{ "type": "URL", "indicator": "https://roundcube.nevm.de/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://roundcube.nevm.de/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3893188171, "indicator": "https://roundcube.nevm.de/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "6893032410060f658d862c60", "name": "Hosting App - Partial research | Emotet Worm", "description": "#firebase #google #dark_web_hosting #ransom #tracking #locate #monitored_targets #worm #emotet #malware #remoted_devices #trojan #reputation\n\n\u2022 Targets likely unaware.\n\n[m.pornsexer.xxx.3.1.adiosfil.roksit.net - reputation tool]", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:24:20.645000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68930449988277cd29c25cb7", "name": "https://firebase.google.com/ - Ransom \u2022 Wiper\u2022 Trojan dropper", "description": "", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:29:13.136000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": "6893032410060f658d862c60", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687b5499d48de6e54f3bff11", "name": "213.174.130.70 - Spyware Install | Emotet via Malware sites", "description": "Malicious IP address for multiple malware domains. Very malicious spyware, will hijack network and devices. \n\u2022 Best Targeted sites \nSpyware Install\n\u2022 Garveep POST CnC\nBeacon\n\u2022 Worm.Mydoom\nCheckin\n\n#endgame #emotet #mydoom #malware_domains #install_spyware #monitered_targets", "modified": "2025-08-18T08:00:43.712000", "created": "2025-07-19T08:17:29.443000", "tags": [ "handle", "ripe ncc", "ripe network", "address range", "cidr", "allocation type", "assigned pa", "status", "whois server", "entity ah36ripe", "algorithm", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "date", "abuse contact", "orgid", "orgtechhandle", "address", "orgabuseref", "postalcode", "ripe", "seen", "update date", "tech email", "admin country", "expiration date", "dnssec", "admin id", "mi11255597wp", "msie", "chrome", "passive dns", "united", "ipv4 add", "pulse submit", "url analysis", "urls", "files", "hosting", "open", "body", "extraction", "data upload", "failed", "include review", "anorexx", "video", "father sex", "ebony riding", "ebony", "roberta", "type win32", "exe size", "mb first", "file name", "sentinelone", "present jul", "present oct", "entries http", "memcommit", "t1055", "read c", "search", "entries", "show", "medium", "showing", "high process", "injection t1055", "copy", "write", "win32", "malware", "tsara brashears", "tsara", "pornhub", "porn videos", "watch tsara", "most relevant", "open threat", "exchange", "public", "https", "green", "daily", "brashears", "porn", "watch", "busty xxx", "filter tsara", "brashears porn", "url add", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "md5 sha256", "google safe", "browsing", "dynamicloader", "dynamic", "read", "delete", "mtb apr", "trojan", "lowfi", "virtool", "icloader apr", "otx telemetry", "australia", "exploit", "cobalt strike", "hostile", "trojanspy", "msil", "win64", "pulse", "alerts", "yara rule", "named pipe", "xe7xf3xf2x14x9d", "high", "delphi", "local", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "defense evasion", "adversaries", "spawns", "found", "process details", "flag", "contacted", "meta", "location united", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "size", "beginstring", "null", "type data", "error", "span", "hybrid", "general", "click", "strings", "refresh", "tools", "pattern match", "show technique", "mitre att", "ck matrix", "ascii text", "show process", "utf8", "crlf line", "network traffic", "path", "included", "review", "excludea", "sugges data", "typ url", "url url", "url hos", "hos hos", "extraction f", "enter so", "u extractio", "extra data", "included review", "ic excluded", "suggeste", "pulses", "md5 google", "safe browsing", "virustotal api", "comments", "ally s", "extraction data", "enter soudcfidi", "ad temdac", "cddad ad", "praw type", "extr", "include u", "creation date", "record value", "gmt content", "x adblock", "certificate", "domain", "encrypt", "sec ch", "ch ua", "unknown aaaa", "ua full", "ua platform", "present jun", "moved", "ip address", "doctype html", "lander script", "head", "method", "allowed date", "arizona", "scottsdale", "go daddy", "authority", "next associated", "extraction fail", "enter soupce", "udi ad", "trydda dada", "panca type", "ur extraction", "s data", "pr extract", "servers", "hostname", "files ip", "denmark unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 4, "URL": 7528, "domain": 1822, "hostname": 2015, "email": 5, "FileHash-MD5": 373, "FileHash-SHA1": 363, "FileHash-SHA256": 1939 }, "indicator_count": 14049, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f6f2cd37f508d362c2db", "name": "PegaSystems | Apple iOS iPad | Malicious | Tracking", "description": "", "modified": "2024-07-01T00:23:14.084000", "created": "2024-07-01T00:23:14.084000", "tags": [ "united", "passive dns", "as14449", "moved", "urls", "authority", "body", "object", "certificate", "scan endpoints", "unknown", "date", "as11377", "as16552 tiggee", "as174 cogent", "ireland unknown", "cname", "as11404 wave", "all scoreblue", "pulse pulses", "entries", "ipv4", "pulse submit", "url analysis", "dynamicloader", "port", "destination", "high", "medium", "windows", "cmd c", "default", "document file", "v2 document", "write", "copy", "name verdict", "falcon sandbox", "sha1", "sha256", "misc attack", "mitre att", "et tor", "known tor", "relayrouter", "exit", "node traffic", "ascii text", "hybrid", "starfield", "click", "strings", "core", "contact", "as396982 google", "historical ssl", "referrer", "co20230203", "malware", "discord", "credential", "lunar client", "trendmicro av", "neural netw", "upscayl", "steam game", "server", "domain status", "registrar abuse", "google", "community", "record type", "ttl value", "data", "v3 serial", "number" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": "664fceb9e0acfc0baee851c2", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 75, "URL": 3584, "domain": 836, "hostname": 1749, "FileHash-SHA256": 726, "FileHash-MD5": 88, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 7068, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "657 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "664fceb9e0acfc0baee851c2", "name": "PegaSystems | Apple iOS iPad | Malicious | Tracking", "description": "Tags, findings of this report is auto generated by Level Blue OTX.AlienVault.\nPer my research: \nMalicious Score: 10/10\nAlerts: Alerts\nransomware_file_modifications, script_created_process, stealth_network, infostealer_cookies, suspicious_command_tools,\ndynamic_function_loading, reads_self,\nstealth_window, cmdline_http_link, uses_windows_utilities, antidebug_setunhandledexceptionfilter, cmdline_terminate, stealth_timeout,\n\nAffected Device: Apples iOS Ipad, Update 17.5.1\npegasystems.voicestorm.com -Cisco Umbrella {permanently moved as of 5.23.2024} found in Apple link - http://apps.apple.com/app/, nsis, downloaders,injection, data local, remotewd devices, tracking,", "modified": "2024-06-22T23:05:37.577000", "created": "2024-05-23T23:18:17.563000", "tags": [ "united", "passive dns", "as14449", "moved", "urls", "authority", "body", "object", "certificate", "scan endpoints", "unknown", "date", "as11377", "as16552 tiggee", "as174 cogent", "ireland unknown", "cname", "as11404 wave", "all scoreblue", "pulse pulses", "entries", "ipv4", "pulse submit", "url analysis", "dynamicloader", "port", "destination", "high", "medium", "windows", "cmd c", "default", "document file", "v2 document", "write", "copy", "name verdict", "falcon sandbox", "sha1", "sha256", "misc attack", "mitre att", "et tor", "known tor", "relayrouter", "exit", "node traffic", "ascii text", "hybrid", "starfield", "click", "strings", "core", "contact", "as396982 google", "historical ssl", "referrer", "co20230203", "malware", "discord", "credential", "lunar client", "trendmicro av", "neural netw", "upscayl", "steam game", "server", "domain status", "registrar abuse", "google", "community", "record type", "ttl value", "data", "v3 serial", "number" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 75, "URL": 3584, "domain": 836, "hostname": 1749, "FileHash-SHA256": 726, "FileHash-MD5": 88, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 7068, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "665 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 30359 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/nevm.de", "whois": "http://whois.domaintools.com/nevm.de", "domain": "nevm.de", "hostname": "roundcube.nevm.de" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "6893032410060f658d862c60", "name": "Hosting App - Partial research | Emotet Worm", "description": "#firebase #google #dark_web_hosting #ransom #tracking #locate #monitored_targets #worm #emotet #malware #remoted_devices #trojan #reputation\n\n\u2022 Targets likely unaware.\n\n[m.pornsexer.xxx.3.1.adiosfil.roksit.net - reputation tool]", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:24:20.645000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68930449988277cd29c25cb7", "name": "https://firebase.google.com/ - Ransom \u2022 Wiper\u2022 Trojan dropper", "description": "", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:29:13.136000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": "6893032410060f658d862c60", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687b5499d48de6e54f3bff11", "name": "213.174.130.70 - Spyware Install | Emotet via Malware sites", "description": "Malicious IP address for multiple malware domains. Very malicious spyware, will hijack network and devices. \n\u2022 Best Targeted sites \nSpyware Install\n\u2022 Garveep POST CnC\nBeacon\n\u2022 Worm.Mydoom\nCheckin\n\n#endgame #emotet #mydoom #malware_domains #install_spyware #monitered_targets", "modified": "2025-08-18T08:00:43.712000", "created": "2025-07-19T08:17:29.443000", "tags": [ "handle", "ripe ncc", "ripe network", "address range", "cidr", "allocation type", "assigned pa", "status", "whois server", "entity ah36ripe", "algorithm", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "date", "abuse contact", "orgid", "orgtechhandle", "address", "orgabuseref", "postalcode", "ripe", "seen", "update date", "tech email", "admin country", "expiration date", "dnssec", "admin id", "mi11255597wp", "msie", "chrome", "passive dns", "united", "ipv4 add", "pulse submit", "url analysis", "urls", "files", "hosting", "open", "body", "extraction", "data upload", "failed", "include review", "anorexx", "video", "father sex", "ebony riding", "ebony", "roberta", "type win32", "exe size", "mb first", "file name", "sentinelone", "present jul", "present oct", "entries http", "memcommit", "t1055", "read c", "search", "entries", "show", "medium", "showing", "high process", "injection t1055", "copy", "write", "win32", "malware", "tsara brashears", "tsara", "pornhub", "porn videos", "watch tsara", "most relevant", "open threat", "exchange", "public", "https", "green", "daily", "brashears", "porn", "watch", "busty xxx", "filter tsara", "brashears porn", "url add", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "md5 sha256", "google safe", "browsing", "dynamicloader", "dynamic", "read", "delete", "mtb apr", "trojan", "lowfi", "virtool", "icloader apr", "otx telemetry", "australia", "exploit", "cobalt strike", "hostile", "trojanspy", "msil", "win64", "pulse", "alerts", "yara rule", "named pipe", "xe7xf3xf2x14x9d", "high", "delphi", "local", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "defense evasion", "adversaries", "spawns", "found", "process details", "flag", "contacted", "meta", "location united", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "size", "beginstring", "null", "type data", "error", "span", "hybrid", "general", "click", "strings", "refresh", "tools", "pattern match", "show technique", "mitre att", "ck matrix", "ascii text", "show process", "utf8", "crlf line", "network traffic", "path", "included", "review", "excludea", "sugges data", "typ url", "url url", "url hos", "hos hos", "extraction f", "enter so", "u extractio", "extra data", "included review", "ic excluded", "suggeste", "pulses", "md5 google", "safe browsing", "virustotal api", "comments", "ally s", "extraction data", "enter soudcfidi", "ad temdac", "cddad ad", "praw type", "extr", "include u", "creation date", "record value", "gmt content", "x adblock", "certificate", "domain", "encrypt", "sec ch", "ch ua", "unknown aaaa", "ua full", "ua platform", "present jun", "moved", "ip address", "doctype html", "lander script", "head", "method", "allowed date", "arizona", "scottsdale", "go daddy", "authority", "next associated", "extraction fail", "enter soupce", "udi ad", "trydda dada", "panca type", "ur extraction", "s data", "pr extract", "servers", "hostname", "files ip", "denmark unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 4, "URL": 7528, "domain": 1822, "hostname": 2015, "email": 5, "FileHash-MD5": 373, "FileHash-SHA1": 363, "FileHash-SHA256": 1939 }, "indicator_count": 14049, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f6f2cd37f508d362c2db", "name": "PegaSystems | Apple iOS iPad | Malicious | Tracking", "description": "", "modified": "2024-07-01T00:23:14.084000", "created": "2024-07-01T00:23:14.084000", "tags": [ "united", "passive dns", "as14449", "moved", "urls", "authority", "body", "object", "certificate", "scan endpoints", "unknown", "date", "as11377", "as16552 tiggee", "as174 cogent", "ireland unknown", "cname", "as11404 wave", "all scoreblue", "pulse pulses", "entries", "ipv4", "pulse submit", "url analysis", "dynamicloader", "port", "destination", "high", "medium", "windows", "cmd c", "default", "document file", "v2 document", "write", "copy", "name verdict", "falcon sandbox", "sha1", "sha256", "misc attack", "mitre att", "et tor", "known tor", "relayrouter", "exit", "node traffic", "ascii text", "hybrid", "starfield", "click", "strings", "core", "contact", "as396982 google", "historical ssl", "referrer", "co20230203", "malware", "discord", "credential", "lunar client", "trendmicro av", "neural netw", "upscayl", "steam game", "server", "domain status", "registrar abuse", "google", "community", "record type", "ttl value", "data", "v3 serial", "number" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": "664fceb9e0acfc0baee851c2", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 75, "URL": 3584, "domain": 836, "hostname": 1749, "FileHash-SHA256": 726, "FileHash-MD5": 88, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 7068, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "657 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "664fceb9e0acfc0baee851c2", "name": "PegaSystems | Apple iOS iPad | Malicious | Tracking", "description": "Tags, findings of this report is auto generated by Level Blue OTX.AlienVault.\nPer my research: \nMalicious Score: 10/10\nAlerts: Alerts\nransomware_file_modifications, script_created_process, stealth_network, infostealer_cookies, suspicious_command_tools,\ndynamic_function_loading, reads_self,\nstealth_window, cmdline_http_link, uses_windows_utilities, antidebug_setunhandledexceptionfilter, cmdline_terminate, stealth_timeout,\n\nAffected Device: Apples iOS Ipad, Update 17.5.1\npegasystems.voicestorm.com -Cisco Umbrella {permanently moved as of 5.23.2024} found in Apple link - http://apps.apple.com/app/, nsis, downloaders,injection, data local, remotewd devices, tracking,", "modified": "2024-06-22T23:05:37.577000", "created": "2024-05-23T23:18:17.563000", "tags": [ "united", "passive dns", "as14449", "moved", "urls", "authority", "body", "object", "certificate", "scan endpoints", "unknown", "date", "as11377", "as16552 tiggee", "as174 cogent", "ireland unknown", "cname", "as11404 wave", "all scoreblue", "pulse pulses", "entries", "ipv4", "pulse submit", "url analysis", "dynamicloader", "port", "destination", "high", "medium", "windows", "cmd c", "default", "document file", "v2 document", "write", "copy", "name verdict", "falcon sandbox", "sha1", "sha256", "misc attack", "mitre att", "et tor", "known tor", "relayrouter", "exit", "node traffic", "ascii text", "hybrid", "starfield", "click", "strings", "core", "contact", "as396982 google", "historical ssl", "referrer", "co20230203", "malware", "discord", "credential", "lunar client", "trendmicro av", "neural netw", "upscayl", "steam game", "server", "domain status", "registrar abuse", "google", "community", "record type", "ttl value", "data", "v3 serial", "number" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 75, "URL": 3584, "domain": 836, "hostname": 1749, "FileHash-SHA256": 726, "FileHash-MD5": 88, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 7068, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "665 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://roundcube.nevm.de/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://roundcube.nevm.de/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776638886.3590548 }