134", "china as4837", "as4766 korea", "as9318 sk", "taiwan as3462", "high", "nids", "tcp syn", "resolverror", "malware", "next", "certificate", "encrypt", "title invalid", "a domains", "files", "ip related", "pulses otx", "as21928", "china as9394", "asnone", "as701 verizon", "china asnone", "port", "destination", "south africa", "tunisia as37693", "nigeria asnone", "tunisia asnone", "kenya as36926", "egypt as36992", "as14061", "aaaa", "moved", "search", "body", "114.114.114.114", "tulach", "telnet", "firebase app", "telnet login", "bad login", "gpl telnet", "telnet root", "hisilicon dvr", "hong kong", "activity", "copy", "suspicious path", "fbotsatori", "yara detections", "contacted", "cname", "urls", "creation date", "otx telemetry", "record value", "date", "unknown", "as51468", "denmark unknown", "scan endpoints", "pulse pulses", "dcbg", "status", "hostname", "taiwan", "as3462", "showing", "as17421", "entries", "win32", "busybox" ], "references": [ "Cloudflare | 1.1.1.1 -WarpPlus/****", "smlpp.monster", "IDS Detections: Fbot/Satori CnC Checkin SUSPICIOUS Path to BusyBox Bad Login root logbusyboxin", "Alerts: dead_host nids_malware_alert network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections is__elf , LZMA", "Tulach- 114.114.114.114" ], "public": 1, "adversary": "", "targeted_countries": [ "India", "Korea, Republic of", "Japan", "Hong Kong", "Philippines", "Taiwan", "Indonesia", "Australia", "France", "South Africa", "United States of America", "Italy" ], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 144, "FileHash-SHA256": 863, "domain": 640, "hostname": 740, "URL": 1117, "email": 3, "CVE": 1 }, "indicator_count": 3652, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "598 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e01e7b6a0bc2abe0d6c0d1", "name": "Cloudflare Botnet- https://otx.alienvault.com/pulse/66e01dc0fd31b731b2d5dac7", "description": "", "modified": "2024-10-10T10:03:15.339000", "created": "2024-09-10T10:24:59.035000", "tags": [ "ip block", "list", "historical ssl", "iocs", "apt ip", "address list", "nukespeed", "bot networks", "listen", "tracker", "powershell", "http response", "final url", "ip address", "status code", "kb body", "sha256", "gmt server", "united", "passive dns", "as54113", "arial", "dynamic link", "msg div", "all scoreblue", "south korea", "china as4134", "china as4837", "as4766 korea", "as9318 sk", "taiwan as3462", "high", "nids", "tcp syn", "resolverror", "malware", "next", "certificate", "encrypt", "title invalid", "a domains", "files", "ip related", "pulses otx", "as21928", "china as9394", "asnone", "as701 verizon", "china asnone", "port", "destination", "south africa", "tunisia as37693", "nigeria asnone", "tunisia asnone", "kenya as36926", "egypt as36992", "as14061", "aaaa", "moved", "search", "body", "114.114.114.114", "tulach", "telnet", "firebase app", "telnet login", "bad login", "gpl telnet", "telnet root", "hisilicon dvr", "hong kong", "activity", "copy", "suspicious path", "fbotsatori", "yara detections", "contacted", "cname", "urls", "creation date", "otx telemetry", "record value", "date", "unknown", "as51468", "denmark unknown", "scan endpoints", "pulse pulses", "dcbg", "status", "hostname", "taiwan", "as3462", "showing", "as17421", "entries", "win32", "busybox" ], "references": [ "Cloudflare | 1.1.1.1 -WarpPlus/****", "smlpp.monster", "IDS Detections: Fbot/Satori CnC Checkin SUSPICIOUS Path to BusyBox Bad Login root logbusyboxin", "Alerts: dead_host nids_malware_alert network_icmp tcp_syn_scan nolookup_communication nids_alert writes_to_stdout", "Yara Detections is__elf , LZMA", "Tulach- 114.114.114.114" ], "public": 1, "adversary": "", "targeted_countries": [ "India", "Korea, Republic of", "Japan", "Hong Kong", "Philippines", "Taiwan", "Indonesia", "Australia", "France", "South Africa", "United States of America", "Italy" ], "malware_families": [ { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Danabot", "display_name": "Trojan:Win32/Danabot", "target": "/malware/Trojan:Win32/Danabot" } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": "66e01dc0fd31b731b2d5dac7", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 144, "FileHash-SHA256": 863, "domain": 640, "hostname": 740, "URL": 1117, "email": 3, "CVE": 1 }, "indicator_count": 3652, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "598 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://one.one.one.one/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://one.one.one.one/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780248681.313728 }