{ "type": "URL", "indicator": "https://pastebin.com/raw/zw0gAmpC", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://pastebin.com/raw/zw0gAmpC", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #7443", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain pastebin.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain pastebin.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3824459350, "indicator": "https://pastebin.com/raw/zw0gAmpC", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "672f70d470cdbab07d3bdb8f", "name": "URLHaus Recent URLs", "description": "", "modified": "2025-05-15T13:30:30.738000", "created": "2024-11-09T14:25:24.551000", "tags": [], "references": [ "https://urlhaus.abuse.ch/downloads/csv_recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 313720 }, "indicator_count": 313720, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "381 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6753914772db45d10cac9064", "name": "URLHaus data - 06-12-2024", "description": "", "modified": "2025-01-06T23:11:01.995000", "created": "2024-12-07T00:05:27.047000", "tags": [ "32-bit", "arm", "elf", "Mozi", "mips", "mirai", "SocGholish", "sh", "ua-wget", "ddos", "ascii", "rat", "opendir", "AgentTesla", "exe", "xml-opendir", "fake alert pdf", "Amos", "dmg", "macOS", "redir-302", "us-safari", "ua-safari", "AsyncRAT", "lnk", "PythonStealer", "LummaStealer", "dcrat", "Neshta", "Ahmyth", "apk", "c2", "L3mon", "Manager", "gafgyt", "ConnectBack", "CoinMiner", "pyinstaller", "BillGates", "emotet", "heodo", "tedy", "shellscript", "Braodo", "jjjdnmaaf", "stealer", "malxmr", "rekoobe", "Vidar", "Formbook", "mimikatz", "Stealc", "MeduzaStealer", "Amadey", "meterpreter", "Socks5Systemz", "Loki", "Metasploit", "lokibot", "hajime", "PureLogStealer", "donutloader", "Mellat.apk", "meduza", "njRAT", "rev-base64-loader", "trojan", "invokerbot", "powershell", "pyspy", "monero", "turtleloader", "kmsactivator", "Valyria", "php", "webshell", "backdoor", "shellbot", "discordrat", "htaloader", "bitbucket", "remcos", "paste.ee", "Encoded", "base64-loader", "VenomRAT", "discordapp", "lunastealer", "BlankGrabber", "BABADEDA", "BankMellat", "geo", "GossRAT", "IRATA", "IRN", "pw-1", "zip", "smsspy", "boxter", "alfa-team", "ps", "cloudflare", "reverseshell", "base64" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 80, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "hostname": 18, "domain": 17 }, "indicator_count": 1035, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "509 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a7a4509c2d359bb8638258", "name": "Known Indicators of Compromise Associated with Androxgh0st Malware | CISA", "description": "The FBI and CISA have issued a joint cybersecurity advisory, warning about the threat posed by malware known as Androxgh0st, which can compromise networks and attack critical infrastructure around the world.", "modified": "2024-02-16T09:00:06.040000", "created": "2024-01-17T09:56:32.097000", "tags": [ "cisa", "mitre att", "androxgh0st", "technique title", "smtp", "php code", "post request", "id use", "cpgs", "nist", "apache", "threat" ], "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "Androxgh0st", "display_name": "Androxgh0st", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1531", "name": "Account Access Removal", "display_name": "T1531 - Account Access Removal" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "hostname": 4, "CVE": 3, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 8, "domain": 4 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "835 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a78672cf81a1fb0544e7c6", "name": "LockBitz | Androxgh0st associated FBI & CISA known IoC's", "description": "The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware. Multiple, ongoing investigations and trusted third party reporting yielded the IOCs and TTPs, and provided information on the Androxgh0st malware\u2019s ability to establish a botnet that can further identify and compromise vulnerable networks. The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of cybersecurity incidents caused by Androxgh0st infections.\n[Cite: jim.reprogle]", "modified": "2024-02-16T07:02:37.873000", "created": "2024-01-17T07:49:06.820000", "tags": [ "filehashsha1", "filehashmd5", "filehashsha256", "url http", "url https", "search", "type indicator", "role title", "added active", "related pulses", "androxgh0st", "python", "execution", "persistence", "simplehashvalue", "cybox", "fileobj", "stix", "attackpatterns", "indicator", "cyboxcommon", "behavior", "hash", "title", "whois record", "contacted", "ssl certificate", "contacted urls", "referrer", "threat roundup", "august", "march", "known", "lockbit", "malware", "core" ], "references": [ "https://mc.rockylinux.si/seoforce/triggers/files/evil.txt [malware_hosting]", "mc.rockylinux.si [malware_hosting]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AndroxGh0st", "display_name": "AndroxGh0st", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 36, "hostname": 69, "FileHash-MD5": 48, "FileHash-SHA1": 46, "FileHash-SHA256": 236, "domain": 23 }, "indicator_count": 458, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "835 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a7867407682ea01c4ff89e", "name": "LockBitz | Androxgh0st associated FBI & CISA known IoC's", "description": "The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware. Multiple, ongoing investigations and trusted third party reporting yielded the IOCs and TTPs, and provided information on the Androxgh0st malware\u2019s ability to establish a botnet that can further identify and compromise vulnerable networks. The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of cybersecurity incidents caused by Androxgh0st infections.\n[Cite: jim.reprogle]", "modified": "2024-02-16T07:02:37.873000", "created": "2024-01-17T07:49:08.662000", "tags": [ "filehashsha1", "filehashmd5", "filehashsha256", "url http", "url https", "search", "type indicator", "role title", "added active", "related pulses", "androxgh0st", "python", "execution", "persistence", "simplehashvalue", "cybox", "fileobj", "stix", "attackpatterns", "indicator", "cyboxcommon", "behavior", "hash", "title", "whois record", "contacted", "ssl certificate", "contacted urls", "referrer", "threat roundup", "august", "march", "known", "lockbit", "malware", "core" ], "references": [ "https://mc.rockylinux.si/seoforce/triggers/files/evil.txt [malware_hosting]", "mc.rockylinux.si [malware_hosting]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AndroxGh0st", "display_name": "AndroxGh0st", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 36, "hostname": 69, "FileHash-MD5": 48, "FileHash-SHA1": 46, "FileHash-SHA256": 236, "domain": 23 }, "indicator_count": 458, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "835 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a707db0203058ee4eb9bc4", "name": "Known Indicators of Compromise Associated with Androxgh0st Malware", "description": "The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware. Multiple, ongoing investigations and trusted third party reporting yielded the IOCs and TTPs, and provided information on the Androxgh0st malware\u2019s ability to establish a botnet that can further identify and compromise vulnerable networks. The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of cybersecurity incidents caused by Androxgh0st infections.", "modified": "2024-02-15T22:03:50.387000", "created": "2024-01-16T22:48:59.709000", "tags": [ "cyboxcommon", "stix", "indicator", "title", "hash", "behavior", "attackpatterns", "fileobj", "simplehashvalue", "cybox", "persistence", "execution", "python", "androxgh0st" ], "references": [], "public": 1, "adversary": "Androxgh0st", "targeted_countries": [], "malware_families": [ { "id": "Androxgh0st", "display_name": "Androxgh0st", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jim.reprogle", "id": "98953", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_98953/resized/80/avatar_ad7bc863ac.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7, "hostname": 3, "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "domain": 2 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "836 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a75418b374c4bc7e9675b3", "name": "Androxgh0st \uc545\uc131\ucf54\ub4dc\uc640 \uad00\ub828\ub41c \uc54c\ub824\uc9c4 \uc190\uc0c1 \uc9c0\ud45c", "description": "", "modified": "2024-01-17T04:14:16.630000", "created": "2024-01-17T04:14:16.630000", "tags": [ "OSINT", "Androxgh0st", "Botnet", "T1595.002 - Active Scanning: Vulnerability Scanning", "T1583.005 - Acquire Infrastructure: Botnet", "T1583.006 - Acquire Infrastructure: Web Services", "T1190 - Exploit Public-Facing Application", "T1059.006 - Command and Scripting Interpreter: Python", "T1078 - Valid Accounts", "T1505.003 - Server Software Component: Web Shell", "T1136 - Create Account", "T1027.010 - Obfuscated Files or Information: Command Obfuscation", "T1552.001 - Unsecured Credentials: Credentials in Files", "T1114 - Email Collection", "T1105 - Ingress Tool Transfer" ], "references": [ "https://community.riskiq.com/article/f522385a" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65a71b49085ae12d6196f65d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jaehwanjoa7767fhfghgfhfd", "id": "268006", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8, "URL": 8 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 27, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a71b49085ae12d6196f65d", "name": "Known Indicators of Compromise Associated with Androxgh0st Malware", "description": "", "modified": "2024-01-17T00:11:53.559000", "created": "2024-01-17T00:11:53.559000", "tags": [ "OSINT", "Androxgh0st", "Botnet", "T1595.002 - Active Scanning: Vulnerability Scanning", "T1583.005 - Acquire Infrastructure: Botnet", "T1583.006 - Acquire Infrastructure: Web Services", "T1190 - Exploit Public-Facing Application", "T1059.006 - Command and Scripting Interpreter: Python", "T1078 - Valid Accounts", "T1505.003 - Server Software Component: Web Shell", "T1136 - Create Account", "T1027.010 - Obfuscated Files or Information: Command Obfuscation", "T1552.001 - Unsecured Credentials: Credentials in Files", "T1114 - Email Collection", "T1105 - Ingress Tool Transfer" ], "references": [ "https://community.riskiq.com/article/f522385a" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8, "URL": 8 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://community.riskiq.com/article/f522385a", "https://mc.rockylinux.si/seoforce/triggers/files/evil.txt [malware_hosting]", "mc.rockylinux.si [malware_hosting]", "https://urlhaus.abuse.ch/browse/", "https://urlhaus.abuse.ch/downloads/csv_recent/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Androxgh0st" ], "malware_families": [ "Lockbit", "Threat", "Androxgh0st" ], "industries": [], "unique_indicators": 313767 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/pastebin.com", "whois": "http://whois.domaintools.com/pastebin.com", "domain": "pastebin.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "672f70d470cdbab07d3bdb8f", "name": "URLHaus Recent URLs", "description": "", "modified": "2025-05-15T13:30:30.738000", "created": "2024-11-09T14:25:24.551000", "tags": [], "references": [ "https://urlhaus.abuse.ch/downloads/csv_recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 313720 }, "indicator_count": 313720, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "381 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6753914772db45d10cac9064", "name": "URLHaus data - 06-12-2024", "description": "", "modified": "2025-01-06T23:11:01.995000", "created": "2024-12-07T00:05:27.047000", "tags": [ "32-bit", "arm", "elf", "Mozi", "mips", "mirai", "SocGholish", "sh", "ua-wget", "ddos", "ascii", "rat", "opendir", "AgentTesla", "exe", "xml-opendir", "fake alert pdf", "Amos", "dmg", "macOS", "redir-302", "us-safari", "ua-safari", "AsyncRAT", "lnk", "PythonStealer", "LummaStealer", "dcrat", "Neshta", "Ahmyth", "apk", "c2", "L3mon", "Manager", "gafgyt", "ConnectBack", "CoinMiner", "pyinstaller", "BillGates", "emotet", "heodo", "tedy", "shellscript", "Braodo", "jjjdnmaaf", "stealer", "malxmr", "rekoobe", "Vidar", "Formbook", "mimikatz", "Stealc", "MeduzaStealer", "Amadey", "meterpreter", "Socks5Systemz", "Loki", "Metasploit", "lokibot", "hajime", "PureLogStealer", "donutloader", "Mellat.apk", "meduza", "njRAT", "rev-base64-loader", "trojan", "invokerbot", "powershell", "pyspy", "monero", "turtleloader", "kmsactivator", "Valyria", "php", "webshell", "backdoor", "shellbot", "discordrat", "htaloader", "bitbucket", "remcos", "paste.ee", "Encoded", "base64-loader", "VenomRAT", "discordapp", "lunastealer", "BlankGrabber", "BABADEDA", "BankMellat", "geo", "GossRAT", "IRATA", "IRN", "pw-1", "zip", "smsspy", "boxter", "alfa-team", "ps", "cloudflare", "reverseshell", "base64" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 80, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "hostname": 18, "domain": 17 }, "indicator_count": 1035, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "509 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a7a4509c2d359bb8638258", "name": "Known Indicators of Compromise Associated with Androxgh0st Malware | CISA", "description": "The FBI and CISA have issued a joint cybersecurity advisory, warning about the threat posed by malware known as Androxgh0st, which can compromise networks and attack critical infrastructure around the world.", "modified": "2024-02-16T09:00:06.040000", "created": "2024-01-17T09:56:32.097000", "tags": [ "cisa", "mitre att", "androxgh0st", "technique title", "smtp", "php code", "post request", "id use", "cpgs", "nist", "apache", "threat" ], "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "Androxgh0st", "display_name": "Androxgh0st", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1531", "name": "Account Access Removal", "display_name": "T1531 - Account Access Removal" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "hostname": 4, "CVE": 3, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 8, "domain": 4 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "835 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a78672cf81a1fb0544e7c6", "name": "LockBitz | Androxgh0st associated FBI & CISA known IoC's", "description": "The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware. Multiple, ongoing investigations and trusted third party reporting yielded the IOCs and TTPs, and provided information on the Androxgh0st malware\u2019s ability to establish a botnet that can further identify and compromise vulnerable networks. The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of cybersecurity incidents caused by Androxgh0st infections.\n[Cite: jim.reprogle]", "modified": "2024-02-16T07:02:37.873000", "created": "2024-01-17T07:49:06.820000", "tags": [ "filehashsha1", "filehashmd5", "filehashsha256", "url http", "url https", "search", "type indicator", "role title", "added active", "related pulses", "androxgh0st", "python", "execution", "persistence", "simplehashvalue", "cybox", "fileobj", "stix", "attackpatterns", "indicator", "cyboxcommon", "behavior", "hash", "title", "whois record", "contacted", "ssl certificate", "contacted urls", "referrer", "threat roundup", "august", "march", "known", "lockbit", "malware", "core" ], "references": [ "https://mc.rockylinux.si/seoforce/triggers/files/evil.txt [malware_hosting]", "mc.rockylinux.si [malware_hosting]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AndroxGh0st", "display_name": "AndroxGh0st", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 36, "hostname": 69, "FileHash-MD5": 48, "FileHash-SHA1": 46, "FileHash-SHA256": 236, "domain": 23 }, "indicator_count": 458, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "835 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a7867407682ea01c4ff89e", "name": "LockBitz | Androxgh0st associated FBI & CISA known IoC's", "description": "The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware. Multiple, ongoing investigations and trusted third party reporting yielded the IOCs and TTPs, and provided information on the Androxgh0st malware\u2019s ability to establish a botnet that can further identify and compromise vulnerable networks. The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of cybersecurity incidents caused by Androxgh0st infections.\n[Cite: jim.reprogle]", "modified": "2024-02-16T07:02:37.873000", "created": "2024-01-17T07:49:08.662000", "tags": [ "filehashsha1", "filehashmd5", "filehashsha256", "url http", "url https", "search", "type indicator", "role title", "added active", "related pulses", "androxgh0st", "python", "execution", "persistence", "simplehashvalue", "cybox", "fileobj", "stix", "attackpatterns", "indicator", "cyboxcommon", "behavior", "hash", "title", "whois record", "contacted", "ssl certificate", "contacted urls", "referrer", "threat roundup", "august", "march", "known", "lockbit", "malware", "core" ], "references": [ "https://mc.rockylinux.si/seoforce/triggers/files/evil.txt [malware_hosting]", "mc.rockylinux.si [malware_hosting]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AndroxGh0st", "display_name": "AndroxGh0st", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 36, "hostname": 69, "FileHash-MD5": 48, "FileHash-SHA1": 46, "FileHash-SHA256": 236, "domain": 23 }, "indicator_count": 458, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "835 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a707db0203058ee4eb9bc4", "name": "Known Indicators of Compromise Associated with Androxgh0st Malware", "description": "The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware. Multiple, ongoing investigations and trusted third party reporting yielded the IOCs and TTPs, and provided information on the Androxgh0st malware\u2019s ability to establish a botnet that can further identify and compromise vulnerable networks. The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of cybersecurity incidents caused by Androxgh0st infections.", "modified": "2024-02-15T22:03:50.387000", "created": "2024-01-16T22:48:59.709000", "tags": [ "cyboxcommon", "stix", "indicator", "title", "hash", "behavior", "attackpatterns", "fileobj", "simplehashvalue", "cybox", "persistence", "execution", "python", "androxgh0st" ], "references": [], "public": 1, "adversary": "Androxgh0st", "targeted_countries": [], "malware_families": [ { "id": "Androxgh0st", "display_name": "Androxgh0st", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jim.reprogle", "id": "98953", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_98953/resized/80/avatar_ad7bc863ac.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7, "hostname": 3, "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "domain": 2 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "836 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a75418b374c4bc7e9675b3", "name": "Androxgh0st \uc545\uc131\ucf54\ub4dc\uc640 \uad00\ub828\ub41c \uc54c\ub824\uc9c4 \uc190\uc0c1 \uc9c0\ud45c", "description": "", "modified": "2024-01-17T04:14:16.630000", "created": "2024-01-17T04:14:16.630000", "tags": [ "OSINT", "Androxgh0st", "Botnet", "T1595.002 - Active Scanning: Vulnerability Scanning", "T1583.005 - Acquire Infrastructure: Botnet", "T1583.006 - Acquire Infrastructure: Web Services", "T1190 - Exploit Public-Facing Application", "T1059.006 - Command and Scripting Interpreter: Python", "T1078 - Valid Accounts", "T1505.003 - Server Software Component: Web Shell", "T1136 - Create Account", "T1027.010 - Obfuscated Files or Information: Command Obfuscation", "T1552.001 - Unsecured Credentials: Credentials in Files", "T1114 - Email Collection", "T1105 - Ingress Tool Transfer" ], "references": [ "https://community.riskiq.com/article/f522385a" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65a71b49085ae12d6196f65d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jaehwanjoa7767fhfghgfhfd", "id": "268006", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8, "URL": 8 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 27, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a71b49085ae12d6196f65d", "name": "Known Indicators of Compromise Associated with Androxgh0st Malware", "description": "", "modified": "2024-01-17T00:11:53.559000", "created": "2024-01-17T00:11:53.559000", "tags": [ "OSINT", "Androxgh0st", "Botnet", "T1595.002 - Active Scanning: Vulnerability Scanning", "T1583.005 - Acquire Infrastructure: Botnet", "T1583.006 - Acquire Infrastructure: Web Services", "T1190 - Exploit Public-Facing Application", "T1059.006 - Command and Scripting Interpreter: Python", "T1078 - Valid Accounts", "T1505.003 - Server Software Component: Web Shell", "T1136 - Create Account", "T1027.010 - Obfuscated Files or Information: Command Obfuscation", "T1552.001 - Unsecured Credentials: Credentials in Files", "T1114 - Email Collection", "T1105 - Ingress Tool Transfer" ], "references": [ "https://community.riskiq.com/article/f522385a" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8, "URL": 8 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://pastebin.com/raw/zw0gAmpC", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://pastebin.com/raw/zw0gAmpC", "type": "URL", "found": true, "verdict": "malicious", "url_status": "offline", "threat": "malware_download", "tags": [ "php", "webshell" ], "date_added": "2024-12-06", "last_online": "2024-12-31", "reporter": "abus3reports", "host": "pastebin.com", "payloads": [ { "filename": null, "file_type": "txt", "md5": "fe53c38f61588efd90af97185e315612", "sha256": "ca45a14d0e88e4aa408a6ac2ee3012bf9994b16b74e3c66b588c7eabaaec4d72", "signature": null, "first_seen": "2024-12-06" } ], "error": null }, "from_cache": true, "_cached_at": 1780266203.703961 }