{
  "type": "URL",
  "indicator": "https://root443.line.pm",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://root443.line.pm",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3968789441,
      "indicator": "https://root443.line.pm",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "66ba01cb6ef731c30679908b",
          "name": "BusyBox | EternalBlue | MITM Attack | Linux Crime Mirai_Botnet_Malware | Brian Sabey attorney",
          "description": "Verizon Business MCICS?\nMCI Communications Services LLC, Verizon Division, doing business as MCI, is a subsidiary of Verizon Communications Inc. that provides a wide range of telecommunications products and services to U.S. federal government customers.\nHandle \"Swipper\", previously scrubbed from the internet, has been hovering over the target for at least 10 years (attribution as asserted by the pulse author; not independently verified).\n[Known to have used host 152.199.19.161; 152.199.19.161 is an IP address in AS15133, owned by MCI Communications Services, Inc. d/b/a Verizon Business, and located in the US] + [Edgecast Inc ns1.edgecastcdn.net]. Swipper was once linked to a WikiLeaks-associated threat actor who sent malicious emails to targets and Bank of America employees, revealing passcodes ranging from garage door codes to favorite color, ice-cream hobbies and passwords.\n[Bin][BusyBox] BusyBox is a software suite that provides several Unix utilities in a single executable file.",
          "modified": "2024-10-12T00:01:26.015000",
          "created": "2024-08-12T12:36:27.020000",
          "tags": [
            "network",
            "orgdnsref",
            "nethandle",
            "net174",
            "net1740000",
            "mcics",
            "swipp",
            "swipper",
            "jody alaska",
            "jody huffines",
            "verizon",
            "eva120",
            "block id",
            "wirelessdatanetwork",
            "swipp9-arin",
            "united",
            "et exploit",
            "smbds ipc",
            "show",
            "search",
            "default",
            "asnone",
            "nids",
            "generic",
            "query",
            "service",
            "wannacry",
            "ransom",
            "malware",
            "copy",
            "dock",
            "write",
            "eternalblue",
            "recon",
            "suspicious",
            "realtek sdk",
            "miniigd upnp",
            "soap command",
            "exploit",
            "msie",
            "windows nt",
            "high",
            "binbusybox",
            "gafgyt",
            "execution",
            "mirai",
            "newremotehost",
            "mitm",
            "port",
            "destination",
            "newexternalport",
            "newprotocol",
            "newinternalport",
            "rf cum",
            "newenabled",
            "addpo",
            "addportmapping",
            "whois lookups",
            "city",
            "orgdnshandle",
            "stateprov",
            "loudoun county",
            "postalcode",
            "text",
            "javascript",
            "b file",
            "files",
            "file type",
            "json",
            "graph",
            "t1064 executes",
            "modify system",
            "process t1543",
            "systemd service",
            "posts",
            "mitre att",
            "ta0002 command",
            "t1059",
            "create",
            "ta0004 create",
            "ip traffic",
            "hashes",
            "file system",
            "libmultipath",
            "devftwdt101",
            "devsda1 devsda2",
            "files deleted",
            "e procselffd9",
            "h devsda2",
            "created binsh",
            "shell commands",
            "binsh binsh",
            "binsh c",
            "i lo",
            "p m0755",
            "varrunsshd",
            "processes tree",
            "referrer",
            "pe resource",
            "cry kill",
            "formbook",
            "ransomworm",
            "wannacry kill",
            "switch dns",
            "password bypass",
            "account stealer",
            "hiddentear",
            "installer",
            "skynet",
            "get http",
            "memory pattern",
            "http requests",
            "request",
            "host",
            "cachecontrol",
            "response",
            "contentlength",
            "httponly",
            "samesitelax",
            "mofresourcename",
            "settingswpad",
            "registry keys",
            "hdaudiomofname",
            "acpimofresource",
            "mofresource",
            "registry",
            "kernel context",
            "runtime modules",
            "modules",
            "urls",
            "cloudflare",
            "domains",
            "ip detections",
            "country",
            "win32 exe",
            "mb pe",
            "mb graph",
            "summary",
            "pe32 executable",
            "ms windows",
            "intel",
            "ms visual",
            "win16 ne",
            "win32 dynamic",
            "link library",
            "vs98",
            "info compiler",
            "products id",
            "sp6 build",
            "header intel",
            "name md5",
            "type",
            "language",
            "contained",
            "r english",
            "yara rule",
            "et trojan",
            "domain http",
            "cape",
            "yara detections",
            "alerts",
            "logic",
            "status",
            "passive dns",
            "creation date",
            "scan endpoints",
            "all scoreblue",
            "hostname",
            "pulse submit",
            "url analysis",
            "date",
            "next",
            "as6167 verizon",
            "as22394 verizon",
            "showing",
            "entries",
            "aaaa",
            "cname",
            "asnone united",
            "whitelisted",
            "as20446",
            "as8075",
            "ipv4",
            "unknown",
            "emails",
            "expiration date",
            "name servers",
            "aaaa nxdomain",
            "ireland unknown",
            "nxdomain",
            "soa nxdomain",
            "ns nxdomain",
            "a nxdomain",
            "as8068",
            "united kingdom",
            "domain",
            "cve201717215",
            "huawei remote",
            "huawei hg532",
            "malware worm",
            "exploit none",
            "rce",
            "ate hash",
            "spyware",
            "adversary in the middle",
            "smugglers gambit",
            "hitmen",
            "hallrender",
            "sreredrum",
            "pegasus related",
            "brute force",
            "target tsara brashears",
            "brian sabey"
          ],
          "references": [
            "Researched: 174.215.26.0/24 (written as 174.215.26.0/255 in the original note; not valid CIDR as written) AS 6167 (CELLCO-PART) US | Swipper | Loudoun County, VA | Ongoing attacks",
            "Highlighted Text: The following text was observed as standard output,  \"[THEA-MALWARE]: Gimme Cum Pwease XD\"",
            "Trojan.Linux.Mirai.1 | Crime_Mirai | DDoS:Linux/Gafgyt.YA!MTB: FILEHASH - SHA256 a1eff1e00a7d532a6e6d71b3c5328e (truncated: only 30 of 64 hex digits recorded; not usable as a lookup key as written)",
            "Antivirus Detections: ELF:Mirai-AHC\\ [Trj] ,  Unix.Trojan.Mirai-7100807-0 ,  DDoS:Linux/Gafgyt.YA!MTB",
            "IDS Detections: Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
            "IDS Detections: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
            "Yara Detections: Mirai_Botnet_Malware",
            "High Priority Alerts: dead_host network_icmp osquery_detection network_irc nolookup_communication p2p_cnc",
            "Interesting Strings: http://schemas.xmlsoap.org/soap/encoding/ http://0.0.0.0/nope",
            "Interesting Strings: http://schemas.xmlsoap.org/soap/envelope/ 185.244.25.117 127.0.0.1",
            "ELF Info Header ELF32  2's complement, little endian  1 (current)  UNIX - System V  EXEC (Executable file)  Intel 80386  0x1",
            "Matches rule Mirai_Botnet_Malware from ruleset crime_mirai by Florian Roth",
            "Matches rule Linux_Trojan_Mirai_b14f4c5d from ruleset Linux_Trojan_Mirai by Elastic Security",
            "Matches rule SUSP_XORed_Mozilla from ruleset gen_xor_hunting by Florian Roth",
            "Matches rule Linux_Trojan_Mirai_fa3ad9d0 from ruleset Linux_Trojan_Mirai by Elastic Security",
            "https://github.com/Neo23x0/signature-base/search?q=Mirai_Botnet_Malware Desc: Detects Mirai Botnet Malware RULE_AUTHOR: Florian Roth",
            "Crime_WannaCry | Ransom:Win32/WannaCrypt.H | FILEHASH - SHA256  86f7e04aed8403e6b9f0d4ae880a55f7574c1b177cf6c24234ffa992eadb2c52",
            "Yara Detections: WannaCry_Ransomware ,  Win32_Ransomware_WannaCry ,  Wanna_Cry_Ransomware_Generic ,",
            "Yara Detections: MS17_010_WanaCry_worm ,  NHS_Strain_Wanna ,  stack_string ,  MS_Visual_Cpp_6_0",
            "Alerts: nids_exploit_alert nids_malware_alert network_icmp nolookup_communication persistence_autorun network_cnc_http",
            "IDS Detections: W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1",
            "IDS Detections: Domain Sinkholed by Kryptos Logic (HTML Response)",
            "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style)",
            "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
            "IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010",
            "IDS Detections: Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com)",
            "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection",
            "Antivirus Detections: Sf:WNCryLdr-A\\ [Trj] ,  Win.Ransomware.WannaCry-6313787-0 ,  Ransom:Win32/WannaCrypt.H"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "DDoS:Linux/Gafgyt.YA!MTB",
              "display_name": "DDoS:Linux/Gafgyt.YA!MTB",
              "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
            },
            {
              "id": "Unix.Trojan.Mirai-7100807-0",
              "display_name": "Unix.Trojan.Mirai-7100807-0",
              "target": null
            },
            {
              "id": "ELF:Mirai-AHC\\ [Trj]",
              "display_name": "ELF:Mirai-AHC\\ [Trj]",
              "target": null
            },
            {
              "id": "Sf:WNCryLdr-A\\ [Trj]",
              "display_name": "Sf:WNCryLdr-A\\ [Trj]",
              "target": null
            },
            {
              "id": "Ransom:Win32/WannaCrypt.H",
              "display_name": "Ransom:Win32/WannaCrypt.H",
              "target": "/malware/Ransom:Win32/WannaCrypt.H"
            },
            {
              "id": "Win.Ransomware.WannaCry-6313787-0",
              "display_name": "Win.Ransomware.WannaCry-6313787-0",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1557",
              "name": "Man-in-the-Middle",
              "display_name": "T1557 - Man-in-the-Middle"
            }
          ],
          "industries": [
            "Government",
            "Healthcare",
            "Civilian Society"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 41,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2826,
            "CIDR": 2,
            "URL": 549,
            "email": 12,
            "hostname": 587,
            "FileHash-MD5": 806,
            "FileHash-SHA1": 791,
            "BitcoinAddress": 3,
            "domain": 388,
            "CVE": 4
          },
          "indicator_count": 5968,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 230,
          "modified_text": "554 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66ba036c462091e25e94de49",
          "name": "Lazarus Group: Crime_WannaCry | Crime Mirai_Botnet_Malware",
          "description": "",
          "modified": "2024-10-12T00:01:26.015000",
          "created": "2024-08-12T12:43:24.286000",
          "tags": [
            "network",
            "orgdnsref",
            "nethandle",
            "net174",
            "net1740000",
            "mcics",
            "swipp",
            "swipper",
            "jody alaska",
            "jody huffines",
            "verizon",
            "eva120",
            "block id",
            "wirelessdatanetwork",
            "swipp9-arin",
            "united",
            "et exploit",
            "smbds ipc",
            "show",
            "search",
            "default",
            "asnone",
            "nids",
            "generic",
            "query",
            "service",
            "wannacry",
            "ransom",
            "malware",
            "copy",
            "dock",
            "write",
            "eternalblue",
            "recon",
            "suspicious",
            "realtek sdk",
            "miniigd upnp",
            "soap command",
            "exploit",
            "msie",
            "windows nt",
            "high",
            "binbusybox",
            "gafgyt",
            "execution",
            "mirai",
            "newremotehost",
            "mitm",
            "port",
            "destination",
            "newexternalport",
            "newprotocol",
            "newinternalport",
            "rf cum",
            "newenabled",
            "addpo",
            "addportmapping",
            "whois lookups",
            "city",
            "orgdnshandle",
            "stateprov",
            "loudoun county",
            "postalcode",
            "text",
            "javascript",
            "b file",
            "files",
            "file type",
            "json",
            "graph",
            "t1064 executes",
            "modify system",
            "process t1543",
            "systemd service",
            "posts",
            "mitre att",
            "ta0002 command",
            "t1059",
            "create",
            "ta0004 create",
            "ip traffic",
            "hashes",
            "file system",
            "libmultipath",
            "devftwdt101",
            "devsda1 devsda2",
            "files deleted",
            "e procselffd9",
            "h devsda2",
            "created binsh",
            "shell commands",
            "binsh binsh",
            "binsh c",
            "i lo",
            "p m0755",
            "varrunsshd",
            "processes tree",
            "referrer",
            "pe resource",
            "cry kill",
            "formbook",
            "ransomworm",
            "wannacry kill",
            "switch dns",
            "password bypass",
            "account stealer",
            "hiddentear",
            "installer",
            "skynet",
            "get http",
            "memory pattern",
            "http requests",
            "request",
            "host",
            "cachecontrol",
            "response",
            "contentlength",
            "httponly",
            "samesitelax",
            "mofresourcename",
            "settingswpad",
            "registry keys",
            "hdaudiomofname",
            "acpimofresource",
            "mofresource",
            "registry",
            "kernel context",
            "runtime modules",
            "modules",
            "urls",
            "cloudflare",
            "domains",
            "ip detections",
            "country",
            "win32 exe",
            "mb pe",
            "mb graph",
            "summary",
            "pe32 executable",
            "ms windows",
            "intel",
            "ms visual",
            "win16 ne",
            "win32 dynamic",
            "link library",
            "vs98",
            "info compiler",
            "products id",
            "sp6 build",
            "header intel",
            "name md5",
            "type",
            "language",
            "contained",
            "r english",
            "yara rule",
            "et trojan",
            "domain http",
            "cape",
            "yara detections",
            "alerts",
            "logic",
            "status",
            "passive dns",
            "creation date",
            "scan endpoints",
            "all scoreblue",
            "hostname",
            "pulse submit",
            "url analysis",
            "date",
            "next",
            "as6167 verizon",
            "as22394 verizon",
            "showing",
            "entries",
            "aaaa",
            "cname",
            "asnone united",
            "whitelisted",
            "as20446",
            "as8075",
            "ipv4",
            "unknown",
            "emails",
            "expiration date",
            "name servers",
            "aaaa nxdomain",
            "ireland unknown",
            "nxdomain",
            "soa nxdomain",
            "ns nxdomain",
            "a nxdomain",
            "as8068",
            "united kingdom",
            "domain",
            "cve201717215",
            "huawei remote",
            "huawei hg532",
            "malware worm",
            "exploit none",
            "rce",
            "ate hash",
            "spyware",
            "adversary in the middle",
            "smugglers gambit",
            "hitmen",
            "hallrender",
            "sreredrum",
            "pegasus related",
            "brute force",
            "target tsara brashears",
            "brian sabey"
          ],
          "references": [
            "Researched: 174.215.26.0/24 (written as 174.215.26.0/255 in the original note; not valid CIDR as written) AS 6167 (CELLCO-PART) US | Swipper | Loudoun County, VA | Ongoing attacks",
            "Highlighted Text: The following text was observed as standard output,  \"[THEA-MALWARE]: Gimme Cum Pwease XD\"",
            "Trojan.Linux.Mirai.1 | Crime_Mirai | DDoS:Linux/Gafgyt.YA!MTB: FILEHASH - SHA256 a1eff1e00a7d532a6e6d71b3c5328e (truncated: only 30 of 64 hex digits recorded; not usable as a lookup key as written)",
            "Antivirus Detections: ELF:Mirai-AHC\\ [Trj] ,  Unix.Trojan.Mirai-7100807-0 ,  DDoS:Linux/Gafgyt.YA!MTB",
            "IDS Detections: Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
            "IDS Detections: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
            "Yara Detections: Mirai_Botnet_Malware",
            "High Priority Alerts: dead_host network_icmp osquery_detection network_irc nolookup_communication p2p_cnc",
            "Interesting Strings: http://schemas.xmlsoap.org/soap/encoding/ http://0.0.0.0/nope",
            "Interesting Strings: http://schemas.xmlsoap.org/soap/envelope/ 185.244.25.117 127.0.0.1",
            "ELF Info Header ELF32  2's complement, little endian  1 (current)  UNIX - System V  EXEC (Executable file)  Intel 80386  0x1",
            "Matches rule Mirai_Botnet_Malware from ruleset crime_mirai by Florian Roth",
            "Matches rule Linux_Trojan_Mirai_b14f4c5d from ruleset Linux_Trojan_Mirai by Elastic Security",
            "Matches rule SUSP_XORed_Mozilla from ruleset gen_xor_hunting by Florian Roth",
            "Matches rule Linux_Trojan_Mirai_fa3ad9d0 from ruleset Linux_Trojan_Mirai by Elastic Security",
            "https://github.com/Neo23x0/signature-base/search?q=Mirai_Botnet_Malware Desc: Detects Mirai Botnet Malware RULE_AUTHOR: Florian Roth",
            "Crime_WannaCry | Ransom:Win32/WannaCrypt.H | FILEHASH - SHA256  86f7e04aed8403e6b9f0d4ae880a55f7574c1b177cf6c24234ffa992eadb2c52",
            "Yara Detections: WannaCry_Ransomware ,  Win32_Ransomware_WannaCry ,  Wanna_Cry_Ransomware_Generic ,",
            "Yara Detections: MS17_010_WanaCry_worm ,  NHS_Strain_Wanna ,  stack_string ,  MS_Visual_Cpp_6_0",
            "Alerts: nids_exploit_alert nids_malware_alert network_icmp nolookup_communication persistence_autorun network_cnc_http",
            "IDS Detections: W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1",
            "IDS Detections: Domain Sinkholed by Kryptos Logic (HTML Response)",
            "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style)",
            "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
            "IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010",
            "IDS Detections: Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com)",
            "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection",
            "Antivirus Detections: Sf:WNCryLdr-A\\ [Trj] ,  Win.Ransomware.WannaCry-6313787-0 ,  Ransom:Win32/WannaCrypt.H"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "DDoS:Linux/Gafgyt.YA!MTB",
              "display_name": "DDoS:Linux/Gafgyt.YA!MTB",
              "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
            },
            {
              "id": "Unix.Trojan.Mirai-7100807-0",
              "display_name": "Unix.Trojan.Mirai-7100807-0",
              "target": null
            },
            {
              "id": "ELF:Mirai-AHC\\ [Trj]",
              "display_name": "ELF:Mirai-AHC\\ [Trj]",
              "target": null
            },
            {
              "id": "Sf:WNCryLdr-A\\ [Trj]",
              "display_name": "Sf:WNCryLdr-A\\ [Trj]",
              "target": null
            },
            {
              "id": "Ransom:Win32/WannaCrypt.H",
              "display_name": "Ransom:Win32/WannaCrypt.H",
              "target": "/malware/Ransom:Win32/WannaCrypt.H"
            },
            {
              "id": "Win.Ransomware.WannaCry-6313787-0",
              "display_name": "Win.Ransomware.WannaCry-6313787-0",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1557",
              "name": "Man-in-the-Middle",
              "display_name": "T1557 - Man-in-the-Middle"
            }
          ],
          "industries": [
            "Government",
            "Healthcare",
            "Civilian Society"
          ],
          "TLP": "green",
          "cloned_from": "66ba01cb6ef731c30679908b",
          "export_count": 50,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2786,
            "CIDR": 2,
            "URL": 457,
            "email": 12,
            "hostname": 535,
            "FileHash-MD5": 806,
            "FileHash-SHA1": 791,
            "BitcoinAddress": 3,
            "domain": 367,
            "CVE": 4
          },
          "indicator_count": 5763,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 233,
          "modified_text": "554 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "High Priority Alerts: dead_host network_icmp osquery_detection network_irc nolookup_communication p2p_cnc",
        "Yara Detections: MS17_010_WanaCry_worm ,  NHS_Strain_Wanna ,  stack_string ,  MS_Visual_Cpp_6_0",
        "Antivirus Detections Sf:WNCryLdr-A\\ [Trj] ,  Win.Ransomware.WannaCry-6313787-0 ,  Ransom:Win32/WannaCrypt.H",
        "https://github.com/Neo23x0/signature-base/search?q=Mirai_Botnet_Malware Desc: Detects Mirai Botnet Malware RULE_AUTHOR: Florian Roth",
        "Interesting Strings: http://schemas.xmlsoap.org/soap/envelope/ 185.244.25.117 127.0.0.1",
        "Matches rule SUSP_XORed_Mozilla from ruleset gen_xor_hunting by Florian Roth",
        "Matches rule Mirai_Botnet_Malware from ruleset crime_mirai by Florian Roth",
        "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style)",
        "IDS Detections: Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com)",
        "Yara Detections: Mirai_Botnet_Malware",
        "Researched: 174.215.26.0/255 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks",
        "IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010",
        "ELF Info Header ELF32  2's complement, little endian  1 (current)  UNIX - System V  EXEC (Executable file)  Intel 80386  0x1",
        "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection",
        "Interesting Strings: http://schemas.xmlsoap.org/soap/encoding/ http://0.0.0.0/nope",
        "Trojan.Linux.Mirai.1 | Crime_Mirai | DDoS:Linux/Gafgyt.YA!MTB: FILEHASH - SHA256 a1eff1e00a7d532a6e6d71b3c5328e",
        "Highlighted Text: The following text was observed as standard output,  \"[THEA-MALWARE]: Gimme Cum Pwease XD\"",
        "IDS Detections: W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1",
        "Alerts: nids_exploit_alert nids_malware_alert network_icmp nolookup_communication persistence_autorun network_cnc_http",
        "IDS Detections: Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
        "IDS Detections: Domain Sinkholed by Kryptos Logic (HTML Response)",
        "Yara Detections: WannaCry_Ransomware ,  Win32_Ransomware_WannaCry ,  Wanna_Cry_Ransomware_Generic ,",
        "Crime_WannaCry | Ransom:Win32/WannaCrypt.H | FILEHASH - SHA256  86f7e04aed8403e6b9f0d4ae880a55f7574c1b177cf6c24234ffa992eadb2c52",
        "Antivirus Detections: ELF:Mirai-AHC\\ [Trj] ,  Unix.Trojan.Mirai-7100807-0 ,  DDoS:Linux/Gafgyt.YA!MTB",
        "Matches rule Linux_Trojan_Mirai_b14f4c5d from ruleset Linux_Trojan_Mirai by Elastic Security",
        "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
        "IDS Detections: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
        "Matches rule Linux_Trojan_Mirai_fa3ad9d0 from ruleset Linux_Trojan_Mirai by Elastic Security"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Elf:mirai-ahc\\ [trj]",
            "Ddos:linux/gafgyt.ya!mtb",
            "Win.ransomware.wannacry-6313787-0",
            "Mirai",
            "Sf:wncryldr-a\\ [trj]",
            "Ransom:win32/wannacrypt.h",
            "Unix.trojan.mirai-7100807-0"
          ],
          "industries": [
            "Government",
            "Healthcare",
            "Civilian society"
          ],
          "unique_indicators": 6859
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/line.pm",
    "whois": "http://whois.domaintools.com/line.pm",
    "domain": "line.pm",
    "hostname": "root443.line.pm"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "66ba01cb6ef731c30679908b",
      "name": "BusyBox  |Eternal Blue | MITM Attack | Linux Crime Mirai_Botnet_Malware | Brian Sabey attorney",
      "description": "Verizon Business MCICS?\nMCI Communications Services LLC Verizon Division, doing business as MCI, is a subsidiary of Verizon Communications Inc. that provides a wide range of telecommunications products and services to U.S. federal government customers.\nHandle Swipper, previously scrubbed from internet has been hovering over target for at least 10 years.\n[Known to have used Host: 152.199.19.161\n19.161 is an IP address in AS15133 owned by MCICommunicationsServices,Inc.d/b/aVerizonBusiness and located in US] + [Edgecast Inc ns1.edgecastcdn.net] Swipper, once linked to WikiLeaks threat actor who sent malicious emails to targets and Bank of America employees revealing passcodes from garage door codes to favorite color, ice cream hobbies and passwords. \n[Bin][BusyBox] BusyBox is a software suite that provides several Unix utilities in a single executable file.",
      "modified": "2024-10-12T00:01:26.015000",
      "created": "2024-08-12T12:36:27.020000",
      "tags": [
        "network",
        "orgdnsref",
        "nethandle",
        "net174",
        "net1740000",
        "mcics",
        "swipp",
        "swipper",
        "jody alaska",
        "jody huffines",
        "verizon",
        "eva120",
        "block id",
        "wirelessdatanetwork",
        "swipp9-arin",
        "united",
        "et exploit",
        "smbds ipc",
        "show",
        "search",
        "default",
        "asnone",
        "nids",
        "generic",
        "query",
        "service",
        "wannacry",
        "ransom",
        "malware",
        "copy",
        "dock",
        "write",
        "eternalblue",
        "recon",
        "suspicious",
        "realtek sdk",
        "miniigd upnp",
        "soap command",
        "exploit",
        "msie",
        "windows nt",
        "high",
        "binbusybox",
        "gafgyt",
        "execution",
        "mirai",
        "newremotehost",
        "mitm",
        "port",
        "destination",
        "newexternalport",
        "newprotocol",
        "newinternalport",
        "rf cum",
        "newenabled",
        "addpo",
        "addportmapping",
        "whois lookups",
        "city",
        "orgdnshandle",
        "stateprov",
        "loudoun county",
        "postalcode",
        "text",
        "javascript",
        "b file",
        "files",
        "file type",
        "json",
        "graph",
        "t1064 executes",
        "modify system",
        "process t1543",
        "systemd service",
        "posts",
        "mitre att",
        "ta0002 command",
        "t1059",
        "create",
        "ta0004 create",
        "ip traffic",
        "hashes",
        "file system",
        "libmultipath",
        "devftwdt101",
        "devsda1 devsda2",
        "files deleted",
        "e procselffd9",
        "h devsda2",
        "created binsh",
        "shell commands",
        "binsh binsh",
        "binsh c",
        "i lo",
        "p m0755",
        "varrunsshd",
        "processes tree",
        "referrer",
        "pe resource",
        "cry kill",
        "formbook",
        "ransomworm",
        "wannacry kill",
        "switch dns",
        "password bypass",
        "account stealer",
        "hiddentear",
        "installer",
        "skynet",
        "get http",
        "memory pattern",
        "http requests",
        "request",
        "host",
        "cachecontrol",
        "response",
        "contentlength",
        "httponly",
        "samesitelax",
        "mofresourcename",
        "settingswpad",
        "registry keys",
        "hdaudiomofname",
        "acpimofresource",
        "mofresource",
        "registry",
        "kernel context",
        "runtime modules",
        "modules",
        "urls",
        "cloudflare",
        "domains",
        "ip detections",
        "country",
        "win32 exe",
        "mb pe",
        "mb graph",
        "summary",
        "pe32 executable",
        "ms windows",
        "intel",
        "ms visual",
        "win16 ne",
        "win32 dynamic",
        "link library",
        "vs98",
        "info compiler",
        "products id",
        "sp6 build",
        "header intel",
        "name md5",
        "type",
        "language",
        "contained",
        "r english",
        "yara rule",
        "et trojan",
        "domain http",
        "cape",
        "yara detections",
        "alerts",
        "logic",
        "status",
        "passive dns",
        "creation date",
        "scan endpoints",
        "all scoreblue",
        "hostname",
        "pulse submit",
        "url analysis",
        "date",
        "next",
        "as6167 verizon",
        "as22394 verizon",
        "showing",
        "entries",
        "aaaa",
        "cname",
        "asnone united",
        "whitelisted",
        "as20446",
        "as8075",
        "ipv4",
        "unknown",
        "emails",
        "expiration date",
        "name servers",
        "aaaa nxdomain",
        "ireland unknown",
        "nxdomain",
        "soa nxdomain",
        "ns nxdomain",
        "a nxdomain",
        "as8068",
        "united kingdom",
        "domain",
        "cve201717215",
        "huawei remote",
        "huawei hg532",
        "malware worm",
        "exploit none",
        "rce",
        "ate hash",
        "spyware",
        "adversary in the middle",
        "smugglers gambit",
        "hitmen",
        "hallrender",
        "sreredrum",
        "pegasus related",
        "brute force",
        "target tsara brashears",
        "brian sabey"
      ],
      "references": [
        "Researched: 174.215.26.0/255 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks",
        "Highlighted Text: The following text was observed as standard output,  \"[THEA-MALWARE]: Gimme Cum Pwease XD\"",
        "Trojan.Linux.Mirai.1 | Crime_Mirai | DDoS:Linux/Gafgyt.YA!MTB: FILEHASH - SHA256 a1eff1e00a7d532a6e6d71b3c5328e",
        "Antivirus Detections: ELF:Mirai-AHC\\ [Trj] ,  Unix.Trojan.Mirai-7100807-0 ,  DDoS:Linux/Gafgyt.YA!MTB",
        "IDS Detections: Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
        "IDS Detections: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
        "Yara Detections: Mirai_Botnet_Malware",
        "High Priority Alerts: dead_host network_icmp osquery_detection network_irc nolookup_communication p2p_cnc",
        "Interesting Strings: http://schemas.xmlsoap.org/soap/encoding/ http://0.0.0.0/nope",
        "Interesting Strings: http://schemas.xmlsoap.org/soap/envelope/ 185.244.25.117 127.0.0.1",
        "ELF Info Header ELF32  2's complement, little endian  1 (current)  UNIX - System V  EXEC (Executable file)  Intel 80386  0x1",
        "Matches rule Mirai_Botnet_Malware from ruleset crime_mirai by Florian Roth",
        "Matches rule Linux_Trojan_Mirai_b14f4c5d from ruleset Linux_Trojan_Mirai by Elastic Security",
        "Matches rule SUSP_XORed_Mozilla from ruleset gen_xor_hunting by Florian Roth",
        "Matches rule Linux_Trojan_Mirai_fa3ad9d0 from ruleset Linux_Trojan_Mirai by Elastic Security",
        "https://github.com/Neo23x0/signature-base/search?q=Mirai_Botnet_Malware Desc: Detects Mirai Botnet Malware RULE_AUTHOR: Florian Roth",
        "Crime_WannaCry | Ransom:Win32/WannaCrypt.H | FILEHASH - SHA256  86f7e04aed8403e6b9f0d4ae880a55f7574c1b177cf6c24234ffa992eadb2c52",
        "Yara Detections: WannaCry_Ransomware ,  Win32_Ransomware_WannaCry ,  Wanna_Cry_Ransomware_Generic ,",
        "Yara Detections: MS17_010_WanaCry_worm ,  NHS_Strain_Wanna ,  stack_string ,  MS_Visual_Cpp_6_0",
        "Alerts: nids_exploit_alert nids_malware_alert network_icmp nolookup_communication persistence_autorun network_cnc_http",
        "IDS Detections: W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1",
        "IDS Detections: Domain Sinkholed by Kryptos Logic (HTML Response)",
        "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style)",
        "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
        "IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010",
        "IDS Detections: Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com)",
        "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection",
        "Antivirus Detections Sf:WNCryLdr-A\\ [Trj] ,  Win.Ransomware.WannaCry-6313787-0 ,  Ransom:Win32/WannaCrypt.H"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "DDoS:Linux/Gafgyt.YA!MTB",
          "display_name": "DDoS:Linux/Gafgyt.YA!MTB",
          "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
        },
        {
          "id": "Unix.Trojan.Mirai-7100807-0",
          "display_name": "Unix.Trojan.Mirai-7100807-0",
          "target": null
        },
        {
          "id": "ELF:Mirai-AHC\\ [Trj]",
          "display_name": "ELF:Mirai-AHC\\ [Trj]",
          "target": null
        },
        {
          "id": "Sf:WNCryLdr-A\\ [Trj]",
          "display_name": "Sf:WNCryLdr-A\\ [Trj]",
          "target": null
        },
        {
          "id": "Ransom:Win32/WannaCrypt.H",
          "display_name": "Ransom:Win32/WannaCrypt.H",
          "target": "/malware/Ransom:Win32/WannaCrypt.H"
        },
        {
          "id": "Win.Ransomware.WannaCry-6313787-0",
          "display_name": "Win.Ransomware.WannaCry-6313787-0",
          "target": null
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1557",
          "name": "Man-in-the-Middle",
          "display_name": "T1557 - Man-in-the-Middle"
        }
      ],
      "industries": [
        "Government",
        "Healthcare",
        "Civilian Society"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 41,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 2826,
        "CIDR": 2,
        "URL": 549,
        "email": 12,
        "hostname": 587,
        "FileHash-MD5": 806,
        "FileHash-SHA1": 791,
        "BitcoinAddress": 3,
        "domain": 388,
        "CVE": 4
      },
      "indicator_count": 5968,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 230,
      "modified_text": "554 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66ba036c462091e25e94de49",
      "name": "Lazarus Group: Crime_WannaCry | Crime Mirai_Botnet_Malware ",
      "description": "",
      "modified": "2024-10-12T00:01:26.015000",
      "created": "2024-08-12T12:43:24.286000",
      "tags": [
        "network",
        "orgdnsref",
        "nethandle",
        "net174",
        "net1740000",
        "mcics",
        "swipp",
        "swipper",
        "jody alaska",
        "jody huffines",
        "verizon",
        "eva120",
        "block id",
        "wirelessdatanetwork",
        "swipp9-arin",
        "united",
        "et exploit",
        "smbds ipc",
        "show",
        "search",
        "default",
        "asnone",
        "nids",
        "generic",
        "query",
        "service",
        "wannacry",
        "ransom",
        "malware",
        "copy",
        "dock",
        "write",
        "eternalblue",
        "recon",
        "suspicious",
        "realtek sdk",
        "miniigd upnp",
        "soap command",
        "exploit",
        "msie",
        "windows nt",
        "high",
        "binbusybox",
        "gafgyt",
        "execution",
        "mirai",
        "newremotehost",
        "mitm",
        "port",
        "destination",
        "newexternalport",
        "newprotocol",
        "newinternalport",
        "rf cum",
        "newenabled",
        "addpo",
        "addportmapping",
        "whois lookups",
        "city",
        "orgdnshandle",
        "stateprov",
        "loudoun county",
        "postalcode",
        "text",
        "javascript",
        "b file",
        "files",
        "file type",
        "json",
        "graph",
        "t1064 executes",
        "modify system",
        "process t1543",
        "systemd service",
        "posts",
        "mitre att",
        "ta0002 command",
        "t1059",
        "create",
        "ta0004 create",
        "ip traffic",
        "hashes",
        "file system",
        "libmultipath",
        "devftwdt101",
        "devsda1 devsda2",
        "files deleted",
        "e procselffd9",
        "h devsda2",
        "created binsh",
        "shell commands",
        "binsh binsh",
        "binsh c",
        "i lo",
        "p m0755",
        "varrunsshd",
        "processes tree",
        "referrer",
        "pe resource",
        "cry kill",
        "formbook",
        "ransomworm",
        "wannacry kill",
        "switch dns",
        "password bypass",
        "account stealer",
        "hiddentear",
        "installer",
        "skynet",
        "get http",
        "memory pattern",
        "http requests",
        "request",
        "host",
        "cachecontrol",
        "response",
        "contentlength",
        "httponly",
        "samesitelax",
        "mofresourcename",
        "settingswpad",
        "registry keys",
        "hdaudiomofname",
        "acpimofresource",
        "mofresource",
        "registry",
        "kernel context",
        "runtime modules",
        "modules",
        "urls",
        "cloudflare",
        "domains",
        "ip detections",
        "country",
        "win32 exe",
        "mb pe",
        "mb graph",
        "summary",
        "pe32 executable",
        "ms windows",
        "intel",
        "ms visual",
        "win16 ne",
        "win32 dynamic",
        "link library",
        "vs98",
        "info compiler",
        "products id",
        "sp6 build",
        "header intel",
        "name md5",
        "type",
        "language",
        "contained",
        "r english",
        "yara rule",
        "et trojan",
        "domain http",
        "cape",
        "yara detections",
        "alerts",
        "logic",
        "status",
        "passive dns",
        "creation date",
        "scan endpoints",
        "all scoreblue",
        "hostname",
        "pulse submit",
        "url analysis",
        "date",
        "next",
        "as6167 verizon",
        "as22394 verizon",
        "showing",
        "entries",
        "aaaa",
        "cname",
        "asnone united",
        "whitelisted",
        "as20446",
        "as8075",
        "ipv4",
        "unknown",
        "emails",
        "expiration date",
        "name servers",
        "aaaa nxdomain",
        "ireland unknown",
        "nxdomain",
        "soa nxdomain",
        "ns nxdomain",
        "a nxdomain",
        "as8068",
        "united kingdom",
        "domain",
        "cve201717215",
        "huawei remote",
        "huawei hg532",
        "malware worm",
        "exploit none",
        "rce",
        "ate hash",
        "spyware",
        "adversary in the middle",
        "smugglers gambit",
        "hitmen",
        "hallrender",
        "sreredrum",
        "pegasus related",
        "brute force",
        "target tsara brashears",
        "brian sabey"
      ],
      "references": [
        "Researched: 174.215.26.0/255 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks",
        "Highlighted Text: The following text was observed as standard output,  \"[THEA-MALWARE]: Gimme Cum Pwease XD\"",
        "Trojan.Linux.Mirai.1 | Crime_Mirai | DDoS:Linux/Gafgyt.YA!MTB: FILEHASH - SHA256 a1eff1e00a7d532a6e6d71b3c5328e",
        "Antivirus Detections: ELF:Mirai-AHC\\ [Trj] ,  Unix.Trojan.Mirai-7100807-0 ,  DDoS:Linux/Gafgyt.YA!MTB",
        "IDS Detections: Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
        "IDS Detections: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
        "Yara Detections: Mirai_Botnet_Malware",
        "High Priority Alerts: dead_host network_icmp osquery_detection network_irc nolookup_communication p2p_cnc",
        "Interesting Strings: http://schemas.xmlsoap.org/soap/encoding/ http://0.0.0.0/nope",
        "Interesting Strings: http://schemas.xmlsoap.org/soap/envelope/ 185.244.25.117 127.0.0.1",
        "ELF Info Header ELF32  2's complement, little endian  1 (current)  UNIX - System V  EXEC (Executable file)  Intel 80386  0x1",
        "Matches rule Mirai_Botnet_Malware from ruleset crime_mirai by Florian Roth",
        "Matches rule Linux_Trojan_Mirai_b14f4c5d from ruleset Linux_Trojan_Mirai by Elastic Security",
        "Matches rule SUSP_XORed_Mozilla from ruleset gen_xor_hunting by Florian Roth",
        "Matches rule Linux_Trojan_Mirai_fa3ad9d0 from ruleset Linux_Trojan_Mirai by Elastic Security",
        "https://github.com/Neo23x0/signature-base/search?q=Mirai_Botnet_Malware Desc: Detects Mirai Botnet Malware RULE_AUTHOR: Florian Roth",
        "Crime_WannaCry | Ransom:Win32/WannaCrypt.H | FILEHASH - SHA256  86f7e04aed8403e6b9f0d4ae880a55f7574c1b177cf6c24234ffa992eadb2c52",
        "Yara Detections: WannaCry_Ransomware ,  Win32_Ransomware_WannaCry ,  Wanna_Cry_Ransomware_Generic ,",
        "Yara Detections: MS17_010_WanaCry_worm ,  NHS_Strain_Wanna ,  stack_string ,  MS_Visual_Cpp_6_0",
        "Alerts: nids_exploit_alert nids_malware_alert network_icmp nolookup_communication persistence_autorun network_cnc_http",
        "IDS Detections: W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1",
        "IDS Detections: Domain Sinkholed by Kryptos Logic (HTML Response)",
        "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style)",
        "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
        "IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010",
        "IDS Detections: Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com)",
        "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection",
        "Antivirus Detections Sf:WNCryLdr-A\\ [Trj] ,  Win.Ransomware.WannaCry-6313787-0 ,  Ransom:Win32/WannaCrypt.H"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "DDoS:Linux/Gafgyt.YA!MTB",
          "display_name": "DDoS:Linux/Gafgyt.YA!MTB",
          "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
        },
        {
          "id": "Unix.Trojan.Mirai-7100807-0",
          "display_name": "Unix.Trojan.Mirai-7100807-0",
          "target": null
        },
        {
          "id": "ELF:Mirai-AHC\\ [Trj]",
          "display_name": "ELF:Mirai-AHC\\ [Trj]",
          "target": null
        },
        {
          "id": "Sf:WNCryLdr-A\\ [Trj]",
          "display_name": "Sf:WNCryLdr-A\\ [Trj]",
          "target": null
        },
        {
          "id": "Ransom:Win32/WannaCrypt.H",
          "display_name": "Ransom:Win32/WannaCrypt.H",
          "target": "/malware/Ransom:Win32/WannaCrypt.H"
        },
        {
          "id": "Win.Ransomware.WannaCry-6313787-0",
          "display_name": "Win.Ransomware.WannaCry-6313787-0",
          "target": null
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1557",
          "name": "Man-in-the-Middle",
          "display_name": "T1557 - Man-in-the-Middle"
        }
      ],
      "industries": [
        "Government",
        "Healthcare",
        "Civilian Society"
      ],
      "TLP": "green",
      "cloned_from": "66ba01cb6ef731c30679908b",
      "export_count": 50,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 2786,
        "CIDR": 2,
        "URL": 457,
        "email": 12,
        "hostname": 535,
        "FileHash-MD5": 806,
        "FileHash-SHA1": 791,
        "BitcoinAddress": 3,
        "domain": 367,
        "CVE": 4
      },
      "indicator_count": 5763,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 233,
      "modified_text": "554 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://root443.line.pm",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://root443.line.pm",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776613036.1840217
}