{ "type": "URL", "indicator": "https://paste.nrecom.net/view/raw/019f27dd", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://paste.nrecom.net/view/raw/019f27dd", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2643530732, "indicator": "https://paste.nrecom.net/view/raw/019f27dd", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "5f7df280cd3c95f0aad5a1fb", "name": "New pastebin-like service used in multiple malware campaigns", "description": "Juniper Threat Labs identified several malware campaigns that rely on a pastebin-like service for its infection chain. The domain in question is paste.nrecom.net. The attacks usually start as a phishing email and, when a user is tricked into executing the malware, it downloads the succeeding stage of the malware from paste.nrecom.net and loads it into the memory without writing to disk.\n\nAlthough using legitimate web services is not novel, this is the first time that we have seen threat actors use paste.nrecom.net. Among the malware we have identified are AgentTesla, LimeRAT, W3Cryptolocker Ransomware, and Redline Stealer.", "modified": "2020-10-07T16:54:09.437000", "created": "2020-10-07T16:53:20.673000", "tags": [ "AgentTesla", "LimeRAT", "Redline Stealer", "W3Cryptolocker Ransomware", "Ave Maria" ], "references": [ "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "LimeRAT", "display_name": "LimeRAT", "target": null }, { "id": "Redline Stealer", "display_name": "Redline Stealer", "target": null }, { "id": "W3Cryptolocker Ransomware", "display_name": "W3Cryptolocker Ransomware", "target": null }, { "id": "Ave Maria", "display_name": "Ave Maria", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 111, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 83, "URL": 28, "hostname": 1, "FileHash-MD5": 24, "FileHash-SHA1": 24 }, "indicator_count": 160, "is_author": false, "is_subscribing": null, "subscriber_count": 377499, "modified_text": "2019 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69479bd1714bb9552aeb3623", "name": "Cyber trails of malicious actor KillNet by skocherhan", "description": "", "modified": "2025-12-21T07:03:45.053000", "created": "2025-12-21T07:03:45.053000", "tags": [], "references": [ "https://raw.githubusercontent.com/securityscorecard/SSC-Threat-Intel-IoCs/master/KillNet-DDoS-Blocklist/proxylist.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": "6758fd5afdfe6960ccda2cca", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28942, "FileHash-SHA256": 2586, "hostname": 15671, "domain": 9429, "CVE": 4 }, "indicator_count": 56632, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68245681009c35da8f04b45b", "name": "2606:4700:3036::ac43:a8cb (2606:4700:3000::/42)", "description": "Here is a full set of words and phrases used by the BBC to describe the various types of ransomware that can be used to target victims of the Windows operating system, as well as the UK.", "modified": "2025-06-13T07:02:14.919000", "created": "2025-05-14T08:38:25.425000", "tags": [ "assignment", "cloudflare", "admin", "cloudflarenet", "allocation", "cloud14", "townsend stnsan", "warp abuse", "service", "arin rdapwhois", "rdapwhois", "reporting", "copyright", "registry", "wallet", "azaz09", "firefox", "windows nt", "windows", "data", "value", "sandbox", "edge", "msie", "example", "terminal", "phantom", "anubis", "bitcoin", "crypto", "exodus", "android", "keeper", "steam", "webdav", "explorer", "finger", "malware", "schmidti", "dllimport", "emotet", "mozilla", "win64", "insta", "solo", "union", "discord", "liberty", "saturn", "terra", "temple", "harmony", "core", "easy", "ultimate", "cash", "therat", "python image", "load", "python core", "python script", "py2exe", "john", "open threat", "research", "files", "comment", "python dll", "sideloading id", "dll sideloading", "poudel date", "filespython3", "studio", "python dlls", "confuserex mod", "aspirecrypt", "detects", "reactor", "beds protector", "ps2exe", "bsjb", "boxedapp", "cyaxsharp", "cyaxpng", "smartassembly", "koivm", "confuserex", "obfuscator", "aspack", "titan", "enigma", "vmprotect", "strings", "rlpack", "antiem", "antisb", "themida", "loader", "sality", "dnguard" ], "references": [ "https://rdap.arin.net/registry/entity/CLOUD14", "https://rdap.arin.net/registry/entity/CLOUD146-ARIN", "https://rdap.arin.net/registry/entity/ABUSE2916-ARIN", "https://rdap.arin.net/registry/entity/ADMIN2521-ARIN", "https://rdap.arin.net/registry/entity/NOC11962-ARIN", "indicator_suspicious.yar", "Python Image Load By Non-Python Process.yml", "Potential Python DLL SideLoading.yml", "indicator_packed.yar" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TheRat", "display_name": "TheRat", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 870, "email": 4, "hostname": 148, "FileHash-SHA256": 471, "domain": 47, "FileHash-MD5": 2, "FileHash-SHA1": 2, "YARA": 163, "CVE": 1 }, "indicator_count": 1710, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "310 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6758fd5afdfe6960ccda2cca", "name": "Cyber trails of malicious actor KillNet", "description": "", "modified": "2024-12-11T02:47:54.379000", "created": "2024-12-11T02:47:54.379000", "tags": [], "references": [ "https://raw.githubusercontent.com/securityscorecard/SSC-Threat-Intel-IoCs/master/KillNet-DDoS-Blocklist/proxylist.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28942, "FileHash-SHA256": 2586, "hostname": 15671, "domain": 9429, "CVE": 4 }, "indicator_count": 56632, "is_author": false, "is_subscribing": null, "subscriber_count": 180, "modified_text": "494 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns", "https://rdap.arin.net/registry/entity/CLOUD146-ARIN", "https://rdap.arin.net/registry/entity/ABUSE2916-ARIN", "https://rdap.arin.net/registry/entity/NOC11962-ARIN", "https://rdap.arin.net/registry/entity/CLOUD14", "https://raw.githubusercontent.com/securityscorecard/SSC-Threat-Intel-IoCs/master/KillNet-DDoS-Blocklist/proxylist.txt", "Potential Python DLL SideLoading.yml", "Python Image Load By Non-Python Process.yml", "indicator_suspicious.yar", "indicator_packed.yar", "https://rdap.arin.net/registry/entity/ADMIN2521-ARIN" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Agent tesla - s0331", "Ave maria", "W3cryptolocker ransomware", "Limerat", "Redline stealer" ], "industries": [], "unique_indicators": 160 }, "other": { "adversary": [], "malware_families": [ "Therat" ], "industries": [], "unique_indicators": 58292 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/nrecom.net", "whois": "http://whois.domaintools.com/nrecom.net", "domain": "nrecom.net", "hostname": "paste.nrecom.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "5f7df280cd3c95f0aad5a1fb", "name": "New pastebin-like service used in multiple malware campaigns", "description": "Juniper Threat Labs identified several malware campaigns that rely on a pastebin-like service for its infection chain. The domain in question is paste.nrecom.net. The attacks usually start as a phishing email and, when a user is tricked into executing the malware, it downloads the succeeding stage of the malware from paste.nrecom.net and loads it into the memory without writing to disk.\n\nAlthough using legitimate web services is not novel, this is the first time that we have seen threat actors use paste.nrecom.net. Among the malware we have identified are AgentTesla, LimeRAT, W3Cryptolocker Ransomware, and Redline Stealer.", "modified": "2020-10-07T16:54:09.437000", "created": "2020-10-07T16:53:20.673000", "tags": [ "AgentTesla", "LimeRAT", "Redline Stealer", "W3Cryptolocker Ransomware", "Ave Maria" ], "references": [ "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Agent Tesla - S0331", "display_name": "Agent Tesla - S0331", "target": null }, { "id": "LimeRAT", "display_name": "LimeRAT", "target": null }, { "id": "Redline Stealer", "display_name": "Redline Stealer", "target": null }, { "id": "W3Cryptolocker Ransomware", "display_name": "W3Cryptolocker Ransomware", "target": null }, { "id": "Ave Maria", "display_name": "Ave Maria", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 111, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 83, "URL": 28, "hostname": 1, "FileHash-MD5": 24, "FileHash-SHA1": 24 }, "indicator_count": 160, "is_author": false, "is_subscribing": null, "subscriber_count": 377499, "modified_text": "2019 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69479bd1714bb9552aeb3623", "name": "Cyber trails of malicious actor KillNet by skocherhan", "description": "", "modified": "2025-12-21T07:03:45.053000", "created": "2025-12-21T07:03:45.053000", "tags": [], "references": [ "https://raw.githubusercontent.com/securityscorecard/SSC-Threat-Intel-IoCs/master/KillNet-DDoS-Blocklist/proxylist.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": "6758fd5afdfe6960ccda2cca", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28942, "FileHash-SHA256": 2586, "hostname": 15671, "domain": 9429, "CVE": 4 }, "indicator_count": 56632, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68245681009c35da8f04b45b", "name": "2606:4700:3036::ac43:a8cb (2606:4700:3000::/42)", "description": "Here is a full set of words and phrases used by the BBC to describe the various types of ransomware that can be used to target victims of the Windows operating system, as well as the UK.", "modified": "2025-06-13T07:02:14.919000", "created": "2025-05-14T08:38:25.425000", "tags": [ "assignment", "cloudflare", "admin", "cloudflarenet", "allocation", "cloud14", "townsend stnsan", "warp abuse", "service", "arin rdapwhois", "rdapwhois", "reporting", "copyright", "registry", "wallet", "azaz09", "firefox", "windows nt", "windows", "data", "value", "sandbox", "edge", "msie", "example", "terminal", "phantom", "anubis", "bitcoin", "crypto", "exodus", "android", "keeper", "steam", "webdav", "explorer", "finger", "malware", "schmidti", "dllimport", "emotet", "mozilla", "win64", "insta", "solo", "union", "discord", "liberty", "saturn", "terra", "temple", "harmony", "core", "easy", "ultimate", "cash", "therat", "python image", "load", "python core", "python script", "py2exe", "john", "open threat", "research", "files", "comment", "python dll", "sideloading id", "dll sideloading", "poudel date", "filespython3", "studio", "python dlls", "confuserex mod", "aspirecrypt", "detects", "reactor", "beds protector", "ps2exe", "bsjb", "boxedapp", "cyaxsharp", "cyaxpng", "smartassembly", "koivm", "confuserex", "obfuscator", "aspack", "titan", "enigma", "vmprotect", "strings", "rlpack", "antiem", "antisb", "themida", "loader", "sality", "dnguard" ], "references": [ "https://rdap.arin.net/registry/entity/CLOUD14", "https://rdap.arin.net/registry/entity/CLOUD146-ARIN", "https://rdap.arin.net/registry/entity/ABUSE2916-ARIN", "https://rdap.arin.net/registry/entity/ADMIN2521-ARIN", "https://rdap.arin.net/registry/entity/NOC11962-ARIN", "indicator_suspicious.yar", "Python Image Load By Non-Python Process.yml", "Potential Python DLL SideLoading.yml", "indicator_packed.yar" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TheRat", "display_name": "TheRat", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 870, "email": 4, "hostname": 148, "FileHash-SHA256": 471, "domain": 47, "FileHash-MD5": 2, "FileHash-SHA1": 2, "YARA": 163, "CVE": 1 }, "indicator_count": 1710, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "310 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6758fd5afdfe6960ccda2cca", "name": "Cyber trails of malicious actor KillNet", "description": "", "modified": "2024-12-11T02:47:54.379000", "created": "2024-12-11T02:47:54.379000", "tags": [], "references": [ "https://raw.githubusercontent.com/securityscorecard/SSC-Threat-Intel-IoCs/master/KillNet-DDoS-Blocklist/proxylist.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28942, "FileHash-SHA256": 2586, "hostname": 15671, "domain": 9429, "CVE": 4 }, "indicator_count": 56632, "is_author": false, "is_subscribing": null, "subscriber_count": 180, "modified_text": "494 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://paste.nrecom.net/view/raw/019f27dd", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://paste.nrecom.net/view/raw/019f27dd", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776598814.477796 }